Gamaredon Group

Threat Actor updated 4 months ago (2024-05-04T17:19:10.738Z)
The Gamaredon group, a threat actor active since at least 2013, uses a mix of simple and well-refined techniques in its malicious campaigns. Notably, it employs signed binaries (T1116) in its operations and uses tools written in C/C++, C#, batch files, and VBScript. Despite the relative simplicity of its tooling, the group has shown inventive capabilities, such as deploying an Outlook VBA module. Its strategy is to install multiple scripts and executables on each compromised system and to update them regularly, which makes it hard for defenders to keep pace. The group's activity has evolved over time, with recent developments indicating more complex operations. Check Point's analysis shows that the Gamaredon group typically runs large-scale campaigns first and follows them with more targeted intelligence gathering. The group has also developed a new tool called "LitterDrifter," which appears to be an evolution of a previously reported USB PowerShell worm tied to the group; it serves the group's goal of maintaining a persistent command and control (C2) channel across a wide range of targets. Despite its fast development pace, the Gamaredon group occasionally shows a lack of attention to detail, as evidenced by issues that were later fixed in subsequent versions of its modules. Silent Push's investigation into the group's rapid-flux infrastructure underscores this point. Users of AutoFocus, a contextual threat intelligence service, can view malware associated with the group's attacks under the Gamaredon Group tag. Finally, the group's remote template retrieves a VBS script for execution, which establishes a persistent C2 check-in and fetches the next payload when the group is ready for the next phase.
Description last updated: 2024-05-04T16:42:55.124Z
Aliases: none currently tracked.

Miscellaneous associations (other context that could aid in assessing relevance): Worm
Associated Malware

ID: Litterdrifter
Type: Unspecified
Votes: 2
Profile description: LitterDrifter is a malicious software (malware) that has been identified as a tool of the Russian Advanced Persistent Threat (APT) group, Gamaredon. This malware is particularly insidious as it is spread via USB drives, allowing for both direct and indirect infection of targeted systems. It was init
Associated Threat Actors

ID: Gamaredon
Type: Unspecified
Votes: 4
Profile description: Gamaredon, a Russian Advanced Persistent Threat (APT) group, has been identified as a significant threat actor in the cybersecurity landscape. Notably, it has employed the USB worm LitterDrifter in a series of cyberattacks against Ukraine, demonstrating its capacity for sophisticated and disruptive
Source Document References

Information about the Gamaredon Group threat actor was read from the document corpus below. This display is limited to 20 results.

Source | Created | Title
MITRE | 9 months ago | Operation (노스 스타) North Star A Job Offer That's Too Good to be True? | McAfee Blog
Securityaffairs | 10 months ago | Russian APT Gamaredon uses USB worm LitterDrifter against Ukraine
Checkpoint | 10 months ago | Malware Spotlight - Into the Trash: Analyzing LitterDrifter - Check Point Research
CERT-EU | a year ago | Hacker Group Infrastructure That Uses Weaponized MS Word Docs Uncovered
MITRE | 2 years ago | Russia's Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine
MITRE | 2 years ago | The Gamaredon Group Toolset Evolution
MITRE | 2 years ago | Gamaredon group grows its game | WeLiveSecurity
CSO Online | a year ago | Views of a hot cyberwar: the Ukrainian perspective on Russia's online assault
CERT-EU | a year ago | APT Cloud Atlas: Unbroken Threat