
A recent report from the Knownsec 404 Advanced Threat Intelligence team reveals the emergence of GamaCopy, a cyber espionage group mimicking the notorious Gamaredon APT. GamaCopy employs military-themed bait to conduct attacks on Russian defense and critical infrastructure sectors.
GamaCopy’s operations leverage military-related documents as bait to entice victims. These documents, embedded in 7z self-extracting (SFX) archives, deliver payloads using obfuscated scripts. According to the report, “The attacker provided information about the condition and location of Russian armed forces facilities” making the bait highly relevant and enticing to their targets.

The group also exploits UltraVNC, an open-source remote desktop tool, renaming its executable to blend in with common system processes. This tactic reduces detection and suspicion among victims. As the researchers note, attackers rename UltraVNC as a common process name in the system, connecting it to a specified command server to disguise their activities.
GamaCopy’s tactics, techniques, and procedures (TTPs) closely resemble those of Gamaredon, a long-established Russian APT targeting Ukraine. However, the report highlights key differences that distinguish GamaCopy:
- Language in Bait Documents: Gamaredon predominantly uses Ukrainian-language bait, while GamaCopy employs Russian-language materials, aligning with its focus on Russian targets.
- Port Usage: GamaCopy’s attacks utilize port 443, compared to Gamaredon’s preference for port 5612.
- Attack Chain Variations: While both groups use UltraVNC, GamaCopy employs fewer macros and VBS scripts in its payload delivery.
The report emphasizes that GamaCopy cleverly uses open-source tools as a shield to achieve its goals while confusing attribution, demonstrating a successful false flag operation.
First identified in June 2023, GamaCopy has likely been active since at least August 2021. The group’s campaigns focus on exploiting Russian-speaking targets, particularly in defense and government sectors. The Knownsec team has linked GamaCopy’s operations to Core Werewolf, a threat actor known for its anti-Russia campaigns.
By leveraging tools like UltraVNC, GamaCopy minimizes its footprint and complicates detection efforts. The group also obfuscates its attack scripts using delayed variable expansion, increasing the complexity of static analysis. The report states, “the attackers used the content related to military facilities as bait to launch attacks using open source tools, which undoubtedly wanted to hide themselves through the ‘fog of war’.”
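The delayed-variable-expansion trick mentioned above builds strings one character at a time from `!var:~start,len!` substring references, so the real command never appears literally in the script. The following analysis helper is an added example written for this article, not code from the Knownsec report or from any sample it describes; the batch fragment inside it is constructed to imitate the style (it reassembles a common process name, mirroring the renaming tactic the article mentions) and does not reproduce any actual GamaCopy script. It walks a script top to bottom, replays the `set` assignments with cmd.exe substring semantics, and returns the commands with every reference resolved, plus a simple count of single-character extractions that serves as a triage signal.

```python
import re

# Constructed sample, modelled on delayed-variable-expansion string building.
# It is NOT a script from the report; the decoded command is illustrative only.
SAMPLE_BAT = r'''
@echo off
setlocal EnableDelayedExpansion
set "a=o.vtsxhce "
set "b=!a:~4,1!!a:~2,1!!a:~7,1!!a:~6,1!!a:~0,1!!a:~4,1!"
set "c=!b!!a:~3,1!!a:~1,1!!a:~8,1!!a:~5,1!!a:~8,1!"
start "" !c!
'''

# One variable reference: !name!, !name:~start! or !name:~start,len!
# (the %...% form is matched the same way; the delimiter must match on both sides).
REF_RE = re.compile(r'([!%])([A-Za-z_][A-Za-z0-9_]*)(?::~(-?\d+)(?:,(-?\d+))?)?\1')
SET_RE = re.compile(r'^\s*set\s+(.*?)\s*$', re.IGNORECASE)


def substring(value, start, length):
    """Apply cmd.exe %var:~start,len% semantics, including negative offsets."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if length is None:
        return value[start:]
    if length < 0:
        end = n + length
        return value[start:end] if end > start else ''
    return value[start:start + length]


def expand(text, env):
    """Replace every variable reference in text using the current environment.
    An undefined variable expands to the empty string, as it does under
    delayed expansion in cmd.exe."""
    def repl(m):
        value = env.get(m.group(2).lower(), '')
        if m.group(3) is None:
            return value
        length = int(m.group(4)) if m.group(4) is not None else None
        return substring(value, int(m.group(3)), length)
    return REF_RE.sub(repl, text)


def deobfuscate(script):
    """Replay the script top to bottom, tracking set assignments.
    Returns (env, resolved_lines): the final variable table and every
    non-set command with its references expanded."""
    env = {}
    resolved = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SET_RE.match(line)
        if m and '=' in m.group(1):
            body = m.group(1)
            # set "name=value" form: the quotes protect trailing spaces in value
            if len(body) >= 2 and body[0] == '"' and body[-1] == '"':
                body = body[1:-1]
            name, _, value = body.partition('=')
            env[name.strip().lower()] = expand(value, env)  # names are case-insensitive
            continue
        resolved.append(expand(line, env))
    return env, resolved


def single_char_refs(script):
    """Count one-character substring extractions (:~n,1). A high count relative
    to script length is a cheap triage signal for this obfuscation style."""
    return sum(1 for m in REF_RE.finditer(script) if m.group(4) == '1')


if __name__ == '__main__':
    env, commands = deobfuscate(SAMPLE_BAT)
    print('single-char extractions:', single_char_refs(SAMPLE_BAT))
    for cmd in commands:
        print(cmd)
```

The replay is deliberately simple: it assumes straight-line execution and does not model `goto`, `call`, or block-scoped expansion, which is enough for the string-building pattern but should be treated as a first pass rather than a full batch interpreter.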