Cisco Talos has revealed an ongoing cyber campaign by the Gamaredon group, targeting Ukrainian users with malicious LNK files. These files, disguised as Office documents, are distributed via spear-phishing emails that reference geopolitical topics, such as troop movements and conflict zones. The attackers use these themes to lure victims into opening the files, which are embedded with a PowerShell downloader. Once executed, the downloader contacts servers in Russia and Germany to fetch a second-stage payload containing the Remcos backdoor.
The malware campaign relies on sophisticated delivery methods, including DLL sideloading to bypass traditional detection systems.
This technique allows the attackers to execute the Remcos backdoor using legitimate applications, making it difficult for antivirus programs to detect. The downloaded payload is extracted into the victim’s %TEMP% folder, where it decrypts and injects the malicious code into Explorer.exe. The Remcos backdoor then establishes communication with the attackers’ command-and-control servers, which are geo-fenced to restrict access to Ukrainian victims.
Gamaredon’s use of geo-fenced servers hosted by ISPs like GTHost and HyperHosting enables targeted attacks against specific regions. Only victims in Ukraine are able to access these servers, ensuring that the malware operation remains localized. The C2 infrastructure is carefully designed to evade detection, and metadata analysis has revealed that only two machines were involved in creating the malicious files, consistent with past Gamaredon campaigns.
These servers also contain reverse DNS records that have provided researchers with additional indicators of compromise.
The Remcos backdoor gives attackers remote control over infected systems, allowing them to exfiltrate data and manipulate targets. Cisco Talos has observed instances of clean applications being exploited for DLL sideloading, further highlighting the group’s advanced techniques. Organizations are urged to implement comprehensive endpoint protection, email security, and network monitoring to defend against such threats. Gamaredon’s persistent targeting of Ukraine emphasizes the ongoing cyber risks associated with geopolitical conflicts.
