A previously unknown threat actor has been observed copying the tradecraft associated with the Kremlin-aligned Gamaredon hacking group in cyber attacks targeting Russian-speaking entities.
The campaign has been attributed to a threat cluster dubbed GamaCopy, which is assessed to overlap with another hacking group, Core Werewolf, also tracked as Awaken Likho and PseudoGamaredon.
According to the Knownsec 404 Advanced Threat Intelligence team, the attacks use military-related content as a lure to deploy UltraVNC, which gives the threat actors remote access to the compromised hosts.
“The TTPs (tactics, techniques and procedures) of this organization imitate the tactics of the Gamaredon organization, which is attacking Ukraine,” the company said in a report published last week.
The disclosure comes nearly four months after Kaspersky found that Russian state institutions and industrial organizations were targeted by Core Werewolf, with phishing attacks paving the way for the MeshCentral platform instead of UltraVNC.
The starting point of the attack chain mirrors the one detailed by the Russian cybersecurity company: a self-extracting (SFX) archive created with 7-Zip acts as the conduit for dropping the next-stage payloads. These include a batch script responsible for launching UltraVNC while displaying a decoy PDF document.
The UltraVNC executable is named “OneDrivers.exe”, likely to evade detection by passing it off as a binary associated with Microsoft OneDrive.
Knownsec 404 said the activity has several similarities with Core Werewolf campaigns, including the use of 7z-SFX files to install and execute UltraVNC, the use of port 443 to connect to the server, and the use of the EnableDelayedExpansion command.
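As an added example (not code from the Knownsec 404 report or this article), the following Python routine scores constructed process-creation events and batch-script text against the overlaps listed above: a batch script started from a 7z-SFX, UltraVNC renamed OneDrivers.exe, and an outbound connection on port 443. The event schema, file paths and PIDs are assumptions.

```python
# Added example, not code from the Knownsec 404 report: triage of constructed
# process-creation events against the chain described above (batch script from
# a 7-Zip SFX, UltraVNC renamed "OneDrivers.exe", outbound port 443).
# Field names, paths and PIDs are hypothetical.
import ntpath
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    pid: int
    image: str            # full path of the new process
    parent_image: str     # full path of the parent process
    parent_cmdline: str   # parent's command line
    dest_port: int = 0    # first outbound destination port, 0 if none

LOOKALIKE = "onedrivers.exe"  # file name reported for the renamed UltraVNC binary
def basename(path):
    return ntpath.basename(path).lower()

def score_event(ev):
    """Return the reasons an event matches the reported tradecraft (empty if none)."""
    if basename(ev.image) != LOOKALIKE:   # genuine OneDrive is OneDrive.exe
        return []
    reasons = ["binary named OneDrivers.exe (OneDrive lookalike used for UltraVNC)"]
    if ev.dest_port == 443:
        reasons.append("lookalike binary connecting outbound on port 443")
    if basename(ev.parent_image) == "cmd.exe" and ".bat" in ev.parent_cmdline.lower():
        reasons.append("launched by a batch script, as in the 7z-SFX chain")
    return reasons

def scan(events):
    """Map PID -> reasons for every event that matched at least one indicator."""
    return {ev.pid: r for ev in events for r in [score_event(ev)] if r}

def batch_matches(text):
    """True when a batch script enables delayed expansion and starts the lookalike."""
    t = text.lower()
    return "enabledelayedexpansion" in t and LOOKALIKE in t
# Constructed sample telemetry: a genuine OneDrive start and the reported chain.
SAMPLE = [
    ProcessEvent(100, r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
                 r"C:\Windows\explorer.exe", "explorer.exe", 443),
    ProcessEvent(200, r"C:\Users\u\AppData\Local\Temp\OneDrivers.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\run.bat"', 443),
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

The genuine OneDrive.exe event produces no hit, while the renamed binary started from a batch file with a port 443 connection matches all three indicators.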
“Since its discovery, this organization has frequently imitated the TTPs used by Gamaredon and deftly used open-source tools as a shield to achieve its own goals while confusing the public,” the company said.
GamaCopy is one of many threat actors that have targeted Russian organizations since the start of the Russo-Ukrainian war, alongside Sticky Werewolf (aka PhaseShifters), Venture Wolf and Paper Werewolf.
“Groups such as PhaseShifters, PseudoGamaredon and Fluffy Wolf stand out with their relentless phishing campaigns aimed at stealing data,” said Irina Zinovkina of Positive Technologies.