#ESETresearch has conducted a comprehensive technical analysis of new malicious tools and significant updates observed in 2024 in the arsenal of the Russia-aligned #Gamaredon #APTgroup targeting Ukraine🇺🇦. https://www.welivesecurity.com/en/eset-research/gamaredon-2024-cranking-out-spearphishing-campaigns-ukraine-evolved-toolset/
In 2024, #Gamaredon returned to exclusively targeting Ukrainian governmental institutions, significantly increasing the size and frequency of its #spearphishing campaigns compared to previous years, as shown in the chart.
Besides spearphishing, #Gamaredon continues to use custom malware for lateral movement, weaponizing USB and now also network drives via updated versions of PteroLNK. Additionally, the new tool PteroTickle weaponizes Python apps converted to executables.
The VBScript version of PteroLNK has become the group’s most frequently updated tool. It now weaponizes network drives, hides targeted folders, and creates malicious LNK files using JavaScript executed by mshta.exe.
Gamaredon added stealthier methods to known tools. For example, PteroPSDoor now uses WMI event subscriptions and FileSystemWatcher to quietly monitor files, reducing noisy operations that could alert defenders.
The new tool PteroGraphin implements uncommon persistence via Excel add-ins, creating a hidden channel for payload delivery through Telegraph. Later, Gamaredon simplified its persistence, relying instead on scheduled tasks alone.
Another notable addition is PteroBox, a new PowerShell-based file stealer that exfiltrates files to Dropbox. It prioritizes sensitive documents, tracks exfiltrated files via MD5 hashes, and monitors USB insertions through WMI events.
In 2024, Gamaredon went to great lengths to bypass network-based blocking. It increasingly hid its C&C servers behind Cloudflare tunnels and leveraged third-party DNS services, Codeberg repositories, and Telegraph posts to evade detection.
Our detailed technical analysis of the latest Gamaredon tools and techniques is available in the white paper: https://web-assets.esetstatic.com/wls/en/papers/white-papers/gamaredon-in-2024.pdf
IoCs are provided in the white paper and at https://github.com/eset/
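The thread notes that PteroPSDoor and PteroBox lean on WMI event subscriptions (file monitoring, USB-insertion triggers). A defender's first check for that technique is to enumerate the permanent WMI subscriptions on a host; the script below is an added example, not code from ESET or the white paper, and flags consumers whose action invokes mshta, wscript/cscript or encoded PowerShell (the indicator strings are an assumption, not IoCs from the paper):

```powershell
# Added example: list permanent WMI event subscriptions (filter -> consumer
# bindings) in root/subscription and flag consumers with suspicious payloads.
# Run in an elevated Windows PowerShell session; the namespace is standard.
$ns = 'root/subscription'

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer   # returns all derived classes
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# Assumed indicator patterns for this example (not from the white paper).
$suspicious = 'mshta|wscript|cscript|powershell.*-e(nc|ncodedcommand)?\s|FromBase64String'

$findings = foreach ($b in $bindings) {
    # Filter/Consumer are references to the bound objects; resolve by Name
    # to reach the WQL query and the consumer's action text.
    $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }   | Select-Object -First 1
    $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name } | Select-Object -First 1

    # CommandLineEventConsumer carries CommandLineTemplate,
    # ActiveScriptEventConsumer carries ScriptText (or ScriptFilename).
    $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
               elseif ($c.ScriptText)      { $c.ScriptText }
               else                        { $c.ScriptFilename }

    [pscustomobject]@{
        FilterName   = $f.Name
        Query        = $f.Query                      # e.g. __InstanceCreationEvent on Win32_LogicalDisk (USB)
        ConsumerType = $c.CimClass.CimClassName
        Payload      = $payload
        Suspicious   = [bool]($payload -match $suspicious)
    }
}

$findings | Format-Table -AutoSize -Wrap
$findings | Where-Object Suspicious | ForEach-Object {
    Write-Warning "Review WMI subscription '$($_.FilterName)' -> $($_.ConsumerType): $($_.Payload)"
}
```

On a clean workstation the binding list is normally empty or limited to well-known entries (for example the SCM event log consumer), so any CommandLineEventConsumer or ActiveScriptEventConsumer deserves a look regardless of the regex result.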
Famous Sparrow APT Group: Enhanced Cyber Arsenal and Global Threats

Explore the enhanced cyber arsenal of the Famous Sparrow APT group and their global threat impact.

The DefendOps Diaries

#Microsoft Warns of Chinese Hackers Spying on #Cloud Technology

https://www.msn.com/en-us/money/other/microsoft-warns-of-chinese-hackers-spying-on-cloud-technology/ar-AA1AiU3C

Dublin #srecon2024 #sreconemea24 #srecon24

Private communication with some Azure #sre :

We have #aptgroup s 💀😈in our cloud ☁️
but they are under control👀?

Me: #wtf really 😱

#38c3 cloud #IAM Identity and Access Management has been outsourced to #China https://media.ccc.de/v/38c3-from-simulation-to-tenant-takeover

You don't need to break into a house when you get the key from the owner.

⚠️ Windows MSHTML zero-day vulnerability under active attack! 🔓 Hackers can exploit this flaw via malicious documents. Apply mitigations ASAP! #Windows #APTGroup #ZeroDay https://www.netsec.news/windows-mshtml-platform-zero-day-vulnerability-actively-exploited-by-apt-group/
Windows MSHTML Platform Zero Day Vulnerability Actively Exploited by APT Group - NetSec.News

Microsoft patched a vulnerability on September Patch Tuesday yet attackers are still exploiting the vulnerability to install data-stealing malware. Vulnerability CVE-2024-43461 is identified as a ...

NetSec.News
Serious Exchange Flaw Still Plagues 350K Servers - The Microsoft Exchange vulnerability was patched in February and has been targeted by several thre... more: https://threatpost.com/serious-exchange-flaw-still-plagues-350k-servers/154548/ #advancedpersistentthreat #microsoftexchange #vulnerabilities #microsoftpatch #microsoftflaw #patchtuesday #microsoft #aptgroup #hacks #patch #apt
Serious Exchange Flaw Still Plagues 350K Servers

The Microsoft Exchange vulnerability was patched in February and has been targeted by several threat groups.

Threatpost - English - Global - threatpost.com
Microsoft Exchange Server Flaw Exploited in APT Attacks - A vulnerability in Microsoft Exchange servers is being actively exploited by multiple APT groups, ... more: https://threatpost.com/microsoft-exchange-server-flaw-exploited-in-apt-attacks/153527/ #advancedpersistentthreat #microsoftexchange #microsoftpatch #microsoftflaw #patchtuesday #microsoft #aptgroup #hacks #patch #apt
Microsoft Exchange Server Flaw Exploited in APT Attacks

A vulnerability in Microsoft Exchange servers is being actively exploited by multiple APT groups, researchers warn.

Threatpost - English - Global - threatpost.com