Gamaredon Group

Threat Actor Profile Updated 24 days ago
The Gamaredon group, a threat actor active since at least 2013, uses sophisticated techniques to execute malicious campaigns. Notably, it employs signed binaries (T1116) in its operations and uses tools written in C/C++, C#, batch files, and VBScript. Despite the relative simplicity of these tools, the group has demonstrated innovative capabilities, such as deploying an Outlook VBA module. Its strategy is to install multiple scripts and executables on each compromised system and update them regularly, which makes it difficult for defenders to counter its activity.

The group's operations have evolved over time, and recent developments indicate increased complexity. Check Point's analysis shows that Gamaredon typically conducts large-scale campaigns followed by intelligence-gathering activity. The group has also developed a new tool, "LitterDrifter," which appears to be an evolution of a previously reported USB PowerShell worm attributed to it. The tool fits the group's objective of maintaining a persistent command and control (C2) channel across a wide range of targets. Despite its fast development pace, Gamaredon occasionally shows a lack of attention to detail, as evidenced by issues that were fixed only in later versions of its modules. Silent Push's investigation into the group's rapid-flux operation further underscores this point.

Users of AutoFocus, a contextual threat intelligence service, can view malware associated with the group's attacks using the Gamaredon Group tag. The group's remote template retrieves a VBS script to execute; that script establishes a persistent C2 check-in and retrieves the next payload when the group is ready for the next phase.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
ID | Votes | Profile Description
No overlaps to display
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Worm
Associated Malware
ID | Type | Votes | Profile Description
Litterdrifter | Unspecified | 2 | LitterDrifter is malicious software (malware) that has been identified as a tool of the Russian Advanced Persistent Threat (APT) group Gamaredon. This malware is particularly insidious because it spreads via USB drives, allowing both direct and indirect infection of targeted systems. It was init
Associated Threat Actors
ID | Type | Votes | Profile Description
Gamaredon | Unspecified | 4 | Gamaredon is a threat actor, or hacking team, believed to be Russian in origin and has been actively tracked since 2013. The group primarily targets Ukraine using malicious documents that deliver a range of home-brewed malware. The European Union's Computer Emergency Response Team (EU CERT) cites Ga
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Gamaredon Group threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | Gamaredon group grows its game | WeLiveSecurity
MITRE | 6 months ago | Operation (노스 스타) North Star A Job Offer That’s Too Good to be True? | McAfee Blog
CERT-EU | a year ago | APT Cloud Atlas: Unbroken Threat
Checkpoint | 6 months ago | Malware Spotlight - Into the Trash: Analyzing LitterDrifter - Check Point Research
CERT-EU | 9 months ago | Hacker Group Infrastructure That Uses Weaponized MS Word Docs Uncovered
CSO Online | a year ago | Views of a hot cyberwar — the Ukrainian perspective on Russia’s online assault
Securityaffairs | 6 months ago | Russian APT Gamaredon uses USB worm LitterDrifter against Ukraine
MITRE | a year ago | The Gamaredon Group Toolset Evolution
MITRE | a year ago | Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine