GamaCopy APT Group Targeting Russian-Speaking Users


Summary
Cyble Research and Intelligence Labs (CRIL) came across an article in which security researchers identified attack samples by the GamaCopy APT group targeting Russian-speaking targets. Attackers have leveraged military-themed content as bait to conduct cyberattacks, using open-source tools to obscure their operations amidst the "fog of war" created by the Russia-Ukraine conflict. This attack mimicked the tactics of the Gamaredon group, a known threat actor targeting Ukraine, and has been dubbed "GamaCopy."
Analysis and correlation of the samples reveal the following characteristics of this attack:
Military-related content is used as bait to initiate the attack.
The 7z self-extracting archive (SFX) delivers and executes subsequent payloads.
The open-source tool UltraVNC is utilized to facilitate further attack activities.
The organization’s Tactics, Techniques, and Procedures (TTPs) mimic those of the Gamaredon group, known for targeting Ukraine.
Technical Detail
The attacker shared details about the status and location of Russian armed forces facilities, with the bait document in Sample 1 being as follows:
Below is the bait document in Sample 2:
The below figure shows the content of the sample:
The second file is an SFX self-extracting installation script that contains extensive comment text alongside its executable statements. Its primary function is to execute the file 2128869258671564.cmd.
2128869258671564.cmd is a batch script that utilizes setlocal enabledelayedexpansion to enable delayed variable expansion within a local scope.
The content of the script before obfuscation is as follows:
The primary functions of the script include:
Renaming Ki58j08O58F68M58q2.PQ87G87O97o67r27Y9 to svod.pdf and executing it.
Renaming yC61y51v51g71p61U4.Eb21h11U11Z31P71F8 to OneDrivers.exe.
Renaming lC32A32W52T12R02u1.uZ94Y64M14m54z84J3 to UltraVNC.ini.
Terminating any running instance of OneDrivers.exe on the host and restarting it.
In reality, the file renamed “OneDrivers.exe” is the main executable of the open-source remote desktop tool UltraVNC. By renaming it to resemble a common system process, the attackers aim to blend in and connect to a designated command server, effectively lowering the victims' suspicions.
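As an added illustration (not code from the original report or its authors), the following Python heuristic flags the dropper pattern described above: delayed expansion enabled, long random file names renamed to .pdf/.exe/.ini, and a process killed and then restarted. The real script is not reproduced on the page, so the input is a constructed sample that only mimics the described behaviour; the file names are those quoted in the report, everything else is assumed.

```python
import re

# Constructed sample mimicking the behaviour the report attributes to
# 2128869258671564.cmd; it is not the actual script.
SAMPLE_CMD = r"""@echo off
setlocal enabledelayedexpansion
set "d=%~dp0"
ren "Ki58j08O58F68M58q2.PQ87G87O97o67r27Y9" svod.pdf
start "" "%d%svod.pdf"
ren "yC61y51v51g71p61U4.Eb21h11U11Z31P71F8" OneDrivers.exe
ren "lC32A32W52T12R02u1.uZ94Y64M14m54z84J3" UltraVNC.ini
taskkill /f /im OneDrivers.exe
start "" "%d%OneDrivers.exe"
"""

# Heuristic: both name and "extension" are long alphanumeric blobs.
RANDOM_NAME = re.compile(r'^[A-Za-z0-9]{12,}\.[A-Za-z0-9]{12,}$')
REN = re.compile(r'^\s*ren(?:ame)?\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?', re.I)
TASKKILL = re.compile(r'^\s*taskkill\b.*?/im\s+(\S+)', re.I)
START = re.compile(r'^\s*start\b.*?([A-Za-z0-9_.-]+\.exe)\b', re.I)
DELAYED = re.compile(r'^\s*setlocal\s+enabledelayedexpansion', re.I)


def analyse_batch(text):
    """Return human-readable findings for the SFX-dropper pattern."""
    findings = []
    lines = text.splitlines()
    if any(DELAYED.match(l) for l in lines):
        findings.append("delayed expansion enabled")
    renamed = {}  # new name (lower) -> original random name
    for l in lines:
        m = REN.match(l)
        if m and RANDOM_NAME.match(m.group(1)):
            src, dst = m.group(1), m.group(2)
            if dst.rsplit('.', 1)[-1].lower() in ("exe", "ini", "pdf"):
                renamed[dst.lower()] = src
                findings.append(f"random name {src} renamed to {dst}")
    killed = set()
    for l in lines:
        m = TASKKILL.match(l)
        if m:
            killed.add(m.group(1).lower())
        m = START.match(l)
        if m and m.group(1).lower() in killed and m.group(1).lower() in renamed:
            findings.append(f"{m.group(1)} killed then restarted")
    if "ultravnc.ini" in renamed and any(k.endswith(".exe") for k in renamed):
        findings.append("UltraVNC.ini dropped beside renamed executable")
    return findings
```

The function returns an empty list for scripts that show none of these traits, so it can be run over every .cmd extracted from an SFX archive during triage.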
The attack sample under analysis appears to be linked to either the Gamaredon or GamaCopy APT group. Gamaredon has been active since 2013 and targets Ukraine’s military, NGOs, judiciary, law enforcement, and non-profits. Their attacks often involve 7z-SFX documents and UltraVNC, typically delivered via macros and VBS scripts, and they frequently use port 5612. GamaCopy, identified in June 2023, targets Russia's defense and critical infrastructure, mimicking Gamaredon's TTPs. Active since at least August 2021, GamaCopy uses 7z-SFX documents to install UltraVNC, connects via port 443, and employs delayed variable expansion to increase code complexity.
Gamaredon primarily uses Ukrainian-language bait documents, while GamaCopy uses Russian-language bait. Gamaredon often relies on VBS scripts and port 5612, whereas this sample uses port 443 and employs tactics consistent with GamaCopy, such as Russian-language military-related bait.
Based on overlapping tactics like the use of 7z-SFX for UltraVNC installation, port 443, and the bait content, the attack is more likely attributed to GamaCopy than Gamaredon. The use of military-sensitive bait documents in the Russia-Ukraine conflict context further aligns with GamaCopy’s targeting patterns.
Recommendation
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
The initial breach may occur via spam emails. Therefore, it’s advisable to deploy strong email filtering systems to identify and prevent the dissemination of harmful attachments.
When handling email attachments or links, particularly those from unknown senders, exercising caution is crucial. Verify the sender’s identity, particularly if an email seems suspicious.
Consider disabling or limiting the execution of scripting languages on user workstations and servers if they are not essential for legitimate purposes.
Restrict the execution of WerFaultSecure.exe to its designated location to prevent unauthorized execution from other directories.
Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
Monitor the beacon on the network level to block data exfiltration by malware or TAs.
Conclusion
From the perspectives of code similarities, language usage in bait documents, and port selection, the attack samples are more likely to be attributed to the GamaCopy organization. Since its emergence, GamaCopy has consistently mimicked the TTPs of the Gamaredon group, skillfully leveraging open-source tools to achieve its objectives while creating confusion and obscuring its identity.
