Last Updated on 03/02/2022 by Nidhi Khandelwal
Researchers stated on Monday that they discovered evidence of a Russia-linked hacking operation attempting to harm a Ukrainian organization in July 2021.
In a new analysis released Monday, Broadcom-owned Symantec blamed the attacks on an actor known as Gamaredon (aka Shuckworm or Armageddon), a cyber-espionage collective operating since at least 2013.
In November 2021, Ukrainian intelligence agencies labeled the group a “special project” of Russia’s Federal Security Service (FSB), accusing it of carrying out over 5,000 cyberattacks against Ukrainian government officials and critical infrastructure.
Gamaredon attacks commonly rely on phishing emails to trick victims into installing Pterodo, a custom remote access trojan. According to Symantec, the actor deployed several variants of the backdoor, along with additional scripts and tools, between July 14, 2021 and August 18, 2021.
“The attack chain started with a malicious document, most likely sent by phishing email, that was opened by the user of the infected machine,” the researchers explained. The name of the organization that was harmed was not revealed.
At the end of July, the adversary used the implant to download and run an executable that served as a dropper for a VNC client, which then established connections to a remote command-and-control server under the attackers’ control.
“This VNC client looks to be the ultimate payload for this assault,” the researchers said, adding that after the installation the attackers were able to examine a number of documents on the infected PC, ranging from job descriptions to confidential company information.