The Russian threat actor Gamaredon is targeting Ukrainians with spear-phishing documents related to troop movements, according to researchers at Cisco Talos.
“The invasion of Ukraine is a common theme used by the Gamaredon group in their phishing campaigns and this campaign continues the use of this technique,” the researchers write.
“The actor distributes LNK files compressed inside ZIP archives, usually disguising the file as an Office document and using names that are related to the invasion.
Although Talos was not able to pinpoint the exact method by which these files are distributed, it is likely that Gamaredon continues to send phishing emails with either the ZIP file directly attached to it or containing a URL link to download the file from a remote host.”
Once opened, the files will install the Remcos malware in the background. The themes are designed to trick users into opening the document quickly without stopping to think.
“The translation for these names shows the intent of this campaign in using a war-related theme,” Talos explains. “We can see some of the files use names of Russian or Ukrainian agents, as well as names alluding to troop movements in the region of conflict. These files contain metadata indicating only two machines were used in creating the malicious shortcut files.
As we mentioned in a previous blog, Gamaredon tends to use a short list of machines when creating the LNK files for their campaigns, and the ones used in this campaign were previously seen by Talos in incidents related to this threat group. The LNK files contain PowerShell code used to download and execute the next stage payload, as well as a decoy file which is shown to the user after the infection occurs as a way to disguise the compromise.”
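The two details Talos relies on above, the machine IDs recorded in the LNK metadata and the PowerShell arguments embedded in the shortcut, are both recoverable from the file format itself. The following is an added example (not Talos or KnowBe4 code) of a small Python triage script that walks a ZIP attachment, picks out members with a `.lnk` extension (including `.docx.lnk` style double extensions), parses the Shell Link header, StringData and ExtraData sections according to the public MS-SHLLINK layout, and reports the TrackerDataBlock machine ID together with a keyword-based verdict on the argument string. The sample shortcut, the machine names, the argument text and the suspicious-token list are all constructed for this example.

```python
"""Triage helpers for ZIP-wrapped LNK lures: extract the TrackerDataBlock
machine ID and the shortcut arguments. Added example, not Talos code;
field layout follows the public MS-SHLLINK specification."""
import io
import struct
import uuid
import zipfile

HEADER_SIZE = 0x4C
LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_ARGUMENTS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80
# StringData entries appear in this fixed order when their flag bit is set.
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
TRACKER_SIG = 0xA0000003
# Tokens a hunter would flag in a shortcut's argument string (constructed list).
SUSPICIOUS_TOKENS = ("powershell", "-nop", "-enc", "hidden", "http", "iex", "mshta")


def is_lnk(data):
    """True when the blob starts with a valid ShellLinkHeader (size + CLSID)."""
    return (len(data) >= HEADER_SIZE
            and struct.unpack_from("<I", data, 0)[0] == HEADER_SIZE
            and uuid.UUID(bytes_le=bytes(data[4:20])) == LINK_CLSID)


def _read_string(data, off, is_unicode):
    """Read one StringData entry: 2-byte CountCharacters, then the characters."""
    count = struct.unpack_from("<H", data, off)[0]
    off += 2
    end = off + (count * 2 if is_unicode else count)
    text = data[off:end].decode("utf-16-le" if is_unicode else "latin-1")
    return text, end


def triage_lnk(data):
    """Return machine ID, arguments and a suspicion verdict for one .lnk blob."""
    if not is_lnk(data):
        raise ValueError("not a shell link: bad HeaderSize or LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_IDLIST:  # LinkTargetIDList: 2-byte size followed by items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:  # LinkInfo: its size is the first 4 bytes
        off += struct.unpack_from("<I", data, off)[0]
    strings = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            strings[name], off = _read_string(data, off, bool(flags & IS_UNICODE))
    machine_id = None
    while off + 8 <= len(data):  # ExtraData blocks run until a block with size < 4
        size, sig = struct.unpack_from("<II", data, off)
        if size < 4:
            break
        if sig == TRACKER_SIG:
            # BlockSize, Signature, Length, Version (16 bytes), then MachineID[16]
            raw = data[off + 16:off + 32]
            machine_id = raw.split(b"\x00", 1)[0].decode("ascii", "replace")
        off += size
    args = strings.get("arguments", "")
    return {
        "machine_id": machine_id,
        "arguments": args,
        "suspicious": any(tok in args.lower() for tok in SUSPICIOUS_TOKENS),
    }


def build_sample_lnk(machine_id, arguments):
    """Construct a minimal .lnk with an Arguments string and a TrackerDataBlock."""
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID.bytes_le, HAS_ARGUMENTS | IS_UNICODE)
    header += b"\x00" * (HEADER_SIZE - len(header))  # remaining header fields zeroed
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    tracker = struct.pack("<IIII", 0x60, TRACKER_SIG, 0x58, 0)
    tracker += machine_id.encode("ascii").ljust(16, b"\x00") + b"\x00" * 64  # Droid + DroidBirth
    return header + string_data + tracker + struct.pack("<I", 0)  # TerminalBlock


def lnk_members(zip_bytes):
    """Member names ending in .lnk, which also catches double extensions like .docx.lnk."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(".lnk")]


def triage_zip(zip_bytes):
    """Triage every .lnk member of an archive; returns {member_name: verdict}."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {n: triage_lnk(zf.read(n)) for n in lnk_members(zip_bytes)}


# Constructed samples: a benign shortcut and a lure-style one. Machine names and
# argument strings are invented for this example; the lure carries only a placeholder.
BENIGN_LNK = build_sample_lnk("desktop-7qm2ls", "/c type readme.txt")
LURE_LNK = build_sample_lnk(
    "desktop-k3r9x2", '-w hidden -nop -c "<constructed placeholder for the next-stage command>"')


def build_sample_zip():
    """Constructed attachment: one text file plus a war-themed double-extension shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "plain text member")
        zf.writestr("troop_movements.docx.lnk", LURE_LNK)
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in triage_zip(build_sample_zip()).items():
        print(name, verdict)
```

The machine ID is the field worth pivoting on: Talos notes that only two creator machines appear across this campaign's shortcuts and that the same IDs showed up in earlier Gamaredon incidents, so matching the extracted value against IDs seen in past samples is a cheap clustering check before any payload analysis.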
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Cisco Talos has the story.