Organizations across Russia have been targeted by the newly emergent Gama Copy threat cluster, which leverages Russian state-backed hacking operation Gamaredon's tools, in new attacks aimed at spreading UltraVNC for remote compromise, The Hacker News reports.
Gama Copy's intrusions also closely resemble those of the advanced persistent threat operation Core Werewolf, also known as PseudoGamaredon and Awaken Likho: both groups use 7-Zip self-extracting archive files to execute UltraVNC, connect to their servers over port 443, and rely on the EnableDelayedExpansion command, according to an analysis from the Knownsec 404 Advanced Threat Intelligence team. "Since its exposure, [Gama Copy] has frequently mimicked the TTPs used by the Gamaredon organization and cleverly used open-source tools as a shield to achieve its own goals while confusing the public," said Knownsec 404. The finding follows a Kaspersky report detailing Core Werewolf spear-phishing attacks against Russian entities that used 7z SFX archives to deploy the MeshCentral platform.
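The overlapping tradecraft described above (a 7z self-extracting archive that launches UltraVNC through a batch script using EnableDelayedExpansion, followed by an outbound connection on port 443) is a chain a defender can correlate in endpoint telemetry. The script below is an added example written for this page, not code from the article, The Hacker News, Knownsec 404 or Kaspersky. It works on a constructed, pipe-delimited event format of my own (kind|host|pid|ppid|image|detail) that stands in for process-creation and network-connection records; the field names, the sample events, the "sfx" tag in the detail field and the process-name patterns are all assumptions.

```python
"""Correlate constructed endpoint telemetry for the UltraVNC-over-443 chain.

Assumptions (not from the article): events are lines of the form
kind|host|pid|ppid|image|detail, where kind is "proc" (process start,
detail = command line or file description) or "net" (outbound connection,
detail = remote ip:port). For SFX stubs the detail field is assumed to carry
the extracted file description, e.g. "7zS.sfx".
"""
import re
from collections import defaultdict

# Constructed sample telemetry; host1 shows the full chain, host2 is benign noise.
SAMPLE_EVENTS = [
    "proc|host1|1000|800|C:\\Users\\u\\AppData\\Local\\Temp\\report.exe|7zS.sfx",
    "proc|host1|1010|1000|C:\\Windows\\System32\\cmd.exe|cmd /c setlocal EnableDelayedExpansion & start winvnc.exe",
    "proc|host1|1020|1010|C:\\Users\\u\\AppData\\Local\\Temp\\winvnc.exe|-run",
    "net|host1|1020|-|C:\\Users\\u\\AppData\\Local\\Temp\\winvnc.exe|10.0.0.5:443",
    "proc|host2|2000|1900|C:\\Program Files\\7-Zip\\7zG.exe|",
    "net|host2|2010|-|C:\\Program Files\\Mozilla Firefox\\firefox.exe|93.184.216.34:443",
]

# Assumed image names for UltraVNC binaries (winvnc.exe, uvnc*.exe, ultravnc.exe).
VNC_IMAGE = re.compile(r"(?:^|\\)(winvnc|ultravnc|uvnc\w*)\.exe$", re.I)
DELAYED = re.compile(r"EnableDelayedExpansion", re.I)


def parse_events(lines):
    """Turn the constructed pipe-delimited lines into dicts."""
    events = []
    for line in lines:
        kind, host, pid, ppid, image, detail = line.split("|", 5)
        events.append({
            "kind": kind, "host": host, "pid": int(pid),
            "ppid": None if ppid == "-" else int(ppid),
            "image": image, "detail": detail,
        })
    return events


def ancestors(procs, pid):
    """Yield the process itself and its parents, within one host, loop-safe."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        yield procs[pid]
        pid = procs[pid]["ppid"]


def detect(lines):
    """Return one finding per VNC process, with the indicators that matched."""
    by_host = defaultdict(lambda: {"procs": {}, "net": []})
    for e in parse_events(lines):
        if e["kind"] == "proc":
            by_host[e["host"]]["procs"][e["pid"]] = e
        elif e["kind"] == "net":
            by_host[e["host"]]["net"].append(e)

    findings = []
    for host, tables in by_host.items():
        procs, net = tables["procs"], tables["net"]
        for p in procs.values():
            if not VNC_IMAGE.search(p["image"]):
                continue
            chain = list(ancestors(procs, p["pid"]))
            indicators = {
                "vnc_process": True,
                # batch launcher using delayed expansion somewhere up the tree
                "delayed_expansion_batch": any(DELAYED.search(a["detail"]) for a in chain),
                # a 7-Zip self-extracting stub as an ancestor (assumed tag in detail)
                "sfx_ancestor": any("7z" in a["detail"].lower() and "sfx" in a["detail"].lower()
                                    for a in chain),
                # the VNC process itself talking out on 443
                "port_443_egress": any(n["pid"] == p["pid"] and n["detail"].endswith(":443")
                                       for n in net),
            }
            findings.append({
                "host": host, "pid": p["pid"], "image": p["image"],
                "indicators": indicators, "score": sum(indicators.values()),
            })
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["host"], f["pid"], f["score"], f["indicators"])
```

In production the same correlation would run over Sysmon process-creation and network-connection events (or the EDR equivalent) rather than this toy format, and the score threshold would be tuned: a VNC process alone is common in administered environments, whereas a VNC binary whose ancestry includes an SFX stub and a delayed-expansion batch launcher, and which then reaches out on 443, is the combination the article attributes to both clusters.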