Register now for better personalized quote!

HOT NEWS

Network Footprints of Gamaredon Group

Dec, 16, 2024 Hi-network.com

Below research is reflecting our observations during month of March 2022. We also would like to thank Maria Jose Erquiaga for her contribution in introduction and support during the process of writing.


Overview

As the Russian-Ukrainian war continues over conventional warfare, cybersecurity professionals witnessed their domain turning into a real frontier. Threat actors picking sides [1], group members turning against each other [2], some people handing out DDoS tools [3], some people blending in to turn it into profit [4], and many other stories, proving that this new frontier is changing daily, and its direct impact is not limited to geographical boundaries.

While attacks seem to be evolving daily, it is challenging for one to stay up to date with all that is going around. Therefore, we believe that it is important to distinguish between information and actionable intelligence. In Cisco Global Threat Alerts, we would like to share our observations related to this conflict during March of 2022 and discover how we can turn them into actionable intelligence together.

Threat Actors in the Russian-Ukrainian Conflict

Since the rapid escalation of the conflict in 2022, security researchers and analysts have been gathering information regarding the adversarial groups, malware, techniques, and types of attacks implemented [1, 5, 6]. Some of the groups and malware related to the conflict are described in Table 1:

Threat ActorMalwareLocation
Gamaredon[7]Pteranodon[8]Crimea
Sandworm[9]CyclopsBlink[10]Russia
WizardSpider[11]Cobalt Strike[12], Emotet[13], Conti[14], Ryuk[15], Trickbot[16]Russia

Table 1: Threat actors and their relations

Gamaredon

Gamaredon group, also known as Primitive Bear, Shuckworm and ACTINIUM, is an advanced persistent threat (APT) based in Russia. Their activities can be traced back as early as 2013, prior to Russia's annexation of the Crimean Peninsula. They are known to target state institutions of Ukraine and western government entities located in Ukraine. Ukrainian officials attribute them to Russian Federal Security Service, also known as FSB [17].

Gamaredon often leverages malicious office files, distributed through spear phishing as the first stage of their attacks. They are known to use a PowerShell beacon called PowerPunch to download and execute malware for ensuing stages of attacks. Pterodo and QuietSieve are popular malware families that they deploy for stealing information and various actions on objective [18].

We were able to collect network IoC's related to Gamaredon infrastructure. During our initial analysis, most of the indicators were not attributed directly to any specific malware and they were rather listed as part of Gamaredon's infrastructure. Therefore, we wanted to analyze their infrastructure to understand their arsenal and deployment in greater detail.

Network Infrastructure

The first part of this research is focused on WHOIS record analysis. We observed that Gamaredon domains were dominantly registered by REG[.]RU. Creation dates are going back as early as February 2019 and have a changing pattern for the registrant email. Until August 2020, we observed that message-yandex.ru@mail[.]ru was the main registrant email. Later, it shifted to macrobit@inbox[.]ru, mixed with the occasional usage of message-yandex.ru@mail[.]ru and tank-bank15@yandex[.]ru. Domain creation dates in some of the WHOIS records are as recent as March 2022.

Other than WHOIS information, the domains we observed that were related to Gamaredon campaigns had a distinguishing naming convention. While dataset consisted of domain names (without TLDs) varying between 4 to 16 characters, 70% percent of them were between 7 to 10 characters. Combined with a limited group of top-level domains (TLDs) used (see Table 2), this leads us to a naming pattern for further attribution. Additionally, the usage of TLDs on domain creation seems to be rotating.

TLDDistributionTLD Usage
online42.07%08/2020-02/2021,02/2022
xyz29.47%06/2022-08/2022, 02/2022-03/2022
ru14.22%08/2020, 05/2021-02/2022
site8.94%07/2020-02/2021
space2.64%02/2019-06/2020

Table 2: TLD distribution and time in use

In the case of domain resolutions, we aimed to analyze the distribution of autonomous system numbers (ASN) used by resolved IP addresses (see Table 3). Once more, the owner REG[.]RU is leading the list, owning most of the domains. TimeWeb was the second this time, with 28% of the domains we found to be related to Gamaredon activities. Domains having '. online' and '.ru' TLDs are regularly updating their IP resolutions, almost daily.

OwnerASNPopular NetworksDistribution
REG.RU, LtdAS197695194.67.71.0/24
194.67.112.0/24
194.58.100.0/24
194.58.112.0/24
194.58.92.0/24
89.108.81.0/24
45.93%
TimeWeb Ltd.AS9123185.104.114.0/24
188.225.77.0/24
188.225.82.0/24
94.228.120.0/24
94.228.123.0/24
28.25%
EuroByte LLCAS21007995.183.12.42/3210.56%
AS-CHOOPAAS20473139.180.196.149/325.08%
LLC BaxetAS5165945.135.134.139/32
91.229.91.124/32
2.23%
System Service Ltd.AS50448109.95.211.0/241.82%

Table 3: Distribution of IP addresses per ASN and owner

Tooling

After understanding the infrastructure, let's proceed with their arsenal. We looked at associated file samples for the domains through Umbrella and Virustotal. A sample of the results can be seen below. Referring to a file type, we can see that the Gamaredon group prefers malicious office documents with macros. Also, they are known to use Pterodo, which is a constantly evolving custom backdoor [8, 18].

DomainHashTypeMalware
acetica[.]online4c12713ef851e277a66d985f666ac68e73ae21a82d8dcfcedf781c935d640f52Office Open XML DocumentGroooboor
arvensis[.]xyz03220baa1eb0ad80808a682543ba1da0ec5d56bf48391a268ba55ff3ba848d2fOffice Open XML DocumentGroooboor
email-smtp[.]online404ed6164154e8fb7fdd654050305cf02835d169c75213c5333254119fc51a83Office Open XML DocumentGroooboor
gurmou[.]sitef9a1d7e896498074f7f3321f1599bd12bdf39222746b756406de4e499afbc86bOffice Open XML DocumentGroooboor
mail-check[.]ru41b7a58d0d663afcdb45ed2706b5b39e1c772efd9314f6c1d1ac015468ea82f4Office Open XML DocumentGroooboor
office360-expert[.]online611e4b4e3fd15a1694a77555d858fced1b66ff106323eed58b11af2ae663a608Office Open XML DocumentGroooboor
achilleas[.]xyzf021b79168daef8a6359b0b14c0002316e9a98dc79f0bf27e59c48032ef21c3dOffice Open XML DocumentMacro enabled Word Trojan
anisoptera[.]online8c6a3df1398677c85a6e11982d99a31013486a9c56452b29fc4e3fc8927030adMS Word DocumentMacro enabled Word Trojan
erythrocephala[.]online4acfb73e121a49c20423a6d72c75614b438ec53ca6f84173a6a27d52f0466573Office Open XML DocumentMacro enabled Word Trojan
hamadryas[.]online9b6d89ad4e35ffca32c4f44b75c9cc5dd080fd4ce00a117999c9ad8e231d4418Office Open XML DocumentMacro enabled Word Trojan
intumescere[.]online436d2e6da753648cbf7b6b13f0dc855adf51c014e6a778ce1901f2e69bd16360MS Word DocumentMacro enabled Word Trojan
limosa[.]online0b525e66587e564db10bb814495aefb5884d74745297f33503d32b1fec78343fMS Word DocumentMacro enabled Word Trojan
mesant[.]online936b70e0babe7708eda22055db6021aed965083d5bc18aad36bedca993d1442aMS Word DocumentMacro enabled Word Trojan
sufflari[.]online13b780800c94410b3d68060030b5ff62e9a320a71c02963603ae65abbf150d36MS Word DocumentMacro enabled Word Trojan
apusa[.]xyz23d417cd0d3dc0517adb49b10ef11d53e173ae7b427dbb6a7ddf45180056c029Win32 DLLPterodo
atlanticos[.]sitef5023effc40e6fbb5415bc0bb0aa572a9cf4020dd59b2003a1ad03d356179aa1VBAPterodo
barbatus[.]online250bd134a910605b1c4daf212e19b5e1a50eb761a566fffed774b6138e463bbcVBAPterodo
bitsadmin2[.]spacecfa58e51ad5ce505480bfc3009fc4f16b900de7b5c78fdd2c6d6c420e0096f6bWin32 EXEPterodo
bitsadmin3[.]space9c8def2c9d2478be94fba8f77abd3b361d01b9a37cb866a994e76abeb0bf971fWin32 EXEPterodo
bonitol[.]online3cbe7d544ef4c8ff8e5c1e101dbdf5316d0cfbe32658d8b9209f922309162bcfVBAPterodo
buhse[.]xyzaa566eed1cbb86dab04e170f71213a885832a58737fcab76be63e55f9c60b492Office Open XML DocumentPterodo
calendas[.]ru17b278045a8814170e06d7532e17b831bede8d968ee1a562ca2e9e9b9634c286Win32 EXEPterodo
coagula[.]onlinec3eb8cf3171aa004ea374db410a810e67b3b1e78382d9090ef9426afde276d0fMS Word DocumentPterodo
corolain[.]ru418aacdb3bbe391a1bcb34050081bd456c3f027892f1a944db4c4a74475d0f82Win32 EXEPterodo
gorigan[.]ru1c7804155248e2596ec9de97e5cddcddbafbb5c6d066d972bad051f81bbde5c4Win32 EXEPterodo
gorimana[.]site90cb5319d7b5bb899b1aa684172942f749755bb998de3a63b2bccb51449d1273MS Word DocumentPterodo
krashand[.]ru11d6a641f8eeb76ae734951383b39592bc1ad3c543486dcef772c14a260a840aWin32 EXEPterodo
libellus[.]ru4943ca6ffef366386b5bdc39ea28ad0f60180a54241cf1bee97637e5e552c9a3Win32 EXEPterodo
melitaeas[.]online55ad79508f6ccd5015f569ce8c8fcad6f10b1aed930be08ba6c36b2ef1a9fac6Office Open XML DocumentPterodo
mullus[.]online31afda4abdc26d379b848d214c8cbd0b7dc4d62a062723511a98953bebe8cbfcWin32 EXEPterodo
upload-dt[.]hopto[.]org4e72fbc5a8c9be5f3ebe56fed9f613cfa5885958c659a2370f0f908703b0fab7MS Word DocumentPterodo

Table 4: Domains, files (hash and type), and malware name associated to the Gamaredon group

After reviewing the behaviors of the associated malicious samples, it is easier to build attribution between the malicious domain and the corresponding sample. IP addresses resolved by the domain are later used to establish raw IP command and control (C2) communication with a distinguishing URL pattern. 

tag-icon Hot Tags :

Copyright © 2014-2024 Hi-Network.com | HAILIAN TECHNOLOGY CO., LIMITED | All Rights Reserved.
Our company's operations and information are independent of the manufacturers' positions, nor a part of any listed trademarks company.