The Russia-linked Gamaredon hacking group attempted to compromise an unnamed Western government entity operating in Ukraine last month amidst ongoing geopolitical tensions between the two countries.
Palo Alto Networks’ Unit 42 threat intelligence team, in a new report publicized on February 3, said that the phishing attack took place on January 19, adding it “mapped out three large clusters of their infrastructure used to support different phishing and malware purposes.”
The threat actor, also known as Shuckworm, Armageddon, or Primitive Bear, has historically focused its offensive cyber attacks against Ukrainian government officials and organizations since 2013. Last year, Ukraine disclosed the collective’s ties to Russia’s Federal Security Service (FSB).
To carry out the phishing attack, the operators behind the campaign leveraged a job search and employment platform within the country as a conduit to upload their malware downloader in the form of a resume for an active job listing related to the targeted entity.
“Given the steps and precision delivery involved in this campaign, it appears this may have been a specific, deliberate attempt by Gamaredon to compromise this Western government organization,” the researchers noted.
Additionally, Unit 42 uncovered evidence of a Gamaredon campaign targeting the State Migration Service (SMS) of Ukraine on December 1, 2021, which used a Word document as a lure to install the open-source UltraVNC virtual network computing (VNC) software for maintaining remote access to infected computers.
“Gamaredon actors pursue an interesting approach when it comes to building and maintaining their infrastructure,” researchers said. “Most actors choose to discard domains after their use in a cyber campaign in order to distance themselves from any possible attribution. However, Gamaredon’s approach is unique in that they appear to recycle their domains by consistently rotating them across new infrastructure.”
Taken together, the attack infrastructure spans across no fewer than 700 rogue domains, 215 IP addresses, and over 100 samples of malware, with the clusters used to host weaponized documents that are engineered to execute malicious code when opened and serve as command-and-control servers for its Pterodo (aka Pteranodon) remote access trojan.
The findings arrive less than a week after Broadcom-owned Symantec revealed details of another attack orchestrated by the same group between July and August 2021 targeting an unidentified Ukrainian organization to deploy the Pterodo RAT for post-exploitation activities.