The Gamaredon group, also known as BlueAlpha, has adopted sophisticated evasion tactics to expand its cyber operations. The group, active since 2014 and linked to Russia’s Federal Security Service (FSB), has recently been observed using Cloudflare Tunnels and DNS fast-fluxing in a spear-phishing campaign targeting Ukrainian entities and NATO-aligned countries, including Bulgaria, Latvia, Lithuania, and Poland. Recorded Future’s Insikt Group has documented these attacks, emphasizing their focus on deploying GammaDrop, a Visual Basic Script (VBS)-based malware used to compromise systems and maintain persistence.
The attack chain begins with phishing emails containing HTML attachments that leverage a technique called HTML smuggling. This method embeds malicious JavaScript to drop a compressed archive containing an LNK file. When executed, the LNK file uses mshta.exe to deliver GammaDrop, a malware dropper responsible for installing a custom loader called GammaLoad. GammaLoad establishes contact with command-and-control (C2) infrastructure hidden behind Cloudflare Tunnels. These tunnels obscure the origin of the staging servers, complicating detection and blocking by traditional security measures.
Gamaredon’s toolset is extensive and aimed at exfiltrating sensitive data and propagating malware. Notable tools include PteroSteal and PteroCookie, which extract credentials and cookies from web browsers, and PteroBleed, which targets data from web versions of Telegram and WhatsApp. Additional utilities, such as PteroLNK, weaponize USB drives to propagate infections, while others provide persistence and proxy functionalities. The group also employs DNS-over-HTTPS (DoH) to resolve C2 domains and uses DNS fast-fluxing to ensure uninterrupted access even when primary servers are blocked. These techniques demonstrate a blend of simplicity and sophistication, compensating for the otherwise rudimentary nature of the group’s malware.
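The chain above gives defenders two observable seams: mshta.exe launched from an LNK (its parent is explorer.exe) with a remote URL argument, and a non-browser process resolving a DoH resolver or a Cloudflare Tunnel hostname. The following heuristic detector is an added example, not code from the article or from Recorded Future; the resolver names, the `.trycloudflare.com` suffix and the Sysmon-style event records are assumptions constructed for illustration.

```python
"""Heuristic detections for the GammaDrop/GammaLoad chain: mshta.exe with a
remote HTA spawned by explorer.exe (LNK stage), and DoH / Cloudflare Tunnel
lookups by processes that are not browsers. Events are constructed samples."""
import re

# Assumed indicator lists; tune to the environment being monitored.
DOH_RESOLVERS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}
TUNNEL_SUFFIXES = (".trycloudflare.com",)   # assumed quick-tunnel hostname suffix
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
URL_ARG = re.compile(r"https?://\S+", re.IGNORECASE)

def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return a list of alert strings for one event (empty if nothing fired)."""
    alerts = []
    if ev["type"] == "process":
        img, parent = basename(ev["image"]), basename(ev["parent_image"])
        if img == "mshta.exe" and parent == "explorer.exe" and URL_ARG.search(ev["cmdline"]):
            alerts.append("mshta.exe spawned by explorer.exe with remote URL (LNK stage)")
    elif ev["type"] == "dns":
        img, q = basename(ev["image"]), ev["query"].lower()
        if q in DOH_RESOLVERS and img not in BROWSERS:
            alerts.append(f"DoH resolver {q} contacted by non-browser process {img}")
        if q.endswith(TUNNEL_SUFFIXES):
            alerts.append(f"Cloudflare Tunnel hostname {q} resolved by {img}")
    return alerts

def scan(events):
    """Run every event through check_event; return (event index, alert) pairs."""
    return [(i, a) for i, ev in enumerate(events) for a in check_event(ev)]

SAMPLE_EVENTS = [  # constructed Sysmon-like records, not real telemetry
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "mshta.exe https://staging.example.invalid/drop.hta"},
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\setup.hta"},   # local HTA: not flagged
    {"type": "dns", "image": r"C:\Windows\System32\wscript.exe", "query": "cloudflare-dns.com"},
    {"type": "dns", "image": r"C:\Program Files\Google\Chrome\chrome.exe", "query": "cloudflare-dns.com"},
    {"type": "dns", "image": r"C:\Windows\System32\wscript.exe", "query": "quiet-river-1234.trycloudflare.com"},
]

if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {alert}")
```

Only the remote-URL mshta launch and the two wscript.exe lookups fire; the local HTA and the browser's own DoH traffic pass, which is the noise floor a real rule has to respect.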
Cybersecurity experts highlight the challenges posed by Gamaredon’s tactics, particularly their use of legitimate services like Cloudflare to evade detection. Their frequent updates and obfuscation efforts make tracking and disrupting their operations increasingly difficult. Organizations are urged to enhance their security measures, including robust phishing protection and advanced behavioral analysis, to counter these evolving threats. For entities with limited cybersecurity resources, Gamaredon’s persistence and reliance on widely trusted services represent a significant risk that underscores the need for global vigilance against state-sponsored cyber threats.