
Gamaredon Group - New Toolset


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

Security researchers have discovered that the Gamaredon Group is using a new, custom-developed toolset rather than commercial off-the-shelf (COTS) products.

Affected platforms

The following platforms are known to be affected:

Threat details

The Gamaredon Group is an Advanced Persistent Threat (APT) group that mainly targets Ukrainian government and military organisations.

The group is known to use top-level domains such as .ru and .ua, which belong to Russia and Ukraine respectively, and to use compromised domains and dynamic DNS to distribute its malware. It uses phishing emails to trick users into downloading self-extracting zip files, which in turn download tools and send information to the command and control (C2) servers.

Capabilities of the custom toolset include capturing screenshots, downloading and executing additional binaries, and executing commands on the victim's system. Many of the malicious binaries identified have a very low detection rate among anti-virus vendors, making it all the more important to follow good security hygiene practices.


Remediation steps

  • Monitor network and proxy logs for indications of compromise.
  • Make sure that cyber-awareness training is kept up-to-date.
  • Make sure that malware signatures are kept up-to-date.
  • Never open email attachments or links in emails from untrusted sources.
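As an added example, not taken from the advisory or from NHS Digital, the following Python triages proxy log lines for the indicators the threat details describe: requests to .ru and .ua hosts, dynamic DNS hostnames, executable (self-extracting archive) downloads, and uploads to such hosts. The log format, hostnames and the dynamic DNS suffix list are assumptions; the sample log is constructed.

```python
from urllib.parse import urlparse

# Constructed sample proxy log (not from the advisory); one request per line:
# "<timestamp> <client_ip> <method> <url> <status> <content_type>"
SAMPLE_PROXY_LOG = """\
2020-02-17T10:01:02Z 10.20.30.40 GET http://update.example.com/patch.msi 200 application/x-msi
2020-02-17T10:02:15Z 10.20.30.41 GET http://docs-archive.example.ua/files/report.exe 200 application/x-msdownload
2020-02-17T10:03:40Z 10.20.30.41 POST http://host12.ddns.net/upload 200 text/html
2020-02-17T10:04:05Z 10.20.30.42 GET https://news.example.ru/index.html 200 text/html
not a well-formed log line
"""

WATCHED_TLDS = {"ru", "ua"}  # TLDs the advisory says the group favours
# Assumption: illustrative dynamic DNS suffixes; tune to the providers seen in your own logs
DYNAMIC_DNS_SUFFIXES = ("ddns.net", "no-ip.org", "duckdns.org")
# Self-extracting archives arrive as Windows executables
EXEC_CONTENT_TYPES = {"application/x-msdownload", "application/x-dosexec"}
EXEC_EXTENSIONS = (".exe", ".scr")


def classify_line(line):
    """Return {"client", "host", "reasons", "severity"} for one log line, or None if malformed."""
    fields = line.split()
    if len(fields) != 6:
        return None  # skip truncated or unexpected lines rather than abort the whole run
    _ts, client, method, url, _status, ctype = fields
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if host.rsplit(".", 1)[-1] in WATCHED_TLDS:
        reasons.append("watched-tld")
    if host.endswith(DYNAMIC_DNS_SUFFIXES):
        reasons.append("dynamic-dns")
    if ctype.lower() in EXEC_CONTENT_TYPES or parsed.path.lower().endswith(EXEC_EXTENSIONS):
        reasons.append("executable-download")
    # An upload to already-suspect infrastructure may be victim data leaving for C2
    if method == "POST" and reasons:
        reasons.append("upload-to-suspect-host")
    severity = None if not reasons else ("high" if len(reasons) >= 2 else "low")
    return {"client": client, "host": host, "reasons": reasons, "severity": severity}


def triage_proxy_log(text):
    """Return only the lines worth an analyst's attention, highest severity first."""
    findings = [classify_line(line) for line in text.splitlines()]
    hits = [f for f in findings if f and f["severity"]]
    return sorted(hits, key=lambda f: f["severity"] != "high")


if __name__ == "__main__":
    for hit in triage_proxy_log(SAMPLE_PROXY_LOG):
        print(hit["severity"], hit["client"], hit["host"], ",".join(hit["reasons"]))
```

A single watched-TLD hit is only a low-severity lead, since legitimate .ru and .ua traffic exists; it is the combination with an executable download or an upload that merits investigation.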

Last edited: 17 February 2020 11:31 am