Jan 27, 2025 | Ravie Lakshmanan | Cyber Espionage / Threat Intelligence


A previously unknown threat actor has been observed copying the tradecraft associated with the Kremlin-aligned Gamaredon hacking group in its cyber attacks targeting Russian-speaking entities.

The campaign has been attributed to a threat cluster dubbed GamaCopy, which is assessed to share overlaps with another hacking group named Core Werewolf, also tracked as Awaken Likho and PseudoGamaredon.

According to the Knownsec 404 Advanced Threat Intelligence team, the attacks leverage content related to military facilities as lures to drop UltraVNC, allowing threat actors to remotely access the compromised hosts.


“The TTP (Tactics, Techniques, and Procedures) of this organization imitates that of the Gamaredon organization which conducts attacks against Ukraine,” the company said in a report published last week.

The disclosure arrives nearly four months after Kaspersky revealed that Russian government agencies and industrial entities have been the target of Core Werewolf, with the spear-phishing attacks paving the way for the MeshCentral platform instead of UltraVNC.

The starting point of the attack chain mirrors the one detailed by the Russian cybersecurity company wherein a self-extracting (SFX) archive file created using 7-Zip acts as a conduit to drop next-stage payloads. This includes a batch script that’s responsible for delivering UltraVNC, while also displaying a decoy PDF document.

The UltraVNC executable is given the name “OneDrivers.exe” in a likely effort to evade detection by passing it off as a binary associated with Microsoft OneDrive.

Knownsec 404 said the activity shares several similarities with Core Werewolf campaigns, including using 7z-SFX files to install and execute UltraVNC, port 443 to connect to the server, and the use of the EnableDelayedExpansion command.
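The three traits listed above (a batch script with EnableDelayedExpansion dropped by a 7z-SFX under %TEMP%, a renamed UltraVNC binary posing as OneDrive, and an outbound connection on port 443) can be turned into triage rules. The block below is an added example, not code from the report or from Knownsec 404: it replays constructed Sysmon-style events through those rules. The 7ZipSfx.000 directory name, the winvnc.exe OriginalFileName, the user name, the lure file name and the field layout are assumptions or placeholders, not indicators taken from the report.

```python
import ntpath

# Constructed, Sysmon-style events replaying the chain described in the article.
# Paths, user name and lure file name are placeholders, not indicators from the report.
SFX_EXE = r"C:\Users\alice\Downloads\Facility_Plan.exe"       # hypothetical 7z-SFX lure
SFX_TMP = r"C:\Users\alice\AppData\Local\Temp\7ZipSfx.000"    # assumed 7z-SFX extraction dir
EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": SFX_EXE,
     "CommandLine": f'cmd.exe /c "{SFX_TMP}\\run.bat"',
     "ScriptText": "@echo off\r\nsetlocal EnableDelayedExpansion\r\n"
                   "start \"\" decoy.pdf\r\nstart \"\" OneDrivers.exe\r\n"},
    {"EventType": "ProcessCreate", "Image": SFX_TMP + r"\OneDrivers.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "winvnc.exe", "Signed": False},      # OriginalFileName is an assumed value
    {"EventType": "NetworkConnect", "Image": SFX_TMP + r"\OneDrivers.exe",
     "DestinationPort": 443, "Signed": False},
    {"EventType": "ProcessCreate", "Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": "OneDrive.exe", "Signed": True},
]

def _base(path):
    return ntpath.basename(path).lower()

def _in_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower()

def triage(events):
    """Return (rule, subject) pairs for events matching the GamaCopy-style tradecraft."""
    alerts = []
    for ev in events:
        img, kind = ev.get("Image", ""), ev.get("EventType")
        # Rule 1: cmd.exe running a batch file out of %TEMP% whose body enables delayed expansion.
        if (kind == "ProcessCreate" and _base(img) == "cmd.exe" and _in_temp(ev.get("CommandLine", ""))
                and "enabledelayedexpansion" in ev.get("ScriptText", "").lower()):
            alerts.append(("sfx_batch_delayed_expansion", ev.get("ParentImage", "")))
        # Rule 2: OneDrive-looking name whose PE original name disagrees, or unsigned, or run from %TEMP%.
        if kind == "ProcessCreate" and _base(img).startswith("onedrive"):
            if ev.get("OriginalFileName", "").lower() != _base(img) or not ev.get("Signed") or _in_temp(img):
                alerts.append(("onedrive_masquerade", img))
        # Rule 3: an unsigned binary in %TEMP% connecting out on 443 (remote-access tool blending with HTTPS).
        if kind == "NetworkConnect" and ev.get("DestinationPort") == 443 and _in_temp(img) and not ev.get("Signed"):
            alerts.append(("temp_binary_outbound_443", img))
    return alerts

if __name__ == "__main__":
    for rule, subject in triage(EVENTS):
        print(f"[{rule}] {subject}")
```

The genuine OneDrive event produces no alert; only the renamed binary, its dropper script and its 443 connection are flagged.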

“Since its exposure, this organization has frequently mimicked the TTPs used by the Gamaredon organization and cleverly used open-source tools as a shield to achieve its own goals while confusing the public,” the company said.


GamaCopy is one of the many threat actors that have targeted Russian organizations in the wake of the Russo-Ukrainian war, such as Sticky Werewolf (aka PhaseShifters), Venture Wolf, and Paper Werewolf.

“Groups like PhaseShifters, PseudoGamaredon, and Fluffy Wolf stand out for their relentless phishing campaigns aimed at data theft,” Positive Technologies’ Irina Zinovkina said.


Source: thehackernews.com/
