Gamaredon Group

Threat Actor updated 7 months ago (2024-05-04T17:19:10.738Z)
The Gamaredon group, a threat actor active since at least 2013, uses sophisticated techniques to execute malicious campaigns. Notably, the group employs signed binaries (T1116) in its operations and uses tools written in C/C++, C#, batch files, and VBScript. Despite the relative simplicity of these tools, the group has shown innovative capabilities, such as deploying an Outlook VBA module. Its approach is to install multiple scripts and executables on each compromised system and update them regularly, which makes it harder for defenders to counter its activity.

The group's operations have evolved over time, with recent developments pointing to greater complexity. Check Point's analysis shows that Gamaredon typically runs large-scale campaigns followed by intelligence-gathering activity. The group has also developed a new tool, "LitterDrifter", which appears to be an evolution of a previously reported USB PowerShell worm attributed to it. This tool serves the group's objective of maintaining a persistent command and control (C2) channel across a wide range of targets. Despite its fast development pace, Gamaredon occasionally shows a lack of attention to detail, as evidenced by issues that were later fixed in subsequent versions of its modules. Silent Push's investigation into the group's rapid flux operation further underscores this point.

Users of AutoFocus, a contextual threat intelligence service, can view malware associated with the group's attacks using the Gamaredon Group tag. In summary, the group's remote template retrieves a VBS script for execution, which establishes a persistent C2 check-in and retrieves the next payload when the group is ready for the next phase.
Description last updated: 2024-05-04T16:42:55.124Z
Aliases: none currently tracked
Miscellaneous Associations (other elements of context that could aid in identifying relevance): Worm
Associated Malware
Alias | Description | Association Type | Votes
LitterDrifter | The LitterDrifter malware is associated with Gamaredon Group. LitterDrifter is a malicious software (malware) that has been identified as a tool of the Russian Advanced Persistent Threat (APT) group, Gamaredon. This malware is particularly insidious as it is spread via USB drives, allowing for both direct and indirect infection of targeted systems. It was init | Unspecified | 2
Associated Threat Actors
Alias | Description | Association Type | Votes
Gamaredon | The Gamaredon threat actor is associated with Gamaredon Group. Gamaredon, a Russia-aligned threat actor, has emerged as one of the most active Advanced Persistent Threat (APT) groups in Ukraine, particularly since Russia's 2022 invasion of the country. Composed of regular officers from the Russian Federal Security Service (FSB) and some former law enforcement o | Unspecified | 4