Russia-Linked Gamaredon Uses Troop-Related Lures to Deploy Remcos RAT in Ukraine

Entities in Ukraine have been targeted as part of a phishing campaign designed to distribute a remote access trojan called Remcos RAT.

"The file names use Russian words related to the movement of troops in Ukraine as a lure," Cisco Talos researcher Guilherme Venere said in a report published last week. "The PowerShell downloader contacts geo-fenced servers located in Russia and Germany to download the second stage ZIP file containing the Remcos backdoor."

The activity has been attributed with moderate confidence to a Russian hacking group known as Gamaredon, which is also tracked under the monikers Aqua Blizzard, Armageddon, Blue Otso, BlueAlpha, Hive0051, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, UAC-0010, UNC530, and Winterflounder.

The threat actor, assessed to be affiliated with Russia's Federal Security Service (FSB), is known for its targeting of Ukrainian organizations for espionage and data theft. It's operational since at least 2013.

The latest campaign is characterized by the distribution of Windows shortcut (LNK) files compressed inside ZIP archives, disguising them as Microsoft Office documents related to the ongoing Russo-Ukrainian war to trick recipients into opening them. It's believed these archives are sent via phishing emails.

The links to Gamaredon stem from the use of two machines that were used in creating the malicious shortcut files and which were previously utilized by the threat actor for similar purposes.

The LNK files come fitted with PowerShell code that's responsible for downloading and executing the next-stage payload cmdlet Get-Command, as well as fetching a decoy file that's displayed to the victim to keep up the ruse.

The second stage is another ZIP archive, which contains a malicious DLL to be executed via a technique referred to as DLL side-loading. The DLL is a loader that decrypts and runs the final Remcos payload from encrypted files present within the archive.

The disclosure comes as Silent Push detailed a phishing campaign that uses website lures to gather information against Russian individuals sympathetic to Ukraine. The activity is believed to be the work of either Russian Intelligence Services or a threat actor aligned with Russia.

The campaign consists of four major phishing clusters, impersonating the U.S. Central Intelligence Agency (CIA), the Russian Volunteer Corps, Legion Liberty, and Hochuzhit "I Want to Live," a hotline for receiving appeals from Russian service members in Ukraine to surrender themselves to the Ukrainian Armed Forces.

The phishing pages have been found to be hosted on a bulletproof hosting provider, Nybula LLC, with the threat actors relying on Google Forms and email responses to gather personal information, including their political views, bad habits, and physical fitness, from victims.

"All the campaigns [...] observed have had similar traits and shared a common objective: collecting personal information from site-visiting victims," Silent Push said. "These phishing honeypots are likely the work of either Russian Intelligence Services or a threat actor aligned to Russian interests."