GAMAREDON: AN INSIGHT INTO VICTIMOLOGY USING AUGURY

This is article is back! Please excuse the interruption. We take our analysis very seriously, and wanted to reassess in light of new information. This analysis is being re-posted unchanged and we confidently stand by our original post. Enjoy!

Author: Josh Hopkins

The Gamaredon Group is a threat actor group, believed to be aligned to Russia-state linked objectives. Community research into the group reveals a series of sophisticated attacks targeted predominantly against Ukrainian military interests, dating back to at least 2013.

In this blog we will examine two recent periods of activity – August/September 2019 and January/February 2020 – in order to provide further insight into the actions and potential victims of the Gamaredon Group.

In an attempt to protect potential victims from further damage, this blog will seek to provide a more generalized overview of activities, particularly when examining the most recent period of activity (January/February 2020).

January/February 2020

Public reporting in early to mid-January 2020 revealed current C2 infrastructure utilised by actors linked to the Gamaredon Group in phishing campaigns targeted at a Ukrainian audience, for example:

A number of hostnames, utilised in the first stage delivery of the Gamaredon Group’s malware via malicious email attachments and registered using the No-IP Dynamic DNS service, were identified:

  • dochlist.hopto[.]org
  • document-out.ddns[.]net
  • dominikanos.hopto[.]org
  • pasive.ddns[.]net
  • susget.hopto[.]org

Team Cymru’s Passive DNS data showed these hostnames resolving to 141.8.195[.]60 (WHOIS – SPRINTHOST, RU) at the time of their publication.

Team Cymru’s analysis of the Gamaredon Group’s activities identifies SPRINTHOST, RU as a favoured provider for hosting of the group’s C2 infrastructure.

Further public reporting in mid-February 2020 revealed additional Gamaredon Group infrastructure being utilised for the same purpose (first stage delivery):

Passive DNS data for the February 2020 hostnames showed them resolving to 141.8.194[.]74 (WHOIS – SPRINTHOST, RU).

Analysis of associated file samples relating to hostnames, obtained in both January and February 2020, identified the use of TCP/80 in communications with the C2. Based on these findings, Team Cymru’s NetFlow data was queried for the two IP addresses identified above, specifically focusing on inbound TCP/80 traffic.

In the case of 141.8.195[.]60, peaks in traffic were observed on 13, 17 and 31 January suggesting phishing campaigns were circulated on or around these dates. 

The move to the more recent C2 141.8.194[.]74 was also apparent, with limited inbound TCP/80 activity noted prior to 5 February – with peaks observed on this date as well as 11 and 16 February, again suggesting the circulation of phishing campaigns.

The majority of the traffic summarised in the above graph was sourced from Ukrainian hosts, although a small number of hosts assigned to providers in other countries were also observed (see below comment on threat research activity).

Note that Team Cymru’s NetFlow data is sampled to manage data volumes and as a result does not provide a 100% view of activity, however peaks in activity are still evident within this sampled dataset. We also take into account the fact that as these indicators are in the public domain, some of the observed activity may be attributable to other threat researchers/automated sandboxing activity.

August/September 2019

For this period, analysis will focus on 142.93.110[.]250 (WHOIS – DIGITAL OCEAN, US) which was identified in Team Cymru’s Passive DNS data resolving a number of hostnames attributed to the Gamaredon Group between June – September 2019:

  • armaruru.ddns[.]net
  • dropdrop.ddns[.]net
  • dropius.ddns[.]net
  • librework.ddns[.]net
  • telo-spread.ddns[.]net
  • ukraina-drp.ddns[.]net
  • usbqueshions.ddns[.]net

The above hostnames are believed to have been utilised for the purposes of post-compromise communications, i.e. a follow on stage to the initial delivery via phishing emails as described in the previous section.

It is possible that 142.93.110[.]250 was operated as a sinkhole for malicious activities not exclusive to the Gamaredon Group, this potential was taken into account when making assessments on the data provided below.

As previously, Team Cymru’s NetFlow data was queried for inbound TCP/80 traffic to the C2 (142.93.110[.]250).

Although some peaks are observable in the NetFlow data for 142.93.110[.]250, the consistency in activity is more in keeping with post-compromise beacons and is therefore to be expected in the case of this particular C2.

During the period analysed (11 August – 22 September 2019) 543 unique hosts, assigned to providers in Ukraine, were observed making connections to the C2 on TCP/80.

Connections were defined where observed TCP flags were greater than 2, suggesting that a TCP handshake was performed, and data was transferred between the potential victim hosts and the C2.

The five most frequently observed Ukrainian providers, based on WHOIS data for the 543 hosts, are summarised in the table below:

Although immediate references to the Ukrainian military were not observed in WHOIS data – either in the above table or in the wider dataset – many of the potential victim hosts were assigned to large Ukrainian ISPs offering coverage across the country, including ‘front line’ conflict areas in the East and South-East of the country.

Conclusion

This analysis has identified data to support assessments of the regularity of the Gamaredon Group’s phishing campaigns and the extent of their potential victims (over 500 unique hosts observed within a 44-day period). It also serves to provide an insight into the potential value of Augury to your organization – in identifying potential victims of malicious activity and subsequently placing this activity in a wider context.

About the Author:

Josh Hopkins is a threat analyst in the Team Cymru Threat Intelligence Group.

Comments are closed.

Up ↑

%d bloggers like this: