February 08, 2022

Gamaredon/ACTINIUM & Ukraine

Industry: N/A | Level: Tactical | Source: Microsoft & Palo Alto Unit42

In-depth research by Palo Alto Unit42 and the Microsoft Threat Intelligence Center (MSTIC) found that the threat group Gamaredon/ACTINIUM has been actively targeting organizations in Ukraine. According to Microsoft’s latest reports, the group’s objectives are focused on cyber-espionage. The threat group’s intentions are “exfiltrating sensitive information, maintaining access, and using acquired access to move laterally into related organizations. MSTIC has observed ACTINIUM operating out of Crimea with objectives consistent with cyber espionage. The Ukrainian government has publicly attributed this group to the Russian Federal Security Service (FSB). Since October 2021, ACTINIUM has targeted or compromised accounts at organizations critical to emergency response and ensuring the security of Ukrainian territory, as well as organizations that would be involved in coordinating the distribution of international and humanitarian aid to Ukraine in a crisis.” The group leverages an active, advanced infrastructure, rotating DNS records daily across more than 700 observed domains. Following execution of the malicious phishing attachment, the group uses a variety of initial staging techniques, either alone or in combination: VBScripts, PowerShell, self-extracting archives, or LNK files. The group constantly changes tactics to evade detection. It frequently uses schtasks for persistence, ensuring continued access for intelligence collection.

  • Anvilogic Scenario: Malicious Document Delivering Malware
  • Anvilogic Use Cases:
    • Invoke-Expression Command
    • Create/Modify Schtasks
    • Compressed File Execution
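As an added illustration of the three Anvilogic use cases listed above (example code written for this page, not Anvilogic, Microsoft or Unit42 logic), the following Python sketch runs simple matching rules over constructed process-creation events. The flattened field names (`image`, `cmdline`) and the self-extracting-archive temp-folder prefixes (`7zS`, `RarSFX`) are assumptions about the telemetry, not values from the reports.

```python
"""Detection sketch for the Invoke-Expression, schtasks, and compressed-file
execution use cases, run over constructed process-creation events."""
import re

# Constructed sample events in a flattened Sysmon/4688-like shape (not real logs).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 10 /tn "update" /tr "wscript.exe C:\Users\u\AppData\Local\Temp\x.vbs"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c \"IEX (Get-Content 'C:\\Users\\u\\AppData\\Local\\Temp\\s.ps1' -Raw)\""},
    {"image": r"C:\Users\u\AppData\Local\Temp\7zS1234\setup.exe",
     "cmdline": "setup.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

RULES = {
    # Use case: Create/Modify Schtasks -- schtasks.exe invoked with /create or /change.
    "schtasks_create_modify": lambda e: e["image"].lower().endswith("schtasks.exe")
        and re.search(r"\s/(create|change)\b", e["cmdline"], re.I) is not None,
    # Use case: Invoke-Expression Command -- PowerShell evaluating a string (IEX alias too).
    "invoke_expression": lambda e: "powershell" in e["image"].lower()
        and re.search(r"\b(invoke-expression|iex)\b", e["cmdline"], re.I) is not None,
    # Use case: Compressed File Execution -- binary running from an SFX extraction
    # folder (assumed prefixes: 7-Zip "7zS...", WinRAR "RarSFX...").
    "compressed_file_execution": lambda e:
        re.search(r"\\(7zS|RarSFX)[^\\]*\\", e["image"], re.I) is not None,
}


def evaluate(event):
    """Return the names of every rule the event triggers (empty list if benign)."""
    return [name for name, rule in RULES.items() if rule(event)]


def scan(events):
    """Map event index -> triggered rule names, omitting events with no hits."""
    hits = {}
    for idx, event in enumerate(events):
        triggered = evaluate(event)
        if triggered:
            hits[idx] = triggered
    return hits


if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["image"], "->", ", ".join(names))
```

Each rule maps to one use case in the list above; the benign notepad event is included to show that unrelated process starts produce no hit.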