The Russian state-sponsored cyber espionage group known as Gamaredon has continued its digital onslaught against Ukraine, with recent attacks leveraging the popular messaging app Telegram to strike military and law enforcement sectors in the country.
"The Gamaredon group's network infrastructure relies on multi-stage Telegram accounts for victim profiling and confirmation of geographic location, and then finally leads the victim to the next stage server for the final payload," the BlackBerry Research and Intelligence Team said in a report shared with The Hacker News. "This kind of technique to infect target systems is new."
Gamaredon, also known by names such as Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and Winterflounder, is known for its assaults against Ukrainian entities since at least 2013.
Last month, Palo Alto Networks Unit 42 disclosed the threat actor's unsuccessful attempts to break into an unnamed petroleum refining company within a NATO member state amid the Russo-Ukrainian war.
Attack chains mounted by the threat actor have employed legitimate Microsoft Office documents originating from Ukrainian government organizations as lures in spear-phishing emails to deliver malware capable of harvesting sensitive information.
These documents, when opened, load a malicious template from a remote source (a technique called remote template injection), effectively getting around the need to enable macros in order to breach target systems and propagate the infection.
The latest findings from BlackBerry demonstrate an evolution in the group's tactics, wherein a hard-coded Telegram channel is used to fetch the IP address of the server hosting the malware. The IP addresses are periodically rotated to fly under the radar.
To that end, the remote template is designed to fetch a VBA script, which drops a VBScript file that then connects to the IP address specified in the Telegram channel to fetch the next-stage – a PowerShell script that, in turn, reaches out to a different IP address to obtain a PHP file.
This PHP file is tasked with contacting another Telegram channel to retrieve a third IP address that contains the final payload, which is an information-stealing malware that was previously revealed by Cisco Talos in September 2022.
It's also worth pointing out that the heavily obfuscated VBA script is only delivered if the target's IP address is located in Ukraine.
"The threat group changes IP addresses dynamically, which makes it even harder to automate analysis through sandbox techniques once the sample has aged out," BlackBerry pointed out.
"The fact that the suspect IP addresses change only during Eastern European working hours strongly suggests that the threat actor works from one location, and with all probability belongs to an offensive cyber unit that deploys malicious operations against Ukraine."
The development comes as the Computer Emergency Response Team of Ukraine (CERT-UA) attributed a destructive malware attack targeting the National News Agency of Ukraine to the Russia-linked Sandworm hacking group.