Skip to content

G0047 Gamaredon Group

Gamaredon Group is a suspected Russian cyber espionage threat group that has targeted military, NGO, judiciary, law enforcement, and non-profit organizations in Ukraine since at least 2013. The name Gamaredon Group comes from a misspelling of the word “Armageddon”, which was detected in the adversary’s early campaigns.32164

In November 2021, the Ukrainian government publicly attributed Gamaredon Group to Russia’s Federal Security Service (FSB) Center 18.74

Item Value
ID G0047
Associated Names IRON TILDEN, Primitive Bear, ACTINIUM, Armageddon, Shuckworm, DEV-0157
Version 2.0
Created 31 May 2017
Last Modified 15 April 2022
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
IRON TILDEN 5
Primitive Bear 8
ACTINIUM 4
Armageddon 6
Shuckworm 6
DEV-0157 4

Techniques Used

Domain ID Name Use
enterprise T1583 Acquire Infrastructure -
enterprise T1583.001 Domains Gamaredon Group has registered multiple domains to facilitate payload staging and C2.48
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Gamaredon Group has used HTTP and HTTPS for C2 communications.321698
enterprise T1119 Automated Collection Gamaredon Group has deployed scripts on compromised systems that automatically scan for interesting documents.1
enterprise T1020 Automated Exfiltration Gamaredon Group has used modules that automatically upload gathered documents to the C2 server.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Gamaredon Group tools have registered Run keys in the registry to give malicious VBS files persistence.219
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Gamaredon Group has used obfuscated PowerShell scripts for staging.4
enterprise T1059.003 Windows Command Shell Gamaredon Group has used various batch scripts to establish C2 and download additional files. Gamaredon Group‘s backdoor malware has also been written to a batch file.3198
enterprise T1059.005 Visual Basic Gamaredon Group has embedded malicious macros in document templates, which executed VBScript. Gamaredon Group has also delivered Microsoft Outlook VBA projects with embedded macros.21945
enterprise T1485 Data Destruction Gamaredon Group has used tools to delete files and folders from victims’ desktops and profiles.9
enterprise T1005 Data from Local System Gamaredon Group has collected files from infected systems and uploaded them to a C2 server.1
enterprise T1039 Data from Network Shared Drive Gamaredon Group malware has collected Microsoft Office documents from mapped network drives.1
enterprise T1025 Data from Removable Media A Gamaredon Group file stealer has the capability to steal data from newly connected logical volumes on a system, including USB drives.31
enterprise T1491 Defacement -
enterprise T1491.001 Internal Defacement Gamaredon Group has left taunting images and messages on the victims’ desktops as proof of system access.9
enterprise T1140 Deobfuscate/Decode Files or Information Gamaredon Group tools decrypted additional payloads from the C2. Gamaredon Group has also decoded base64-encoded source code of a downloader.21
enterprise T1568 Dynamic Resolution Gamaredon Group has incorporated dynamic DNS domains in its infrastructure.8
enterprise T1041 Exfiltration Over C2 Channel A Gamaredon Group file stealer can transfer collected files to a hardcoded C2 server.3
enterprise T1083 File and Directory Discovery Gamaredon Group macros can scan for Microsoft Word and Excel files to inject with additional malicious macros. Gamaredon Group has also used its backdoors to automatically list interesting files (such as Office documents) found on a system.18
enterprise T1564 Hide Artifacts -
enterprise T1564.003 Hidden Window Gamaredon Group has used hidcon to run batch files in a hidden console window.8
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools Gamaredon Group has delivered macros which can tamper with Microsoft Office security settings.1
enterprise T1070 Indicator Removal on Host -
enterprise T1070.004 File Deletion Gamaredon Group tools can delete files used during an operation.269
enterprise T1105 Ingress Tool Transfer Gamaredon Group has downloaded additional malware and tools onto a compromised host.3214
enterprise T1559 Inter-Process Communication -
enterprise T1559.001 Component Object Model Gamaredon Group malware can insert malicious macros into documents using a Microsoft.Office.Interop object.1
enterprise T1534 Internal Spearphishing Gamaredon Group has used an Outlook VBA module on infected systems to send phishing emails with malicious attachments to other employees within the organization.1
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location Gamaredon Group has used legitimate process names to hide malware including svchosst.8
enterprise T1112 Modify Registry Gamaredon Group has removed security settings for VBA macro execution by changing registry values HKCU\Software\Microsoft\Office\<version>\<product>\Security\VBAWarnings and HKCU\Software\Microsoft\Office\<version>\<product>\Security\AccessVBOM.19
enterprise T1106 Native API Gamaredon Group malware has used CreateProcess to launch additional malicious components.1
enterprise T1027 Obfuscated Files or Information Gamaredon Group has delivered self-extracting 7z archive files within malicious document attachments, and used obfuscated or encrypted scripts.16948
enterprise T1027.001 Binary Padding Gamaredon Group has obfuscated .NET executables by inserting junk code.1
enterprise T1027.004 Compile After Delivery Gamaredon Group has compiled the source code for a downloader directly on the infected system using the built-in Microsoft.CSharp.CSharpCodeProvider class.1
enterprise T1137 Office Application Startup Gamaredon Group has inserted malicious macros into existing documents, providing persistence when they are reopened. Gamaredon Group has loaded the group’s previously delivered VBA project by relaunching Microsoft Outlook with the /altvba option, once the Application.Startup event is received.1
enterprise T1120 Peripheral Device Discovery Gamaredon Group tools have contained an application to check performance of USB flash drives. Gamaredon Group has also used malware to scan for removable drives.31
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Gamaredon Group has delivered spearphishing emails with malicious attachments to targets.219485
enterprise T1057 Process Discovery Gamaredon Group has used tools to enumerate processes on target hosts including Process Explorer.68
enterprise T1021 Remote Services -
enterprise T1021.005 VNC Gamaredon Group has used VNC tools, including UltraVNC, to remotely interact with compromised hosts.648
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Gamaredon Group has created scheduled tasks to launch executables after a designated number of minutes have passed.194
enterprise T1113 Screen Capture Gamaredon Group‘s malware can take screenshots of the compromised computer every minute.1
enterprise T1608 Stage Capabilities -
enterprise T1608.001 Upload Malware Gamaredon Group has registered domains to stage payloads.48
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.005 Mshta Gamaredon Group has used mshta.exe to execute malicious HTA files.6
enterprise T1218.011 Rundll32 Gamaredon Group malware has used rundll32 to launch additional malicious components.1
enterprise T1082 System Information Discovery A Gamaredon Group file stealer can gather the victim’s computer name and drive serial numbers to send to a C2 server.329
enterprise T1016 System Network Configuration Discovery -
enterprise T1016.001 Internet Connection Discovery Gamaredon Group has tested connectivity between a compromised machine and a C2 server using Ping with commands such as CSIDL_SYSTEM\cmd.exe /c ping -n 1.6
enterprise T1033 System Owner/User Discovery A Gamaredon Group file stealer can gather the victim’s username to send to a C2 server.3
enterprise T1080 Taint Shared Content Gamaredon Group has injected malicious macros into all Word and Excel documents on mapped network drives.1
enterprise T1221 Template Injection Gamaredon Group has used DOCX files to download malicious DOT document templates and has used RTF template injection to download malicious payloads.10 Gamaredon Group can also inject malicious macros or remote templates into documents already present on compromised systems.219485
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File Gamaredon Group has attempted to get users to click on Office attachments with malicious macros embedded.2169485
enterprise T1102 Web Service Gamaredon Group has used GitHub repositories for downloaders which will be obtained by the group’s .NET executable on the compromised system.1
enterprise T1047 Windows Management Instrumentation Gamaredon Group has used WMI to execute scripts used for discovery.9

Software

ID Name References Techniques
S0097 Ping 6 Remote System Discovery
S0685 PowerPunch - PowerShell:Command and Scripting Interpreter Environmental Keying:Execution Guardrails Ingress Tool Transfer Obfuscated Files or Information
S0147 Pteranodon - Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter Local Data Staging:Data Staged Deobfuscate/Decode Files or Information Exfiltration Over C2 Channel File and Directory Discovery File Deletion:Indicator Removal on Host Ingress Tool Transfer Native API Obfuscated Files or Information Scheduled Task:Scheduled Task/Job Screen Capture Rundll32:System Binary Proxy Execution Mshta:System Binary Proxy Execution Virtualization/Sandbox Evasion
S0686 QuietSieve - Web Protocols:Application Layer Protocol Data from Local System File and Directory Discovery Hidden Window:Hide Artifacts Ingress Tool Transfer Network Share Discovery Peripheral Device Discovery Screen Capture Internet Connection Discovery:System Network Configuration Discovery

References


  1. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020. 

  2. Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020. 

  3. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017. 

  4. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022. 

  5. Secureworks CTU. (n.d.). IRON TILDEN. Retrieved February 24, 2022. 

  6. Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022. 

  7. Toulas, B. (2018, November 4). Ukraine links members of Gamaredon hacker group to Russian FSB. Retrieved April 15, 2022. 

  8. Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022. 

  9. CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022. 

  10. Raggi, M. (2021, December 1). Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors . Retrieved December 9, 2021. 

Back to top