Network Footprints of Gamaredon Group

The analysis below reflects our observations during the month of March 2022. We would also like to thank Maria Jose Erquiaga for her contribution to the introduction and her help during the writing process.


Overview

As the Russian-Ukrainian war continues beyond conventional warfare, cybersecurity professionals have witnessed their domain becoming a real frontier. Threat actors picking sides [1], group members turning against each other [2], some people handing out DDoS tools [3], some people blending in to turn it into profit [4], and many other stories prove that this new frontier is changing every day, and that its direct impact is not limited to geographical boundaries.

While attacks seem to be evolving every day, it is hard to stay up to date with everything that is going on. Therefore, we believe it is important to distinguish between information and actionable intelligence. In Cisco Global Threat Alerts, we would like to share our observations related to this conflict during March of 2022 and discover how we can turn them into actionable intelligence together.

Threat Actors in the Russian-Ukrainian Conflict

Since the rapid escalation of the conflict in 2022, security researchers and analysts have been gathering information about the adversarial groups, malware, techniques, and types of attacks carried out [1, 5, 6]. Some of the groups and malware related to the conflict are described in Table 1:

Threat Actor      | Malware                                                                   | Location
Gamaredon [7]     | Pteranodon [8]                                                            | Crimea
Sandworm [9]      | CyclopsBlink [10]                                                         | Russia
WizardSpider [11] | Cobalt Strike [12], Emotet [13], Conti [14], Ryuk [15], Trickbot [16]     | Russia

Table 1: Threat actors and their relations

Gamaredon

Gamaredon group, also known as Primitive Bear, Shuckworm and ACTINIUM, is an advanced persistent threat (APT) based in Russia. Their activities can be traced back as early as 2013, prior to Russia's annexation of the Crimean Peninsula. They are known to target state institutions of Ukraine and western government entities located in Ukraine. Ukrainian officials attribute them to the Russian Federal Security Service, also known as the FSB [17].

Gamaredon often leverages malicious office files, distributed via spear phishing, as the first stage of their attacks. They are known to use a PowerShell beacon called PowerPunch to download and execute malware for the subsequent stages of an attack. Pterodo and QuietSieve are popular malware families that they deploy for stealing information and carrying out various actions on the target [18].

We were able to collect network IoCs related to Gamaredon infrastructure. During our initial analysis, most of the indicators were not attributed directly to any specific malware and were instead listed as part of Gamaredon's infrastructure. Therefore, we wanted to analyze their infrastructure to understand their arsenal and deployment in greater detail.

Network Infrastructure

The first part of this research is focused on WHOIS record analysis. We observed that Gamaredon domains were predominantly registered through REG[.]RU. Creation dates go back as early as February 2019 and show a changing pattern for the registrant email. Until August 2020, we observed that message-yandex.ru@mail[.]ru was the main registrant email. Later, it shifted to macrobit@inbox[.]ru, mixed with the occasional use of message-yandex.ru@mail[.]ru and tank-bank15@yandex[.]ru. Domain creation dates in some of the WHOIS records are as recent as March 2022.

Apart from WHOIS records, the domains we observed that were related to Gamaredon campaigns had a distinguishing naming convention. While the dataset consisted of domains (without TLDs) varying between 4 and 16 characters, 70% of them were between 7 and 10 characters. Combined with the limited group of top-level domains (TLDs) used (see Table 2), this gives us a naming pattern for further attribution. Moreover, the choice of TLD at domain creation time appears to rotate.

TLD    | Distribution | TLD Usage
online | 42.07%       | 08/2020-02/2021, 02/2022
xyz    | 29.47%       | 06/2022-08/2022, 02/2022-03/2022
ru     | 14.22%       | 08/2020, 05/2021-02/2022
site   | 8.94%        | 07/2020-02/2021
space  | 2.64%        | 02/2019-06/2020

Table 2: TLD distribution and time in use

In the case of domain resolutions, we aimed to analyze the distribution of autonomous system numbers (ASNs) used by the resolved IP addresses (see Table 3). Once again, the owner REG[.]RU leads the list, hosting most of the domains. TimeWeb was second this time, with 28% of the domains we found to be related to Gamaredon activities. Domains with '.online' and '.ru' TLDs update their IP resolutions regularly, almost daily.

Owner               | ASN      | Common Networks                                                                                      | Distribution
REG.RU, Ltd         | AS197695 | 194.67.71.0/24, 194.67.112.0/24, 194.58.100.0/24, 194.58.112.0/24, 194.58.92.0/24, 89.108.81.0/24    | 45.93%
TimeWeb Ltd.        | AS9123   | 185.104.114.0/24, 188.225.77.0/24, 188.225.82.0/24, 94.228.120.0/24, 94.228.123.0/24                 | 28.25%
EuroByte LLC        | AS210079 | 95.183.12.42/32                                                                                      | 10.56%
AS-CHOOPA           | AS20473  | 139.180.196.149/32                                                                                   | 5.08%
LLC Baxet           | AS51659  | 45.135.134.139/32, 91.229.91.124/32                                                                  | 2.23%
System Service Ltd. | AS50448  | 109.95.211.0/24                                                                                      | 1.82%

Table 3: Distribution of IP addresses per ASN and owner

Tooling

After understanding the infrastructure, let's continue with their arsenal. We looked at related file samples for the domains via Umbrella and VirusTotal. A sample of the results can be seen below. Looking at the file types, we can see that the Gamaredon group prefers malicious office documents with macros. They are also known to use Pterodo, a constantly evolving custom backdoor [8, 18].

Domain                   | Hash                                                             | Type                     | Malware
acetica[.]online         | 4c12713ef851e277a66d985f666ac68e73ae21a82d8dcfcedf781c935d640f52 | Office Open XML Document | Groooboor
arvensis[.]xyz           | 03220baa1eb0ad80808a682543ba1da0ec5d56bf48391a268ba55ff3ba848d2f | Office Open XML Document | Groooboor
email-smtp[.]online      | 404ed6164154e8fb7fdd654050305cf02835d169c75213c5333254119fc51a83 | Office Open XML Document | Groooboor
gurmou[.]site            | f9a1d7e896498074f7f3321f1599bd12bdf39222746b756406de4e499afbc86b | Office Open XML Document | Groooboor
mail-check[.]ru          | 41b7a58d0d663afcdb45ed2706b5b39e1c772efd9314f6c1d1ac015468ea82f4 | Office Open XML Document | Groooboor
office360-expert[.]online | 611e4b4e3fd15a1694a77555d858fced1b66ff106323eed58b11af2ae663a608 | Office Open XML Document | Groooboor
achilleas[.]xyz          | f021b79168daef8a6359b0b14c0002316e9a98dc79f0bf27e59c48032ef21c3d | Office Open XML Document | Macro enabled Word Trojan
anisoptera[.]online      | 8c6a3df1398677c85a6e11982d99a31013486a9c56452b29fc4e3fc8927030ad | MS Word Document         | Macro enabled Word Trojan
erythrocephala[.]online  | 4acfb73e121a49c20423a6d72c75614b438ec53ca6f84173a6a27d52f0466573 | Office Open XML Document | Macro enabled Word Trojan
hamadryas[.]online       | 9b6d89ad4e35ffca32c4f44b75c9cc5dd080fd4ce00a117999c9ad8e231d4418 | Office Open XML Document | Macro enabled Word Trojan
intumescere[.]online     | 436d2e6da753648cbf7b6b13f0dc855adf51c014e6a778ce1901f2e69bd16360 | MS Word Document         | Macro enabled Word Trojan
limosa[.]online          | 0b525e66587e564db10bb814495aefb5884d74745297f33503d32b1fec78343f | MS Word Document         | Macro enabled Word Trojan
mesant[.]online          | 936b70e0babe7708eda22055db6021aed965083d5bc18aad36bedca993d1442a | MS Word Document         | Macro enabled Word Trojan
sufflari[.]online        | 13b780800c94410b3d68060030b5ff62e9a320a71c02963603ae65abbf150d36 | MS Word Document         | Macro enabled Word Trojan
apusa[.]xyz              | 23d417cd0d3dc0517adb49b10ef11d53e173ae7b427dbb6a7ddf45180056c029 | Win32 DLL                | Pterodo
atlanticos[.]site        | f5023effc40e6fbb5415bc0bb0aa572a9cf4020dd59b2003a1ad03d356179aa1 | VBA                      | Pterodo
barbatus[.]online        | 250bd134a910605b1c4daf212e19b5e1a50eb761a566fffed774b6138e463bbc | VBA                      | Pterodo
bitsadmin2[.]space       | cfa58e51ad5ce505480bfc3009fc4f16b900de7b5c78fdd2c6d6c420e0096f6b | Win32 EXE                | Pterodo
bitsadmin3[.]space       | 9c8def2c9d2478be94fba8f77abd3b361d01b9a37cb866a994e76abeb0bf971f | Win32 EXE                | Pterodo
bonitol[.]online         | 3cbe7d544ef4c8ff8e5c1e101dbdf5316d0cfbe32658d8b9209f922309162bcf | VBA                      | Pterodo
buhse[.]xyz              | aa566eed1cbb86dab04e170f71213a885832a58737fcab76be63e55f9c60b492 | Office Open XML Document | Pterodo
calendas[.]ru            | 17b278045a8814170e06d7532e17b831bede8d968ee1a562ca2e9e9b9634c286 | Win32 EXE                | Pterodo
coagula[.]online         | c3eb8cf3171aa004ea374db410a810e67b3b1e78382d9090ef9426afde276d0f | MS Word Document         | Pterodo
corolain[.]ru            | 418aacdb3bbe391a1bcb34050081bd456c3f027892f1a944db4c4a74475d0f82 | Win32 EXE                | Pterodo
gorigan[.]ru             | 1c7804155248e2596ec9de97e5cddcddbafbb5c6d066d972bad051f81bbde5c4 | Win32 EXE                | Pterodo
gorimana[.]site          | 90cb5319d7b5bb899b1aa684172942f749755bb998de3a63b2bccb51449d1273 | MS Word Document         | Pterodo
krashand[.]ru            | 11d6a641f8eeb76ae734951383b39592bc1ad3c543486dcef772c14a260a840a | Win32 EXE                | Pterodo
libellus[.]ru            | 4943ca6ffef366386b5bdc39ea28ad0f60180a54241cf1bee97637e5e552c9a3 | Win32 EXE                | Pterodo
melitaeas[.]online       | 55ad79508f6ccd5015f569ce8c8fcad6f10b1aed930be08ba6c36b2ef1a9fac6 | Office Open XML Document | Pterodo
mullus[.]online          | 31afda4abdc26d379b848d214c8cbd0b7dc4d62a062723511a98953bebe8cbfc | Win32 EXE                | Pterodo
upload-dt[.]hopto[.]org  | 4e72fbc5a8c9be5f3ebe56fed9f613cfa5885958c659a2370f0f908703b0fab7 | MS Word Document         | Pterodo

Table 4: Domains, files (hash and type), and malware name associated with the Gamaredon group

After reviewing the behaviors of the related malicious samples, it is easier to build attribution between a malicious domain and the corresponding sample. The IP addresses resolved by the domain are later used to establish raw-IP command and control (C2) communication with a distinguishing URL pattern. The following example shows how 1c7804155248e2596ec9de97e5cddcddbafbb5c6d066d972bad051f81bbde5c4 resolves gorigan[.]ru and uses its IP address to build a C2 URL (http|https://<IP>/<random alphanumeric string>). Therefore, monitoring DNS and outgoing web traffic is crucial for its detection.
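The naming pattern from the Network Infrastructure section (7 to 10 character labels on the observed TLDs) and the raw-IP C2 URL shape described above can be combined into one correlation check over DNS and proxy events. The following Python is an added example, not Cisco's tooling; it assumes a constructed one-line-per-event log format and uses placeholder documentation IP addresses rather than real resolutions.

```python
import re

# Assumed (constructed) event format, not from the post:
#   "<ts> <host> dns <qname> <answer-ip>"   a DNS answer seen for a host
#   "<ts> <host> http <url>"                 an outbound web request from that host
# The patterns come from the post: registrable label of 7-10 characters on a small
# set of TLDs, then C2 over http(s)://<resolved IP>/<random alphanumeric string>.
GAMAREDON_TLDS = {"online", "xyz", "ru", "site", "space"}
RAW_IP_URL = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})/([A-Za-z0-9]{6,})/?$")


def matches_naming_pattern(fqdn: str) -> bool:
    """True when the registrable label is 7-10 chars and the TLD is one observed."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] not in GAMAREDON_TLDS:
        return False
    return 7 <= len(labels[-2]) <= 10


def correlate(lines):
    """Alert when a host resolved a pattern-matching domain and afterwards
    requested http(s)://<that same IP>/<alphanumeric path>."""
    resolved = {}  # (host, ip) -> domain that resolved to that ip
    alerts = []
    for line in lines:
        fields = line.split()
        if len(fields) == 5 and fields[2] == "dns":
            _, host, _, qname, ip = fields
            if matches_naming_pattern(qname):
                resolved[(host, ip)] = qname
        elif len(fields) == 4 and fields[2] == "http":
            _, host, _, url = fields
            m = RAW_IP_URL.match(url)
            if m and (host, m.group(1)) in resolved:
                alerts.append({"host": host, "domain": resolved[(host, m.group(1))],
                               "ip": m.group(1), "url": url})
    return alerts


# Constructed sample events; 192.0.2.0/24 addresses are documentation placeholders.
SAMPLE = [
    "2022-03-14T10:01:02Z ws01 dns gorigan.ru 192.0.2.10",
    "2022-03-14T10:01:05Z ws01 http http://192.0.2.10/kQ7zLm2p",   # raw-IP C2 shape
    "2022-03-14T10:02:00Z ws02 dns example.com 192.0.2.20",
    "2022-03-14T10:02:01Z ws02 http http://192.0.2.20/index.html", # normal path
    "2022-03-14T10:03:00Z ws03 http http://192.0.2.30/aB3kd9Qx",   # no prior DNS
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(alert)
```

Only ws01 is flagged: ws03 requests a raw-IP URL of the right shape but never resolved a matching domain, which keeps this a two-signal rule rather than a generic raw-IP alert.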

Figure 1: IP address resolutions of gorigan[.]ru
Figure 2: URL connections to resolved IP addresses (source: VirusTotal)

Detecting Gamaredon Activity with Global Threat Alerts

In Cisco Global Threat Alerts, we are tracking the Gamaredon group under the Gamaredon Activity threat object. The threat description is enriched with MITRE references (see Figure 3).

Figure 3: Threat description of Gamaredon activity, including MITRE techniques and tactics (source: Cisco Global Threat Alerts)

Figure 4 shows a detection sample of Gamaredon activity. Note that the infected system attempted to communicate with the domains alacritas[.]ru, goloser[.]ru, and libellus[.]ru, which appeared to be sinkholed to the OpenDNS IP address 146.112.61[.]107.

Figure 4: Gamaredon group detection example (source: Cisco Global Threat Alerts)

Conclusion

We have walked through the steps of producing intelligence from the information we collected. We began our analysis with an unattributed list of network IoCs and were able to identify unique patterns in their metadata. Then, we pivoted to endpoint IoCs and attributed domains to malware families. Finally, we showed how we turned this into a detection of the Gamaredon group displayed in the Cisco Global Threat Alerts portal.

For your convenience, here is a summary of the intelligence we developed in this blog post:

Aliases          | Primitive Bear, Shuckworm, ACTINIUM
Type             | Threat Actor
Originating From | Russia
Targets          | Ukrainian State Organizations
Malware used     | Pterodo, Groooboor
File Type        | Macro enabled office files, Win32 EXE, VBA
TLDs used        | .online, .xyz, .ru, .site, .space
ASNs used        | REG.RU, Ltd, TimeWeb Ltd., EuroByte LLC, AS-CHOOPA, LLC Baxet, System Service Ltd.


References

[1] Cyber Group Tracker: https://cyberknow.medium.com/update-10-2022-russia-ukraine-war-cyber-group-tracker-march-20-d667afd5afff

[2] Conti ransomware's internal chats leaked after siding with Russia: https://www.bleepingcomputer.com/news/security/conti-ransomwares-internal-chats-leaked-after-siding-with-russia/

[3] Hackers sound call to arms with digital weapon aimed at Russian websites: https://cybernews.com/news/hackers-sound-call-to-arms-with-digital-weapon-aimed-at-russian-websites/

[4] Threat advisory: Cybercriminals compromise users with malware disguised as pro-Ukraine cyber tools: https://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.html

[5] Ukraine-Cyber-Operations: https://github.com/curated-intel/Ukraine-Cyber-Operations

[6] What You Need to Know About Russian Cyber Escalation in Ukraine: https://socradar.io/what-you-need-to-know-about-russian-cyber-escalation-in-ukraine/

[7] Gamaredon: https://attack.mitre.org/groups/G0047/

[8] Pteranodon: https://attack.mitre.org/software/S0147/

[9] Sandworm: https://attack.mitre.org/groups/G0034/

[10] Threat Advisory: Cyclops Blink: https://blog.talosintelligence.com/2022/02/threat-advisory-cyclops-blink.html

[11] Wizard Spider: https://attack.mitre.org/groups/G0102/

[12] Cobalt Strike: https://attack.mitre.org/software/S0154

[13] Emotet: https://attack.mitre.org/software/S0367

[14] Conti: https://attack.mitre.org/software/S0575

[15] Ryuk: https://attack.mitre.org/software/S0446

[16] TrickBot: https://attack.mitre.org/software/S0446

[17] Technical Report Gamaredon/Armageddon group: https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf

[18] ACTINIUM targets Ukrainian organizations: https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/
