Focus Mode
Threat Research

The GamaCopy organization, which imitates the Russian Gamaredon, uses military related content as bait to launch attacks on Russia

admin
The GamaCopy organization, which imitates the Russian Gamaredon, uses military related content as bait to launch attacks on Russia
This article discusses the discovery of attack samples targeting Russian-speaking entities, utilizing military-related content as bait, and employing the open-source tool UltraVNC for subsequent actions. The attacks mimic the tactics of the Gamaredon organization, leading to the attribution of these activities to the GamaCopy group. Affected: Russian-speaking targets, Gamaredon organization, GamaCopy organization

Keypoints :

  • Attack samples were discovered during threat hunting targeting Russian-speaking entities.
  • Both samples used military facility-related content as bait.
  • The 7z self-extracting program was employed to release and load payloads.
  • UltraVNC, an open-source remote desktop tool, was used for subsequent attack behaviors.
  • The tactics used by the attackers resemble those of the Gamaredon organization.
  • The attack activity is believed to be a false flag operation to mislead security vendors.
  • Attribution analysis suggests the attack samples may belong to either Gamaredon or GamaCopy.
  • GamaCopy has been active since at least August 2021 and has targeted Russia’s defense sectors.
  • Differences in attack methods between Gamaredon and GamaCopy were noted, particularly in the use of ports and bait languages.

MITRE Techniques :

  • TA0001 – Initial Access: The attackers used military-related documents to lure victims.
  • TA0002 – Execution: Utilized 7z SFX to execute commands and load subsequent payloads.
  • TA0003 – Persistence: The script created persistence through renamed executable files.
  • TA0005 – Defense Evasion: Employed obfuscation techniques to complicate static analysis.
  • TA0007 – Command and Control: Used UltraVNC to connect to a command server while disguising the process.

Indicator of Compromise :

  • [file hash] c9ffc90487ddcb4bb0540ea4e2a1ce040740371bb0f3ad70e36824d486058349
  • [file hash] a9799ed289b967be92f920616015e58ae6e27defaa48f377d3cd701d0915fe53
  • [file hash] afcbaae700e1779d3e0abe52bf0f085945fc9b6935f7105706b1ab4a823f565f
  • [file hash] 2da473d1f510d0ddbae074a6c13953863c25be479acedc899c5529ec55bd2a65
  • [file hash] 2b2da38b62916c448235038f09c51f226d96087df531b9a508e272b9e87c909d
  • Check the article for all found IoCs.

Full Research: https://medium.com/@knownsec404team/love-and-hate-under-war-the-gamacopy-organization-which-imitates-the-russian-gamaredon-uses-560ba5e633fa

Tags: THREAT HUNTING, CRITICAL INFRASTRUCTURE, APT, RUSSIA, TOOL, HUNTING, INITIAL ACCESS, DEFENSE EVASION