January 27, 2025 | 3 min read

GamaCopy Mimics Gamaredon Tactics in Cyber Attacks Against Russia



A previously unknown threat actor has been observed copying the tradecraft of the Kremlin-aligned Gamaredon hacking group in cyber attacks against Russian-speaking entities. The group, dubbed GamaCopy, runs cyber espionage campaigns that deliberately imitate Gamaredon's tactics.

Researchers from the Knownsec 404 Advanced Threat Intelligence team have uncovered a series of attacks that use lure content about military facilities to drop UltraVNC, a legitimate open-source remote access tool that the attackers abuse to keep unauthorized access to compromised systems. The attack chain is built to evade detection and to blend in with legitimate network traffic.

The campaign delivers its payloads with self-extracting (SFX) 7-Zip archives, a technique seen in Gamaredon's earlier operations. The embedded batch scripts are obfuscated with cmd.exe's delayed variable expansion (setlocal EnableDelayedExpansion), which lets a script assemble its real command at run time from substrings of environment variables, so the command never appears as a literal string and static analysis becomes harder.
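To make the delayed-expansion trick concrete, here is an added example, not the script Knownsec analysed and not GamaCopy's code: a small Python resolver that statically replays `set` assignments and `!var:~start,len!` substring expansions so the command a batch file would actually run can be read without executing it. The batch fragment, the variable names and the command it builds are all constructed for this example.

```python
import re

# Constructed batch fragment in the style of delayed-expansion obfuscation.
# It is NOT the script Knownsec analysed; names and the command are invented.
SAMPLE_BATCH = r'''
@echo off
setlocal EnableDelayedExpansion
set "q=abcdefghijklmnopqrstuvwxyz /-."
set "n=OneDrivers"
set "e=exe"
!q:~18,1!!q:~19,1!!q:~0,1!!q:~17,1!!q:~19,1! !q:~27,1!b !n!!q:~29,1!!e! !q:~28,1!!q:~18,1!!q:~4,1!!q:~17,1!!q:~21,1!!q:~8,1!!q:~2,1!!q:~4,1!
'''

# !name!, !name:~start! and !name:~start,len!  (the :~ substring form is what
# obfuscators lean on; the !name:old=new! replacement form is not handled here)
_EXPANSION = re.compile(r"!([A-Za-z_][A-Za-z0-9_]*)(?::~(-?\d+)(?:,(-?\d+))?)?!")
# set name=value  or  set "name=value"  (cmd variable names are case-insensitive)
_SET = re.compile(r'^@?set\s+"?([A-Za-z_][A-Za-z0-9_]*)=(.*?)"?$', re.IGNORECASE)


def substring(value, start, length=None):
    """Apply cmd.exe's !var:~start,len! rules: a negative start counts from the
    end, a negative len drops characters from the end, no len runs to the end."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    end = n if length is None else (n + length if length < 0 else start + length)
    return value[start:end] if end > start else ""


def expand(line, env):
    """Replace every !var...! in line using env. Undefined names stay literal,
    which is also what cmd.exe does."""
    def repl(m):
        name, start, length = m.groups()
        value = env.get(name.lower())
        if value is None:
            return m.group(0)
        if start is None:
            return value
        return substring(value, int(start), None if length is None else int(length))
    return _EXPANSION.sub(repl, line)


def resolve_batch(script):
    """Walk the script top to bottom, record set assignments, and return the
    remaining command lines with their !var! references resolved."""
    env, resolved, delayed = {}, [], False
    for raw in script.splitlines():
        line = raw.strip()
        low = line.lower()
        if not line or low in ("@echo off", "echo off", "endlocal") \
                or low.startswith(("rem ", "::")):
            continue
        if low.startswith("setlocal"):
            # !var! only expands once delayed expansion is on (cmd /V:ON would
            # also enable it; this resolver does not model that switch)
            delayed = delayed or "enabledelayedexpansion" in low
            continue
        m = _SET.match(line)
        if m:
            # the right-hand side of a set may itself reference earlier variables
            env[m.group(1).lower()] = expand(m.group(2), env) if delayed else m.group(2)
            continue
        resolved.append(expand(line, env) if delayed else line)
    return resolved


if __name__ == "__main__":
    for cmd in resolve_batch(SAMPLE_BATCH):
        print(cmd)
```

Running it prints the single reconstructed command line, which is exactly what a triage analyst wants to see before deciding whether the SFX archive is worth a full detonation. The resolver deliberately does not model `%var%` expansion, `call`, `for` loops or the `!var:old=new!` replacement form; real obfuscators mix those in, so treat this as the first pass, not a full cmd.exe emulator.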

Notably, the UltraVNC executable is renamed to "OneDrivers.exe", a name chosen to resemble a Microsoft OneDrive component and reduce suspicion. The tool connects to its command-and-control servers over port 443, so that the session blends in with ordinary HTTPS traffic.
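The rename plus the use of 443 is a detectable pattern on its own: the on-disk file name no longer matches the PE version resource, and the renamed binary then opens an outbound connection. As an added detection example (not part of the original article or of Knownsec's research), the following Python correlates constructed Sysmon-style ProcessCreate (Event ID 1) and NetworkConnect (Event ID 3) records by ProcessGuid and flags a process whose image name differs from its OriginalFileName and that then connects out on 443. The sample events, process GUIDs and IPs, and the assumption that the UltraVNC server binary carries OriginalFileName "winvnc.exe", are all constructed for this example.

```python
import ntpath

# Constructed events modelled on Sysmon Event ID 1 (ProcessCreate) and Event ID 3
# (NetworkConnect) fields. Not real telemetry from the campaign. The OriginalFileName
# "winvnc.exe" for the UltraVNC server binary is an assumption for this example.
EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}",
     "Image": r"C:\Users\user\AppData\Local\Temp\OneDrivers.exe",
     "OriginalFileName": "winvnc.exe", "CommandLine": "OneDrivers.exe -service"},
    {"EventID": 1, "ProcessGuid": "{B2}",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "OriginalFileName": "firefox.exe", "CommandLine": "firefox.exe"},
    {"EventID": 1, "ProcessGuid": "{C3}",
     "Image": r"C:\Tools\custom.exe",
     "OriginalFileName": "-", "CommandLine": "custom.exe"},  # no version resource
    {"EventID": 3, "ProcessGuid": "{A1}", "DestinationIp": "203.0.113.10",
     "DestinationPort": 443, "Protocol": "tcp"},
    {"EventID": 3, "ProcessGuid": "{B2}", "DestinationIp": "198.51.100.7",
     "DestinationPort": 443, "Protocol": "tcp"},
    {"EventID": 3, "ProcessGuid": "{C3}", "DestinationIp": "198.51.100.9",
     "DestinationPort": 443, "Protocol": "tcp"},
]


def name_mismatch(proc):
    """True when the on-disk file name differs from the PE version resource's
    OriginalFileName. Sysmon records "-" when the binary has no version info,
    and that case cannot be scored either way, so it is not flagged."""
    on_disk = ntpath.basename(proc["Image"]).lower()
    original = proc.get("OriginalFileName", "-").lower()
    return original not in ("", "-") and on_disk != original


def find_masquerading_c2(events, ports=(443,)):
    """Join ProcessCreate and NetworkConnect on ProcessGuid and return one alert
    per outbound connection on a watched port made by a renamed binary."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    alerts = []
    for e in events:
        if e["EventID"] != 3 or e["DestinationPort"] not in ports:
            continue
        proc = procs.get(e["ProcessGuid"])
        if proc is not None and name_mismatch(proc):
            alerts.append({
                "image": proc["Image"],
                "original_file_name": proc["OriginalFileName"],
                "command_line": proc["CommandLine"],
                "destination": f'{e["DestinationIp"]}:{e["DestinationPort"]}',
            })
    return alerts


if __name__ == "__main__":
    for alert in find_masquerading_c2(EVENTS):
        print(alert)
```

The check only works while the attacker leaves the version resource intact; a stripped or forged OriginalFileName defeats it, so pair it with hashing the dropped binary against known VNC builds and with parent-process context (here, an SFX archive spawning a batch file). Some legitimate software also ships renamed binaries, so expect to maintain an allowlist before turning this into a paging alert.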

While the attacks closely resemble Gamaredon's tactics, the researchers note key differences. Gamaredon primarily uses Ukrainian-language lures; GamaCopy predominantly employs Russian-language documents. That difference, together with the choice of Russian targets, suggests the two groups do not share the same operational motivations.

GamaCopy has emerged amid ongoing geopolitical tensions, with multiple threat actors targeting Russian organizations in the wake of the Russo-Ukrainian conflict. The group appears to be one of several actors seeking to exploit that environment.

The researchers assess that GamaCopy has been active since at least August 2021, with campaigns focused mainly on Russia's defense and critical infrastructure sectors. Its ability to convincingly imitate another threat actor's tradecraft shows how much harder attribution has become in cyber espionage operations.

Organizations are advised to keep endpoint detection in place and tuned for the behaviours described here: SFX archives that spawn batch scripts, remote-access binaries such as UltraVNC running under unexpected names, and outbound connections on port 443 from processes that are not browsers or known updaters.



Anthony Denis

Anthony Denis is a Security News Reporter with a Bachelor's in Business Computer Application. Drawing on a decade of digital media marketing experience and two years of freelance writing, he brings technical expertise to cybersecurity journalism. His background in IT, content creation and social media management enables him to deliver complex security topics with clarity and insight.
