Gamaredon Group

Threat Actor Profile Updated 3 months ago
The Gamaredon group, a threat actor active since at least 2013, uses sophisticated techniques to execute malicious campaigns. Notably, they employ signed binaries (T1116) in their operations and use tools written in C/C++, C#, batch files, and VBScript. Despite the relative simplicity of their tools, the group has demonstrated innovative capabilities, such as deploying an Outlook VBA module. Their strategy involves installing multiple scripts and executables on each system and regularly updating them, which makes it challenging for defenders to counteract their activities.

The group's activities have evolved over time, with recent developments indicating increased complexity in their operations. Check Point's analysis reveals that the Gamaredon group typically conducts large-scale campaigns, followed by intelligence-gathering activities. They have also developed a new tool called "LitterDrifter," which appears to be an evolution of a previously reported USB PowerShell worm tied to the group. This tool aligns with the group's objectives, maintaining a persistent command and control (C2) channel across a wide range of targets. Despite their fast development pace, the Gamaredon group occasionally exhibits a lack of attention to detail, as evidenced by issues that were later fixed in subsequent versions of their modules. Silent Push's investigation into the group's rapid flux operation further underscores this point.

Users of AutoFocus, a contextual threat intelligence service, can view malware associated with the group's attacks using the Gamaredon Group tag. Finally, the group's remote template retrieves a VBS script to execute; that script establishes a persistent C2 check-in and retrieves the next payload when the group is ready for the next phase.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Armageddon | 1 | Armageddon, also known as the Gamaredon Group, is a threat actor that has been operational since around 2013 or 2014. This group comprises regular officers of the Russian Federal Security Service (FSB) and some former law enforcement officers from Ukraine. Armageddon has been particularly active in
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Worm
Wiper
T1500
T1083
Lateral Move...
T1080
Apt
Outlook
Github
T1199
Malware
T1085
T1053
T1027
T1112
T1116
T1221
T1534
T1039
T1113
T1071
T1193
T1064
T1106
T1204
T1060
T1140
T1005
T1119
T1020
Payload
Decoy
Spearphishing
Russia
Espionage
Downloader
T1137
Backdoor
T1025
russian
Ukrainian
Associated Malware
ID | Type | Votes | Profile Description
Litterdrifter | Unspecified | 2 | LitterDrifter is a malicious software (malware) that has been identified as a tool of the Russian Advanced Persistent Threat (APT) group, Gamaredon. This malware is particularly insidious as it is spread via USB drives, allowing for both direct and indirect infection of targeted systems. It was init
Associated Threat Actors
ID | Type | Votes | Profile Description
Gamaredon | Unspecified | 4 | Gamaredon, a Russian Advanced Persistent Threat (APT) group, has been actively tracked since 2013 and is recognized as a significant threat actor in the cybersecurity landscape. Its primary target is Ukraine, against which it deploys an array of home-brewed malware through malicious documents. The E
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Gamaredon Group Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | 7 months ago | Operation (노스 스타) North Star A Job Offer That’s Too Good to be True? | McAfee Blog
Securityaffairs | 8 months ago | Russian APT Gamaredon uses USB worm LitterDrifter against Ukraine
Checkpoint | 8 months ago | Malware Spotlight - Into the Trash: Analyzing LitterDrifter - Check Point Research
CERT-EU | 10 months ago | Hacker Group Infrastructure That Uses Weaponized MS Word Docs Uncovered
MITRE | a year ago | Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine
MITRE | a year ago | The Gamaredon Group Toolset Evolution
MITRE | a year ago | Gamaredon group grows its game | WeLiveSecurity
CSO Online | a year ago | Views of a hot cyberwar — the Ukrainian perspective on Russia’s online assault
CERT-EU | a year ago | APT Cloud Atlas: Unbroken Threat