
The Gamaredon Organization, Which Steals Data in 30 Minutes, Is Combated by Cyber Defenders

By Esme Greene

Aug 20, 2023

The Rapid Response Team for Computer Incidents of Ukraine (CERT-UA) is warning about the Gamaredon hacking organization, which is capable of stealing data from networks within an hour after intrusion.

Gamaredon, also known as Armageddon, UAC-0010, Shuckworm, Actinium, Iron Tilden, Primitive Bear, and Trident Ursa, has often carried out targeted attacks on vital IT infrastructure and governmental institutions in Ukraine.

How the Attacks Operate

Gamaredon attacks often start with a message sent over Signal, WhatsApp, or Telegram. The attackers use deceptive attachments that look like Microsoft Word or Excel documents to trick the victim into opening the infected files. Opening these files causes malicious PowerShell scripts and the GammaSteel malware to be downloaded and run on the victim’s computer.

On compromised PCs, the hackers modify the Microsoft Word templates so that a dangerous macro, which can transmit the Gamaredon malware to other systems, is added to every document written on those machines. The PowerShell script also records session information from browser cookies, giving the hackers access to victim accounts that are protected by two-factor authentication (2FA).

According to CERT-UA, the “GammaSteel” virus targets files with the following extensions: .doc, .docx, .xls, .xlsx, .rtf, .odt, .txt, .jpg, .jpeg, .pdf, .ps1, .rar, .zip, .7z, and .mdb. Within 30 to 50 minutes, the attacker exports documents of interest. A week can pass before a hacked machine becomes infected, which is another characteristic of Gamaredon assaults.

Additionally, criminals have a week to upload up to 120 harmful files to a machine they have infected, raising the risk of re-infection. In other words, the malware will re-infect additional files if at least one infected file or document is left after the system cleaning procedure.

Gamaredon also immediately infects any USB device that is connected, which lets it spread to unconnected networks. Additionally, between three and six times each day, the cybercriminals change the IP addresses of their intermediary C2 servers, making it challenging to stop the activity or find the hackers.

According to CERT-UA, preventing or restricting the unauthorized execution of the applications “mshta.exe”, “wscript.exe”, “cscript.exe”, and “powershell.exe” is the most efficient technique to lessen the impact of Gamaredon attacks.
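One way to see where such executions occur and which of them a restriction policy would stop, shown as an added example that is not code from CERT-UA or from this article. It assumes process-creation events with Sysmon Event ID 1 field names; the delivery-channel process names, the allowlist entries and the sample events are constructed for illustration.

```python
import ntpath

# The four interpreters CERT-UA names in the article.
RESTRICTED = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# Assumption: process names for the delivery channels the article lists
# (Word/Excel attachments, Signal, WhatsApp, Telegram).
DELIVERY_PARENTS = {"winword.exe", "excel.exe", "signal.exe",
                    "whatsapp.exe", "telegram.exe"}
# Hypothetical allowlist of (parent, child) launches a site has authorized.
AUTHORIZED = {("ccmexec.exe", "powershell.exe"), ("svchost.exe", "cscript.exe")}


def base(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path or "").lower()


def triage(events, authorized=AUTHORIZED):
    """Return sorted (severity, host, parent, child) per unauthorized launch."""
    findings = []
    for ev in events:
        child, parent = base(ev.get("Image")), base(ev.get("ParentImage"))
        if child not in RESTRICTED:
            continue
        if parent in DELIVERY_PARENTS:
            severity = "high"    # document or messenger spawned an interpreter
        elif (parent, child) in authorized:
            continue             # launch explicitly approved by the site
        else:
            severity = "review"  # restricted binary with an unapproved parent
        findings.append((severity, ev.get("Computer", "?"), parent, child))
    return sorted(findings)


# Constructed sample events (not real telemetry).
SAMPLE = [
    {"Computer": "ws-01", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Computer": "ws-02", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\u\AppData\Roaming\Telegram Desktop\Telegram.exe"},
    {"Computer": "srv-01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\CCM\CcmExec.exe"},
    {"Computer": "ws-03", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Computer": "ws-03", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding)
```

The delivery-parent check runs before the allowlist lookup, so an overly broad allowlist entry cannot hide an interpreter started from a document or messenger client.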

The agency argues that, rather than destruction, Gamaredon’s efforts focus more on information theft and espionage. Earlier, Palo Alto Networks researchers reported that in August 2022, the Gamaredon group made an unsuccessful attack on a major oil refinery in a NATO member country.
