CIO News Hubb
Advertisement
  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact
No Result
View All Result
  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact
No Result
View All Result
CIO News Hubb
No Result
View All Result
Home Information Security

Gamaredon Group Launches Cyberattacks Against Ukraine Using Telegram

admin by admin
January 21, 2023
in Information Security


Jan 20, 2023Ravie LakshmananCyber War / Cyber Attack

The Russian state-sponsored cyber espionage group known as Gamaredon has continued its digital onslaught against Ukraine, with recent attacks leveraging the popular messaging app Telegram to strike military and law enforcement sectors in the country.

“The Gamaredon group’s network infrastructure relies on multi-stage Telegram accounts for victim profiling and confirmation of geographic location, and then finally leads the victim to the next stage server for the final payload,” the BlackBerry Research and Intelligence Team said in a report shared with The Hacker News. “This kind of technique to infect target systems is new.”

Gamaredon, also known by names such as Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and Winterflounder, is known for its assaults aimed at Ukrainian entities since at least 2013.

Last month, Palo Alto Networks Unit 42 disclosed the threat actor’s unsuccessful attempts to break into an unnamed petroleum refining company within a NATO member state amid the Russo-Ukrainian war.

Attack chains mounted by the threat actor have employed legitimate Microsoft Office documents originating from Ukrainian government organizations as lures in spear-phishing emails to deliver malware capable of harvesting sensitive information.

These documents, when opened, load a malicious template from a remote source (a technique called remote template injection), effectively getting around the need to enable macros in order to breach target systems and propagate the infection.

The latest findings from BlackBerry demonstrate an evolution in the group’s tactics, wherein a hard-coded Telegram channel is used to fetch the IP address of the server hosting the malware. The IP addresses are periodically rotated to fly under the radar.

To that end, the remote template is designed to fetch a VBA script, which drops a VBScript file that then connects to the IP address specified in the Telegram channel to fetch the next-stage – a PowerShell script that, in turn, reaches out to a different IP address to obtain a PHP file.

This PHP file is tasked with contacting another Telegram channel to retrieve a third IP address that contains the final payload, which is an information-stealing malware that was previously revealed by Cisco Talos in September 2022.

It’s also worth pointing out that the heavily obfuscated VBA script is only delivered if the target’s IP address is located in Ukraine.

“The threat group changes IP addresses dynamically, which makes it even harder to automate analysis through sandbox techniques once the sample has aged out,” BlackBerry pointed out.

“The fact that the suspect IP addresses change only during Eastern European working hours strongly suggests that the threat actor works from one location, and with all probability belongs to an offensive cyber unit that deploys malicious operations against Ukraine.”

The development comes as the Computer Emergency Response Team of Ukraine (CERT-UA) attributed a destructive malware attack targeting the National News Agency of Ukraine to the Russia-linked Sandworm hacking group.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
Previous Post

Initiativesofbusinessarchitecture ~ Future of CIO

Next Post

Initiativesofarchitecture

Related Posts

Information Security

New Russian-Backed Gamaredon’s Spyware Variants Targeting Ukrainian Authorities

by admin
February 2, 2023
Information Security

AWS achieves ISO 20000-1:2018 certification for 109 services

by admin
February 2, 2023
Information Security

Everything you need to know

by admin
February 2, 2023
Information Security

Researchers Uncover New Bugs in Popular ImageMagick Image Processing Utility

by admin
February 1, 2023
Information Security

How to set up ongoing replication from your third-party secrets manager to AWS Secrets Manager

by admin
February 1, 2023
Next Post

Initiativesofarchitecture

Recommended

Initiatetogoapproach

February 2, 2023

New Russian-Backed Gamaredon’s Spyware Variants Targeting Ukrainian Authorities

February 2, 2023

AWS achieves ISO 20000-1:2018 certification for 109 services

February 2, 2023

Everything you need to know

February 2, 2023

Influentialleadership ~ Future of CIO

February 1, 2023

Researchers Uncover New Bugs in Popular ImageMagick Image Processing Utility

February 1, 2023

© 2022 CIO News Hubb All rights reserved.

Use of these names, logos, and brands does not imply endorsement unless specified. By using this site, you agree to the Privacy Policy and Terms & Conditions.

Navigate Site

  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact

Newsletter Sign Up

No Result
View All Result
  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact

© 2022 CIO News Hubb All rights reserved.