Russian hackers target NATO country’s oil refinery

December 21, 2022

According to new Unit 42 research, a hacking group known as Gamaredon APT, which the Ukrainian government claims is a unit of Russian intelligence, attempted to compromise a large petroleum refining company based inside a NATO member earlier this year.

Unit 42 reports that on August 30 the group made a failed attempt to compromise a large petroleum refining company within a NATO member nation, an attack in which it used numerous changes to its tactics, techniques, and procedures (TTPs). Immediately after the initial invasion, an individual who appears to be associated with Trident Ursa (Unit 42's name for the Gamaredon group) threatened to harm a cybersecurity researcher based in Ukraine.

Since the beginning of the invasion, Unit 42 researchers have discovered over 500 new domains and 200 malware samples associated with Gamaredon APT. The report also states that the group uses the fast flux DNS technique, rapidly rotating the IP addresses behind its domains, both to make its infrastructure more resilient to law enforcement takedown and to make denylisting of the associated IP addresses difficult.

The Ukrainian assessment and the Unit 42 report both agree that the group heavily relies on phishing as a malware vector. It spreads by tricking users into opening attached HTML files, clicking on a seemingly harmless link, or opening a Word document.

When Unit 42 examined a phishing sample with a low detection rate on VirusTotal, it discovered that the Word attachment itself contained no malicious code. It instead downloaded a remote template containing a macro, which then executed malicious code.

The sources for this piece include an article in TheHackerNews.


Jim Love

Jim is an author and podcast host with over 40 years in technology.
