Cisco Talos discovered Gamaredon APT activity targeting users in Ukraine with malicious LNK files distributed in RAR archives. The campaign, part of an ongoing espionage operation observed as recently as August 2022, aims to deliver information-stealing malware to Ukrainian victim machines and makes heavy use of multiple modular PowerShell and VBScript (VBS) scripts as part of the infection chain. The infostealer is a dual-purpose malware that includes capabilities for exfiltrating specific file types and deploying additional binary and script-based payloads on an infected endpoint.
ADVERSARY: Gamaredon Group
TARGETED COUNTRY: Ukraine
ATT&CK IDS: T1059 - Command and Scripting Interpreter, T1547 - Boot or Logon Autostart Execution, T1566 - Phishing, T1105 - Ingress Tool Transfer, T1546 - Event Triggered Execution, T1082 - System Information Discovery, T1113 - Screen Capture, T1140 - Deobfuscate/Decode Files or Information