##### ESET Research white papers # Cyberespionage the Gamaredon way: ## Analysis of toolset used to spy on Ukraine in 2022 and 2023 ##### 26 September, 2024 ----- ### TABLE OF CONTENTS EXECUTIVE SUMMARY ................................................................................................................................................ 1 OVERVIEW ..................................................................................................................................................................... 2 Victimology ......................................................................................................................................................................... 4 Attribution .......................................................................................................................................................................... 4 TECHNICAL ANALYSIS ................................................................................................................................................. 4 Initial access ....................................................................................................................................................................... 4 Toolset ................................................................................................................................................................................. 7 Obfuscation ...................................................................................................................................................................... 34 NETWORK INFRASTRUCTURE ................................................................................................................................. 38 Bypassing domain-based blocking............................................................................................................................. 38 CONCLUSION .............................................................................................................................................................. 38 IOCS ............................................................................................................................................................................... 39 Files ..................................................................................................................................................................................... 39 Network ............................................................................................................................................................................. 43 MITRE ATT&CK TECHNIQUES .................................................................................................................................. 47 Author: Zoltán Rusnák ----- ### EXECUTIVE SUMMARY In this white paper, we provide a comprehensive technical analysis of the toolset used by the Gamaredon advanced persistent threat (APT) group to conduct its cyberespionage activities in 2022 [and 2023, or since the war in Ukraine escalated in February 2022. This Russia-aligned group](https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/) has been active since at least 2013 and is currently the most active threat actor in Ukraine, focusing mainly on [the country’s governmental institutions, as evidenced over time by ESET telemetry, in several reports](https://www.rnbo.gov.ua/en/Diialnist/4823.html) from CERT-UA, and from other official Ukrainian bodies. [Gamaredon has been attributed by the Security Service of Ukraine (SSU)](https://ssu.gov.ua/en/novyny/sbu-vstanovyla-khakeriv-fsb-yaki-zdiisnyly-ponad-5-tys-kiberatak-na-derzhavni-orhany-ukrainy) to the 18[th] Center of Information [Security of the FSB, operating out of occupied Crimea. We believe this group to be collaborating with](https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/) another threat actor that we discovered and named InvisiMole. We analyzed thousands of samples and share details about Gamaredon’s ever-changing obfuscation tricks and numerous techniques used for bypassing domain-based blocking. These tactics pose a significant challenge to tracking efforts, as they make it harder for systems to automatically detect and block the group’s tools. Nevertheless, during our research, we managed to identify and understand these tactics, and keep track of Gamaredon’s activities. Key findings: - The majority of Gamaredon’s attacks are directed against Ukrainian governmental institutions, but we also saw a few attempts to compromise targets in several NATO countries, namely Bulgaria, Latvia, Lithuania, and Poland. - To compromise new victims, Gamaredon conducts spearphishing campaigns and uses its custom malware to weaponize the victim’s Word documents and USB drives that are expected to be shared among potential new victims. - Gamaredon’s toolset mainly includes custom-made malware written in PowerShell, VBScript, and C, but also a few open-source tools. - We analyzed thousands of samples and provide a description of the most actively used tools including their evolution, and a few examples of typical obfuscation applied to them. - We share our observations about Gamaredon’s network infrastructure and its methods of bypassing domain-based blocking. ### OVERVIEW Since July 2021, we have been periodically documenting the most relevant Gamaredon activities in [public ESET APT Activity Reports, and in private ESET Threat Intelligence Reports available to selected](https://www.eset.com/int/business/services/threat-intelligence/) customers. In this white paper, we provide an in-depth analysis of the tools that are the most prevalent, or interesting in some other way, in order to shed more light on the relationships that exist among the tools and to help create a bigger picture of the tools’ ecosystem. For many years, since its first appearance around 2013, Gamaredon focused all its resources exclusively on compromising targets in Ukraine. To our surprise, in April 2022 and February 2023, we observed two spearphishing campaigns in which the group targeted governmental institutions in several NATO countries. To our knowledge, no successful breaches occurred, and Gamaredon has since returned its focus solely to Ukraine. According to our long-term observations, Gamaredon, unlike most APT groups, does not try to be stealthy and remain hidden as long as possible by using novel techniques when conducting cyberespionage operations, but rather the operators are reckless and do not mind being discovered by defenders during their operations. Even though they do not care so much about being noisy, they apparently put in a lot of effort to avoid being blocked by security products and try very hard to maintain access to compromised systems. Typically, Gamaredon attempts to preserve its access by ----- deploying multiple simple downloaders or backdoors simultaneously. The lack of sophistication of Gamaredon tools is compensated by frequent updates and use of regularly changing obfuscation. In the past, Gamaredon used numerous downloaders and various tools to move laterally within infiltrated systems. Its ultimate payload was a file stealer, whose main goal was to look for files with specific file extensions and exfiltrate them to the command and control (C&C) server. These tools were written mostly in C, VBScript, and .NET, and many of them were deployed packed in self-extracting (SFX) archives. In 2022, the trend slowly started to shift towards the use of VBScript and PowerShell in tandem, and Gamaredon almost completely ditched the use of SFX archives. During 2023, Gamaredon notably improved its cyberespionage capabilities and developed several new tools in PowerShell, with a focus on stealing valuable data, for example from web applications running inside internet browsers, email clients, and instant messaging applications such as Signal and Telegram. The timeline of new tools deployed in 2022 and 2023 is shown in Figure 1. Except for PteroScreen, all of the tools shown in that figure were discovered by ESET Research. Figure 1. Timeline of new tools added to Gamaredon’s arsenal ----- In May 2022, we noticed that Gamaredon started investing lots of time into testing and applying a variety of techniques to thwart domain-based blocking. More specifically, Gamaredon stopped relying solely on registering dozens of new C&C domains and started leveraging services provided by third parties like Telegram and Cloudflare. #### Victimology Gamaredon mainly focuses on compromising various governmental institutions in Ukraine. However, we have seen two spearphishing campaigns, one in April 2022 and the other in February 2023, targeting several NATO countries, namely Bulgaria, Latvia, Lithuania, and Poland. Between November 1[st], 2022 and December 31[st], 2023, we observed more than a thousand unique machines in Ukraine that were attacked by Gamaredon. The seven-day moving average of daily additions is visualized in Figure 2. Figure 2. Seven-day moving average of unique machines attacked in Ukraine #### Attribution We attribute with high confidence all activities mentioned in this white paper to Gamaredon, based on our ongoing tracking of its actions and our file and network-based detections. Unique obfuscation types used in Gamaredon’s tools, which we have partially documented in the Obfuscation section, and its consistent targeting further support our attribution. Moreover, most of our findings align with _reports published independently by CERT-UA._ ### TECHNICAL ANALYSIS #### Initial access To compromise new targets, Gamaredon relies on three distinct methods of initial access: spearphishing emails, weaponized Word documents, and weaponized USB drives. The group directly conducts spearphishing, while the other methods are more automated and driven by the tools it deploys on previously compromised systems, to move laterally within or outside of a compromised ----- organization. These two methods are described rather briefly in this section, because they are examined in detail in the respective sections covering the tools involved. Spearphishing campaigns A typical Gamaredon spearphishing campaign employs a spearphishing email with a malicious attachment that contains either a LNK or an HTA file that is served to a potential victim. The files from email attachments download the next stage, which is usually a VBScript downloader. No exploits are used, so targets must open the LNK or HTA files to get compromised. Throughout 2022 and early 2023, we saw Gamaredon using various types of archives (RAR, ZIP, 7z, TAR), each delivered as an attachment that contained a directory with a single LNK file. When opened, these LNK files launched the mshta.exe process with a URL as an argument. As shown in Figure 3, the URL points to a remote HTA file. We were not able to obtain these remote HTA files; therefore, we can only speculate that they contained a VBScript downloader as in other cases that we observed subsequently. Figure 3. An example of the target of a LNK file from a Gamaredon spearphishing campaign In early 2023, Gamaredon started using a new tactic in some of its spearphishing campaigns, replacing LNK files with HTA files in attached archives. As shown in Figure 4, this HTA file contained a short VBScript that launched mshta.exe with a URL as an argument to download another HTA file. This second HTA file contained a VBScript downloader – PteroSand – that could deliver additional payloads. ----- Figure 4. An example HTA file from a Gamaredon spearphishing campaign Later, around April 2023, the tactics, techniques, and procedures (TTPs) of Gamaredon’s spearphishing [campaigns changed once again, using HTML smuggling](https://attack.mitre.org/techniques/T1027/006/) to deliver a malicious HTA file via an HTML email attachment. Upon opening, the HTML document displays a dialog for downloading the archive, but the archive is in fact base64 encoded and embedded in the JavaScript code contained in the HTML attachment, so no download is necessary. Figure 5 shows an example of such JavaScript code with an embedded archive. The HTA file from the embedded archive launches mshta.exe, which in turn downloads and executes another HTA file that contains PteroSand. Interestingly, Gamaredon again did not switch instantly to this new tactic, but rather used it simultaneously with the previous one for a short time. Figure 5. An example of the JavaScript code with an embedded base64-encoded archive marked in red ----- Weaponized Word documents Gamaredon also compromises new targets using the victim’s Word documents, weaponized by either _PteroDoc or PteroTemplate. These documents then download a malicious remote template that delivers_ _PteroDash, which can download additional payloads to a newly compromised system._ PteroDoc, when deployed to an already compromised system, weaponizes all Word documents on a system by adding a malicious remote template reference, anticipating these documents may be shared with other potential victims within or even outside of a compromised organization. PteroTemplate weaponizes the default Word template (Normal.dotm) on a compromised system by injecting a malicious VBA macro. This action weaponizes all new and existing documents based on the default template. The injected macro, activated when documents are closed, attaches a reference to a malicious remote template. Then, whenever the weaponized documents are opened, the malicious remote template will be downloaded. Interestingly enough, the act of attaching a new template alters the document. Therefore, despite saving such a document immediately before closing it, for example by pressing Ctrl + S, the Save dialog window will pop up every time and the document needs to be saved again by the victim. Weaponized USB drives The last method used by Gamaredon involves USB drives, weaponizing all drives connected to a compromised system with VBScript or PowerShell versions of PteroLNK. Both tools, when deployed on a system, repeatedly attempt to detect connected USB drives, in order to drop LNK files and in some cases also a copy of PteroLNK onto them. LNK files are created with conspicuous filenames in English and Ukrainian (e.g., pornography, Login_Password, мoбілізaція (translation: mobilization), записи_розмов (translation: conversation_records)), probably to entice potential victims into opening them. Clicking on a LNK file can, depending on the particular PteroLNK version that created it, either directly retrieve the next stage from a C&C server, or execute a PteroLNK copy to download additional payloads. As in the case of weaponized documents, the goal is to facilitate lateral movement within or outside of a compromised organization through victims sharing these weaponized USB drives. #### Toolset Gamaredon uses numerous tools, which we have broken down into the following categories: downloaders, droppers, weaponizers, stealers, backdoors, and ad hoc tools. In Table 1, we summarize all tools contained in this section and provide basic information for each of them. Note that we deliberately omitted all dedicated downloaders, since we did not assign particular names to them, and they are used by Gamaredon only for deploying specific tools already present in the table. Table 1. Summary of tools used by Gamaredon Tool Category Written in Description PteroPSLoad Downloader PowerShell Downloads various payloads. PteroX Downloader VBScript Downloads various payloads. PteroSand Downloader VBScript Downloads various payloads. ----- Tool Category Written in Description PteroDash Downloader VBScript Downloads various payloads. PteroRisk Downloader VBScript Downloads various payloads. PteroCDrop Dropper C Drops various VBScript payloads. VBScript PteroLNK Weaponizer Weaponizes connected USB drives. PowerShell PteroDoc Weaponizer VBScript Weaponizes Word documents. PteroTemplate Weaponizer VBScript Weaponizes Word templates. PteroDig Weaponizer PowerShell Weaponizes LNK files. PteroPSDoor Stealer PowerShell Exfiltrates specific files from the file system. PteroVDoor Stealer VBScript Exfiltrates specific files from the file system. PteroScreen Stealer PowerShell Captures and exfiltrates screenshots. PteroSteal Stealer PowerShell Exfiltrates credentials stored by browsers. PteroCookie Stealer PowerShell Exfiltrates cookies stored by browsers. PteroSig Stealer PowerShell Exfiltrates data stored by the Signal application. PteroGram Stealer PowerShell Exfiltrates data stored by the Telegram application. PteroBleed Stealer PowerShell Exfiltrates data stored by specific web applications. PteroScout Stealer PowerShell Exfiltrates various system information. PteroPShell Backdoor PowerShell Serves as a remote shell. PteroSocks Ad hoc PowerShell Serves as a reverse SOCKS proxy. PteroClone Ad hoc PowerShell Delivers payloads using the rclone utility. PteroPowder Ad hoc C Downloads additional payloads. ReVBShell Ad hoc VBScript Serves as a remote shell. ----- Downloaders Based on our observations, Gamaredon’s downloaders fall into two categories: general-purpose and dedicated. Typically, a general-purpose downloader fetches a dedicated downloader, which then delivers the final payload. However, exceptions exist where a general-purpose downloader delivers another general-purpose downloader or deploys a final payload directly. Although the procedure can vary over time, the simplified scheme illustrated in Figure 6 is accurate in most cases. Figure 6. A simplified download scheme ----- _General-purpose downloaders_ We recognize eight types of general-purpose downloaders: five standalone and three built-in. Standalone downloaders primarily deliver payloads, whereas built-in downloaders have other primary capabilities but can also deliver payloads. PteroPSLoad PteroPSLoad is a downloader written in PowerShell that we discovered in October 2021. After it is deployed, it remains persistent on compromised systems and can deliver various payloads. We’ve identified 11 versions, distinguished by their unique URI for fetching payloads from their C&C servers. The main goal of all versions is just to deploy other payloads and, in some cases, set up its own persistence, which at the same time serves as its update procedure. The versions of PteroPSLoad differ in persistence mechanisms they leverage and in the ways of obtaining IP addresses of the C&C servers, but there is one thing they all have in common – the way that they handle responses from their C&C servers. Each can receive and parse at least two out of three payload types: a URL to an encrypted PE file, a PowerShell command, and an encrypted VBScript file. The downloader decides how to process the payload based on the contents of a response retrieved from the C&C server. Payload parsing has evolved over time, so it may vary slightly for particular versions but it typically follows this pattern: - If the response starts with http, PteroPSLoad fetches and decrypts an encrypted PE file from the URL, dropping it to %TEMP% with a random filename and .exe extension, and launches it. - If the response body starts with the ! character, a PowerShell command follows this character, which PteroPSLoad executes via Invoke-Expression. - If neither clue is present, the payload is treated as a custom-encrypted VBScript, decrypted by PteroPSLoad and executed within a PowerShell process using an instance of the ``` MSScriptControl.ScriptControl.1 COM object. ``` Both the PE file and the VBScript are encrypted with an XOR cipher, with the system drive’s volume serial number as the XOR key. This number is uploaded to the C&C server in the HTTP POST request issued in order to receive the payload. Table 2 summarizes the payload each PteroPSLoad version can download, including the built-in general-purpose downloaders described later in the Built-in _downloaders section, because they handle downloaded payloads identically to PteroPSLoad._ Table 2. Types of payloads that various versions of PteroPSLoad and built-in downloaders can receive URL leading to a PE file PowerShell command Encrypted VBScript PteroPSLoad ps.php ``` 224B18E531E511CEA2849D9A3B9CF5AD502AFECC ``` PteroPSLoad pst.php ``` 6D694B73A2C497F16EB9B5CCA883658397FFBEDF ``` PteroPSLoad put.php ``` B08305C557692619B9D0EAF5B58A8B91858CF4D5 ``` PteroPSLoad past.php ``` 28F4F0367C2BB0574C8A7D1B9C3E71E6AC678300 ``` ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ----- URL leading to a PE file PowerShell command Encrypted VBScript PteroPSLoad time.php ``` 13BA279D8602FEE7CEDE152B6A9148CD9D2F6662 ``` PteroPSLoad slot.php ``` B99D4724077B0A2CBEEE38332C05F3D4171C9DCC ``` PteroPSLoad index.php ``` 025E3D88C53FC12D5A4AAB726E696F2815BAC84D ``` PteroPSLoad new.php ``` D5576E578518E474A5DFF654C44AB3EC4A6E4ECF ``` PteroPSLoad post.php ``` E0BD8855159CB708789C4DE183E107C5C117FBA1 ``` PteroPSLoad account.php ``` 4F915541291120AA100123C1C93FA7DE78F46A3F ``` PteroPSLoad power.php ``` 9E30DFFDB88DD3ADFAB4CD5C67A98336C4BF9504 ``` PteroDig ``` 1AEAE7A567C71200BA804801C4CEC227D2B64414 ``` PteroScreen ``` BA2366ED4E83FFC6DEC489C9011FE181CE169A47 ``` PteroLNK ``` 49CF239AB2EBD04CAFDCEC07FBB0C1C1A43E8C02 ``` ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ The following sections, named after the URIs used in the individual versions, focus on relevant changes made in particular versions of PteroPSLoad, primarily highlighting the evolution of the persistence mechanism and the communication protocol. The sections, except for the last one, are ordered chronologically, with the oldest known version first. The last section is dedicated to a version of PteroPSLoad that is somewhat special, because in the past it was used for a slightly different purpose than the rest. The first seven versions (ps.php, pst.php, put.php, past.php, time.php, slot.php, and index.php) exhibit similar behavior with some differences and changes in each version. These versions resolve the C&C IP address, ensure the persistence of the downloaded update, and periodically poll the C&C server for payloads. Changes in these versions mostly pertain to the persistence mechanism, the way of obtaining the C&C IP address, and the frequency of connections to the C&C server. The subsequent three versions (new.php, post.php, and account.php) and the special version (power.php) contain major changes and their behavior is fully described in their respective sections. Note that in some sections, we briefly describe modifications of the communication protocol, but we provide more details on this matter in one place, in the Network infrastructure section. ----- Firstly, PteroPSLoad resolves the C&C server’s IP address from the hardcoded domain by querying the default system DNS. Secondly, it uses that IP address to send an HTTP GET request with the /get.php URI to its C&C server to fetch its updated version. Thirdly, it ensures the persistence of the downloaded update by creating an HKCU Run value that will execute it upon every system start, serving as both an update and persistence mechanism. Finally, PteroPSLoad enters an infinite loop, in which it regularly – approximately every five minutes – polls its C&C server to see whether there is a new payload to receive, parse, and execute. Each HTTP POST request includes the compromised system’s computer name and volume serial number for improved victim identification. ##### new.php The PteroPSLoad persistence mechanism was significantly reworked in this version. To be stealthier, PteroPSLoad attempts to hide itself in the registry. First, it stores the orchestrator – a short PowerShell script that loads other parts of PteroPSLoad – in the environment variable Include. Second, it stores the relevant parts of the downloader script in the registry values: ip, update, Decoder, serialNumber, ``` save, http, responces [sic], Collection, and execute; under HKCU\Printers. Finally, to achieve ``` persistence, it adds an UpdateService entry under ``` HKCU\Software\Microsoft\Windows\CurrentVersion\Run, which contains a short PowerShell ``` command that reads the environment variable Include and executes its contents via Invoke``` Expression. Upon execution, the orchestrator reads the parts of the PteroPSLoad script from the ``` aforementioned registry values and executes them. Strangely, PteroPSLoad only installs itself, but does not start running immediately; previous versions do so. In fact, this action was moved to its dedicated downloader, which, after the installation, reads the orchestrator from the Include environment variable and executes it via Invoke-Expression. We saw these combinations for obtaining the C&C IP address: - A Telegram channel as a primary option and a hardcoded domain as a fallback. - A post published on the Telegram publishing platform telegra.ph as a primary option, a Telegram channel as a secondary option, and a hardcoded domain as a fallback. - A post published on telegra.ph as a primary option and a Telegram channel as a fallback. In this version, an added feature stores the IP address in a file in %TEMP% once successfully obtained, used as the primary communication method with the C&C server. This may maintain system access if all IP address-obtaining methods are blocked on restart. For instance, when the system is restarted and simultaneously all methods of obtaining the C&C IP address have been blocked, PteroPSLoad is still able to communicate with its C&C server and update itself. Unlike the previous two versions of PteroPSLoad, this one does not include the full path to the current working directory in the data exfiltrated to its C&C server, but uploads the contents of the ``` PROCESSOR_IDENTIFIER environment variable along with the computer name and volume serial ``` number. This version can receive all three payload types: a URL leading to an encrypted PE file, a PowerShell command, or an encrypted VBScript file. ##### post.php In all previous versions before this one, which we first saw on August 4[th], 2023, almost all variables were not obfuscated and had genuine names; now all the names of variables present in the script are randomly generated for each instance of PteroPSLoad. The persistence mechanism is similar to the previous version, with two changes: the orchestrator is now stored in the registry value under the HKCU Run key, and other relevant parts of the downloader script remain under HKCU\Printers, but their names are randomly generated. ----- Surprisingly, the update mechanism was completely removed from this version of PteroPSLoad. Regarding the communication protocol, two significant changes were made. The first one is that a new method of obtaining the IP address of the C&C server was added. PteroPSLoad now leverages a DNS over-HTTPS (DoH) service provided by Cloudflare. To get the IP address, it sends an HTTP GET request to https://cloudflare-dns.com/dns-query?name= with the Accept HTTP header set to ``` application/dns-json, where is the C&C domain that is hardcoded in the sample. ``` So, this version of PteroPSLoad sequentially attempts to obtain its C&C IP address via three separate third-party services: - a Telegram channel, - the Telegram publishing platform telegra.ph, and - the Cloudflare DoH service. If all of these attempts fail, as a fallback, it resolves the IP address from the hardcoded C&C domain by querying the default system DNS. The other significant change in network communication is that on systems where the major OS version is greater than 8 – currently Windows 10 and 11 – PteroPSLoad leverages the built-in and well-known [utility curl](https://curl.se/) for sending HTTP requests when attempting to obtain the C&C IP address via the aforementioned three services. Making outbound connections from curl.exe may appear less suspicious than making them directly from PowerShell. Upon successful IP address retrieval, it’s stored in a randomly named file in %LOCALAPPDATA%\Logic\, not %TEMP%. Like the previous version, it exfiltrates the computer name, volume serial number, and the contents of the PROCESSOR_IDENTIFIER environment variable, accepting all three payload types: a URL leading to an encrypted PE file, a PowerShell command, or an encrypted VBScript file. While this version was being used actively, we discovered a few instances that downloaded the latest [release of Cloudflare Tunnel client from a GitHub repository and stored it as](https://github.com/cloudflare/cloudflared) ``` %LOCALAPPDATA%\Logic\cloudflared.exe. It is a legitimate command line application used for ``` proxying network traffic via the Cloudflare network from the internet to an arbitrary destination. The intended use is to run this utility in a private network to expose a server (without a publicly routable IP address) to the Internet. However, Gamaredon uses it to create a tunnel to its C&C server from the same computer as the instance of PteroPSLoad itself is running. To create the tunnel, PteroPSLoad runs the tool with the command line option --url ``` http://:80. PteroPSLoad attempts to obtain from Telegram or to resolve ``` it via Cloudflare’s DoH – for Windows versions prior to v.10, this is done directly via HTTP requests originating from powershell.exe; for Windows 10 and 11, curl.exe is used instead. If that fails, an attempt is made to resolve the IP address from the hardcoded domain. Then cloudflared.exe establishes a connection to the Cloudflare network and generates a domain in the format ``` .trycloudflare.com, where is randomly generated. This domain is used by ``` PteroPSLoad to reach its C&C server. When PteroPSLoad connects to this domain, cloudflared.exe is notified by the Cloudflare network to relay the request to the target server from the previous command line argument and, upon receiving the response, cloudflared.exe sends it back to the Cloudflare network, which subsequently forwards it to PteroPSLoad. Notably, Gamaredon only uses the free tier of this service. As a result of using the tunnel, the network connection to the C&C server is not conducted directly by ``` powershell.exe and the HTTP request sent by cloudflared.exe to the C&C server does not contain ``` the destination IP address in the Host HTTP header. Therefore, by using this technique, Gamaredon might be able to evade some detection/blocking mechanisms. ----- This whole functionality was later removed from PteroPSLoad. ##### account.php This version, in comparison to the previous one, contains two notable changes. The first in the persistence mechanism used, and the second in the way that it communicates with its C&C server. Persistence is ensured by dropping a small PowerShell loader with a randomly generated filename to ``` %ALLUSERSPROFILE% and scheduling it to run every three minutes. The relevant parts of the downloader ``` script are randomly named registry values under HKCU\Printers. Upon execution, the loader reads and executes the function from one of the registry values, which in turn reads and executes other code parts from the corresponding registry values. In this version – unlike a few previous samples where Gamaredon tested the Cloudflare Tunnel client – [PteroPSLoad attempts to reach its C&C server via the ngrok tunnel, established by the ngrok utility on a](https://ngrok.com/product/secure-tunnels) Gamaredon-controlled computer. As in the Cloudflare case, Gamaredon uses just the free tier of the service provided by ngrok. First, PteroPSLoad tries to obtain the ngrok utility-generated domain posted on telegra.ph using ``` curl.exe on Windows 10 and 11. If this attempt is unsuccessful, it tries to utilize nslookup.exe to query ``` Google’s 8.8.8.8 DNS server for a DNS TXT record of the hardcoded C&C domain, which contains the ngrok-generated domain. If PteroPSLoad succeeds in getting the ngrok domain, it uses this domain to communicate with the C&C server via the ngrok tunnel. As a fallback, if the two previous attempts fail, it resolves the IP address from the hardcoded C&C domain by querying the default system DNS for an A record and uses the IP address to communicate directly with the C&C server. The obtained C&C IP address is stored in a randomly named file in ``` %LOCALAPPDATA%\Microsoft\Windows\Caches\. ``` Like the previous version, it exfiltrates the computer name, volume serial number, and the ``` PROCESSOR_IDENTIFIER environment variable contents, and can accept all three payload types: a URL ``` leading to an encrypted PE file, a PowerShell command, or an encrypted VBScript file. ##### power.php This PteroPSLoad version, unique for being downloaded and deployed only by the first known PowerShell version of PteroLNK, is simplified and doesn’t use any persistence or update mechanism due to PteroLNK’s ability to fetch and deploy a fresh PteroPSLoad instance when needed. Because PteroLNK lacked integrated download functionality, it relied on a standalone downloader to deliver payloads. Notably, it doesn’t contain a C&C server; the C&C IP address is provided by PteroLNK before execution by replacing a placeholder with the IP address from which PteroPSLoad was downloaded. It exfiltrates the computer name, volume serial number, and %OS% environment variable contents, accepting two payload types: a PowerShell command, or an encrypted VBScript file. PteroX PteroX (SHA-1: DF1C0A70E7A02B839AB3AAC3FC410E61EEFB58EB) is written in VBScript and consists of two components that are wrapped in the original VBScript sample – a scheduler and a downloader. The scheduler executes first, base64 decodes the downloader, and drops it into %USERPROFILE% or a new directory within it. It then schedules the downloader to run every few minutes, and finally runs the dropped downloader script. The downloader sends an HTTP POST request with the volume serial number of the system drive and the computer name to the C&C server, receiving an encrypted payload saved as a .txt file in the ``` %APPDATA% or %PUBLIC% directory. ``` ----- The payload, a PE file XOR encrypted with a system-specific key (the volume serial number previously sent to the C&C server), is decrypted and dropped into the same directory with a .exe extension. The payload is not executed right after it has been downloaded, but by the downloader on its next run before attempting to download another payload. The payload is not made persistent; it is just executed once and then deleted by the downloader. Basically, the downloader executes a previously downloaded PE file and fetches a new one from its C&C server. The persistence of PteroX is ensured by its scheduler component, which creates a scheduled task that executes the dropped downloader component every ten minutes. PteroX itself can be deployed by other general-purpose or built-in downloaders as a VBScript payload. It usually downloads PteroCDrop or some VBScript tools packed in SFX archives – most of the time it is _PteroRisk._ PteroSand PteroSand (SHA-1: 2B9B0AD0B65BB6101704684CD339E946FAE2DCFA) is written in VBScript and is one of the general-purpose downloaders that are deployed first after an initial compromise. Its code is quite short and not very complex. Upon execution, it sends an HTTP request to its C&C server using the ``` msxml2.xmlhttp COM object, with the computer name and system drive volume serial number in the User-Agent HTTP header. As a response, it receives a base64-encoded blob with random && (double ``` ampersand) tokens, which it discards, and decodes the blob to get a VBScript payload. This payload is executed in memory without being stored on the compromised system. Interestingly, some samples download and execute only one payload before terminating, while others continue in an infinite loop, potentially delivering an unlimited number of payloads. PteroSand can be used by two distinct initial access vectors or deployed by other general-purpose or built-in downloaders on already compromised systems. When used by initial access vectors, it is the first general-purpose downloader that is deployed onto newly compromised systems. The VBScript version of PteroLNK uses it as a downloader component and it is also downloaded by LNK or HTA files from spearphishing emails. Persistence behavior in PteroSand varies among samples. While most samples use some persistence mechanism, a few don’t. The type of persistence depends on PteroSand’s delivery method. Samples dropped by the VBScript version of PteroLNK are persisted by the scheduler component, which adds an entry to the HKCU Run key and creates a scheduled task with a five-minute interval. Samples downloaded by LNK and HTA files from spearphishing emails are persisted by adding an entry to the HKCU Run key. Samples deployed by other general-purpose or built-in downloaders are persisted by adding an entry to the HKCU Run key or by adding a command line to ``` HKCU\Environment\UserInitMprLogonScript. ``` PteroDash PteroDash (SHA-1: FEA57A486EB4BDAC5E7D59C9958C42293A5ABE12) is written in VBScript and is very similar to PteroSand. Upon execution, it issues an HTTP request to its C&C server using an instance of the msxml2.xmlhttp COM object, including the computer name and system drive volume serial number in the User-Agent header. As a response, it receives a base64-encoded blob with random -- (double hyphen) tokens, which it discards, decodes the blob for a VBScript payload, and executes it in memory without storing it on the compromised system. All samples we observed downloaded and executed only one payload per run. PteroDash is usually deployed as an initial general-purpose downloader. It is dropped by the VBA ``` document_close event procedure, which can be embedded in: ``` - a remote template that has been downloaded by a Word document weaponized by PteroDoc, ----- - a remote template that has been downloaded by a Word document weaponized by PteroTemplate, and - a default Word template (Normal.dotm) weaponized by PteroTemplate. The process of weaponizing Word documents and templates is described in detail in the respective sections of the PteroDoc and PteroTemplate sections. Note that the downloader is only dropped when the documents are closed, which triggers the document_close event procedure. PteroDash is not made persistent when dropped and can only be downloaded or dropped again by the weaponized objects. PteroRisk PteroRisk (SHA-1: A93503BBB613F084ADD338B9FA2EEE466BF3A2D6) is written in VBScript and is very similar to both PteroSand and PteroDash. Upon execution, it issues an HTTP request to its C&C server using an instance of the WinHttp.WinHttpRequest.5.1 COM object, with the computer name and system drive volume serial number in the User-Agent HTTP header. As a response, it receives a base64 encoded blob with random ** (double asterisk) tokens, which it discards, decodes the blob for a VBScript payload, and executes it in memory without storing it on the compromised system. All samples we observed could download and execute an unlimited number of payloads per run. PteroRisk, unlike PteroSand or PteroDash, is not an initial general-purpose downloader. It lacks persistence mechanisms, requiring re-download upon system reboot or process termination. It’s usually deployed on systems already compromised, either as a VBScript payload delivered by other downloaders, or downloaded by PteroX in an SFX archive. The SFX archive drops and executes PteroRisk as a VBScript, then uses the SelfDelete feature to remove itself from the system. Built-in downloaders There are three tools that belong to other categories, because their primary functionality is something other than delivering payloads, but they contain functionality that basically acts as a general-purpose downloader and can fetch various payloads in the form of a VBScript. The names of these tools are: _PteroDig, PteroScreen, and PteroLNK PowerShell version. All of them are described in detail later in this_ report. Payloads they obtain are encrypted with an XOR cipher using the volume serial number of the system drive as the key. Upon decryption, they execute the payload using an instance of the ``` MSScriptControl.ScriptControl.1 COM object with the Language property set to VBScript. ``` Moreover, built-in downloaders of PteroScreen and the PowerShell version of PteroLNK can also receive a PowerShell command preceded by the ! character. This leading character is removed and the rest of the response is executed via Invoke-Expression. The summary of possible payloads receivable by built-in downloaders was shown in Table 2, above. _Dedicated downloaders_ Gamaredon’s dedicated downloaders, which can be VBScripts or PowerShell scripts in VBScript wrappers, are simple scripts primarily focused on deploying the same payload, which is transferred in cleartext. While they sometimes establish persistence for the downloaded payload, they usually lack persistence mechanisms themselves. Each downloader is tied to one or more URIs for payload download. Despite their similarities, these downloaders can be differentiated by their associated URL patterns, which we list in Table 3. ----- Table 3. URL patterns associated with dedicated downloaders Associated URL patterns ``` http:///cmd ``` Downloader of PteroPShell ``` http:///scripts/cmd.txt http:///test/cmd.txt ``` ``` http:///scripts/web.txt ``` Downloader of PteroBleed ``` http:///test/web.txt ``` Downloader of PteroClone `http:///test/copy.txt` ``` http:///cookies ``` Downloader of PteroCookie ``` http:///scripts/cookies.txt http:///admin/cookies.txt http:///test/cookies.txt ``` ``` http:///drive.php ``` Downloader of PteroDig ``` http:///admin/drive.php http:///scripts/tlg.txt ``` Downloader of PteroGram Downloader of the VBScript version of PteroLNK Downloader of the PowerShell version of PteroLNK Downloader of PteroPSLoad ``` http:///admin/tlg.txt http:///test/tlg.txt http:///.html http://///index.html http:///lnk.php http:///auth.php https:///admin/auth.php http:///get.php https:///login.php https:///admin/login.php ``` Downloader of PteroScout `https:///getinfo.php` ``` http:///index.php ``` Downloader of PteroScreen ``` http:///init.php http:///last.php ``` ``` http:///scripts/sgn.txt ``` Downloader of PteroSig ``` http:///test/sgn.txt ``` Downloader of PteroSocks `http:///scripts/proxy.txt` ----- Downloader of PteroSteal Downloader of PteroPSDoor variant 1 Associated URL patterns ``` http:///pass http:///password http:///scripts/password.txt http:///admin/password.txt http:///test/password.txt http:///log/password.txt http:///index/password.txt http:///files/password.txt http:///local/password.txt http:///js/password.txt http:///phpmyadmin/password.txt http:///core/password.txt http:///fun/password.txt ``` We identified four versions of the downloader. The first two, differing only in the URIs they use (/ua and /cisco/lab, respectively) to download PteroPSDoor variant 1, are simple VBScript wrappers that execute a short PowerShell command line that just downloads PteroPSDoor variant 1 from the hardcoded C&C IP address, then executes it via Invoke-Expression. The third version uses the /info URI, also using a VBScript wrapper, but with a more complex PowerShell command. This command downloads a payload from the hardcoded C&C IP address, splits it by the # character, and stores the parts under HKCU\Software\FedFox in values named FedFox where is a counter initialized to 0 and increased by one for each part. It then creates a PowerShell loader wrapped in VBScript, drops it to %APPDATA%\Dir with a random filename, and executes it. This loader reads and concatenates all parts of the payload, then executes it via Invoke-Expression. A registry value, BoxerProtocol, is added under ``` HKCU\Software\Microsoft\Windows\CurrentVersion\Run to execute the loader after each system ``` reboot. Finally, it executes the downloaded payload via Invoke-Expression. The fourth version (SHA-1: 0FA9303ED739A3C6A76CEF4517B9ADB60C73CA80) uses the URI /contact and differs in its persistence mechanism for the downloaded payload. After downloading and splitting the payload by the # character, it stores its parts to files .txt in %APPDATA%\ where is a counter that starts at 0 and is increased by one for each part, as in the previous version; ``` can be one of the names BakerStreet, BobsCave, MIUIlauncher, or Dock; and ``` can be one of the names Modem, hotel, XiaomiOS, or Sonoma. Persistence is achieved by creating a PowerShell loader wrapped in VBScript in the Startup directory with a randomly generated .vbs filename, rather than using the HKCU Run key. The initial instances of the fourth version resembled the previous one – a complex PowerShell command line embedded as cleartext in a VBScript wrapper. Subsequent instances saw the PowerShell command base64 encoded but still wrapped in VBScript. Gamaredon later revamped the command line into a proper script with defined functions and added obfuscation, replacing all function and variable names with random ones, adding random characters in string variables, and randomizing function order. This obfuscated, base64-encoded PowerShell script remained wrapped in VBScript. As of October 2023, this fourth version of the downloader was still being used for delivering PteroPSDoor variant 1 with the version number 7208. ----- Downloader of PteroPSDoor variant 2 We know about two versions of the downloader that deploys PteroPSDoor variant 2. Their functionality is similar, but the older one is a VBScript with an embedded PowerShell command line, while the newer one is a PowerShell script encapsulated in a VBScript. The older version uses the URI /new and comprises two parts. The first part executes a brief PowerShell command that downloads and immediately runs PteroPSDoor variant 2 from the hardcoded C&C IP address via an HTTP POST request. The second part establishes a persistence mechanism. Firstly, it sends a GET request to the same IP address to download a payload. Secondly, it splits this payload into chunks by the # character, and stores them in registry values named part under ``` HKCU\Software\EnterpriseMode, where is a counter that starts at 0 and is increased by one for ``` each part. Thirdly, it drops a brief VBScript to %TMP%\runner.tmp, which runs a PowerShell command that reads, combines, and executes the payload parts from the part registry values. Finally, it adds a registry value runner under HKCU\Software\Microsoft\Windows\CurrentVersion\Run to run ``` runner.tmp after each system restart. ``` The second version (SHA-1: A3C21F9A493A05F9428E8F5FE5AF7F0C2BF67F95) uses the URI /update, and despite similar functionality to the previous version, it’s written entirely in PowerShell within a simple VBScript wrapper. Firstly, it downloads PteroPSDoor variant 2 from the hardcoded C&C IP address via an HTTP POST request. Secondly, it splits the payload into chunks, delimited by the # character, and stores them under HKCU\Software\NetwrixKey as NetwrixParam, where is a counter that starts from 0 and is increased by one for each chunk. Thirdly, it drops a short VBScript wrapper to ``` %APPDATA%\Nitro\, which executes a PowerShell command reading, concatenating, ``` and executing payload parts via Invoke-Expression from NetwrixParam registry values. Fourthly, it adds a registry value Windows Sort Updater under ``` HKCU\Software\Microsoft\Windows\CurrentVersion\Run to execute the dropped VBScript wrapper ``` post-reboot. Lastly, after ensuring persistence, it executes the downloaded PteroPSDoor. Downloader of PteroVDoor PteroVDoor used to be deployed by a three-stage download chain, with the first two stages being downloaders and the third stage being PteroVDoor itself, all written in VBScript. The first stage (SHA-1: 9B6EF236D9DC758336F1D89268822F8611C8B973) downloads the next stage from the hardcoded C&C IP address while using the /drop URI. It stores the next stage in %TEMP% with a filename hardcoded in the first stage. In fact, the filename is a slightly obfuscated C&C domain for the second stage. Subsequently, the first stage executes the second stage and also creates the entry named ``` example under HKCU\Software\Microsoft\Windows\CurrentVersion\Run to execute the downloaded ``` script after each system reboot. Interestingly, the entire functionality of the first-stage downloader was later integrated into PteroVDoor. The second stage, when it is executed, parses the C&C domain from its own filename by removing all underscore characters and by replacing the file extension with .ru. Then it prepends www., resolves the IP address for the constructed domain, and downloads the third stage – PteroVDoor, which it executes in memory. There are two versions of this second stage. The older version (SHA-1: ``` 04F1ED3050D6B2527D6196DFF5845B10510D0C2F) uses the URI /visual and has mild obfuscation with ``` extra unused code. The newer version (SHA-1: CB9712BED15723973171192DA17946BF6778D98D) uses the URI /info and is fully obfuscated, with randomly named functions and variables, obfuscated string variables with additional random characters removed before use, and randomly ordered functions. In September 2023, when PteroVDoor version 6005 was first deployed, Gamaredon stopped using these two stages for delivering this version of PteroVDoor. Instead, it introduced a simple dedicated ----- downloader using the URI /info, which downloads and executes PteroVDoor in memory. However, this was short-lived, seen only in a few instances and likely discontinued within days. Subsequently, Gamaredon began deploying PteroVDoor version 6005 directly via general-purpose downloaders, eliminating the need for a dedicated downloader. Droppers _PteroCDrop_ PteroCDrop (SHA-1: 82123C17117EF235F3B57D0C5572C861E3ED7173) has been in use since at least February 2021. It is a dropper, written in C, that can deliver various VBScript payloads. PteroCDrop has an overlay carrying a starter script template, a VBScript payload, and other data to complete variable parts of the template. The overlay is encrypted with a basic cipher, where each byte is XORed with the previous one. An example of the decrypted overlay is shown in Figure 7. Individual parts of the overlay are enclosed in the colored frames: - red frame – the template of the starter script, - green frame – the variable parts of the template (command line, environment variable, filenames), and - yellow frame – the VBScript payload, namely the VBScript version of PteroLNK. Figure 7. An example of the decrypted overlay PteroCDrop operates straightforwardly. It first creates the starter script from the embedded template by inserting appropriate paths. It then drops the starter script and VBScript payload to the disk and executes the starter script using the Windows API CreateProcess. The script launches the VBScript ----- payload, pauses for a few seconds, and deletes all three files: the dropper, itself, and the VBScript payload. Throughout PteroCDrop’s lifetime, Gamaredon has used various compilers to build it and in some of the samples this PDB path was left: ``` E:\Projects\sfx\Extractor10\281021\Debug\090721.pdb ``` Overall, the most prevalent payload delivered by PteroCDrop is a VBScript version of PteroLNK. During 2023, we only saw one other payload, PteroX. Weaponizers The tools that belong to this category can either alter properties of existing files on a file system or create new files on connected USB drives in order to achieve: - lateral movement within or outside a compromised organization (PteroLNK, PteroDoc, PteroTemplate), or - persistence on a compromised system (PteroTemplate, PteroDig). _PteroLNK VBScript version_ PteroLNK, in use since at least November 2020, weaponizes connected USB drives by placing LNK files onto them, primarily for lateral movement. There are two variants of this VBScript tool. The first variant, active from November 2020 to October 2021, scans a compromised system for available USB drives and drops LNK files on them. Clicking on a dropped LNK file launches the ``` mshta.exe process, which downloads and runs an HTA payload. ``` The second variant of PteroLNK (SHA-1: 7793282401B134077E70217B55B0C4B45850D119), which we discovered in October 2021, weaponizes all connected USB drives by replicating itself as a hidden file to all root subdirectories, and creates LNK files, which execute a copy of PteroLNK when clicked on. PteroLNK includes three embedded VBScript components: a scheduler, a LNK dropper, and a downloader. The scheduler is a code block embedded as a string variable in the original PteroLNK script, with several characters replaced with random sequences. Upon deobfuscation, it runs within the original PteroLNK script. The LNK dropper and the downloader are two separate base64-encoded blobs, dropped to disk in decoded form by the scheduler. The scheduler component copies the original PteroLNK script to %USERPROFILE% with a frequently changing, hardcoded filename, recently seen as ~.ini. It drops the downloader script and the LNK dropper to a directory in %USERPROFILE%, also with a frequently changing, hardcoded location. It then executes both scripts, schedules them to run every five minutes, and adds two entries under the HKCU ``` Run key for persistence. No persistence mechanism is set for the original PteroLNK script; it’s copied to ``` a specific location for use by the LNK dropper in weaponizing USB drives, as discussed in the following paragraph. The LNK dropper component weaponizes all connected USB drives by copying the original PteroLNK script to all directories in the drive’s root and creating LNK files that trigger the script upon clicking. To tempt potential victims into clicking on the LNK files, they have so-called double extensions (.docx.lnk or .rtf.lnk), and very conspicuous filenames in English or Ukrainian, like pornography or мoбілізaція (translation: mobilization). To find all connected USB drives it uses the WMI query select * from ``` win32_logicaldisk where mediatype=null. The LNK dropper runs repeatedly via a scheduled task to ``` weaponize new USB drives on compromised systems. As a downloader, PteroLNK utilizes PteroSand, discussed in the downloaders section. Once PteroLNK compromises a system, the downloader is repeatedly executed via a scheduled task to deliver extra payloads. ----- PteroLNK is obfuscated in multiple layers, detailed in the Obfuscation section. The obfuscation applied to the scheduler component, where selected characters are replaced with random sequences, is also used on code blocks embedded as base64-encoded blobs. Nearly all string variables and small code blocks are divided into smaller parts and then concatenated before use or execution. Additionally, function and variable names are randomized in all PteroLNK components and in the original PteroLNK script. _PteroLNK PowerShell version_ The PowerShell version of PteroLNK, which we discovered in May 2022, weaponizes connected USB drives by dropping LNK files onto them for lateral movement. There are four easily distinguishable variants of this tool, identified by the URI used to construct the URL for contacting their C&C servers. The URIs of the four variants we have observed, listed in chronological order, are: - `/sleep.php (SHA-1: E537DEAF3A77C5C0F0B9F8A12FF5995DD24CD259),` - `/log.php (SHA-1: 801A9B08987977692223B7105DEC8B21B9D9749E),` - `/search.php (SHA-1: 44C720AE508F448263A83CAC26775D6709DFBBDD), and` - `/link.php (SHA-1: 49CF239AB2EBD04CAFDCEC07FBB0C1C1A43E8C02),` These are referred to as v1–v4, respectively, in the following paragraphs. Each PteroLNK variant shares the common behavior of running in an infinite loop, weaponizing connected USB drives by copying itself as a hidden file to all root subdirectories, and creating LNK files that execute the copy when clicked. Oddly, if a drive’s used space exceeds 50 kB, PteroLNK also creates a LNK file in the root directory, otherwise only in subdirectories. The newly created LNK files have noticeable filenames, similar to the PteroLNK VBScript version. For [each LNK file, PteroLNK randomly selects an icon ID from the following list: 3, 4, 116, 126, 127, 205, 266,](https://superuser.com/questions/1406594/is-there-a-reference-for-the-full-list-of-windows-10-shell-icon-numbers) ``` 325, 314, and 313; using it as a reference to an icon located in shell32.dll. PteroLNK doesn’t check ``` whether a USB drive is already weaponized, allowing it to repeatedly weaponize a drive by dropping multiple LNK files. For persistence, a short PowerShell script is added under the HKCU Run key that, upon its own execution after a system reboot, executes a copy of PteroLNK that can be stored in: - a file under %USERPROFILE% (v1), or - the registry values ip, knoc, prepare, run, save, search, SetLnk, executer, result_code, or ``` update under HKCU\System, split into parts (v2–v4). ``` The changes in persistence of v2–v4 slightly affect how USB drives are weaponized, as PteroLNK cannot simply copy itself as a file to discovered USB drives. As a solution, PteroLNK uses a script template filled with code parts from registry values and adds it to all root subdirectories of a drive. For payload delivery, v1 downloads and immediately executes PteroPSLoad (the version with the URI ``` /power.php) as an intermediate stage, which can receive either a PowerShell command or a VBScript ``` payload. Other variants have this download functionality integrated and can directly receive these two types of payloads. _PteroDoc_ PteroDoc (SHA-1: B2B58CEF19546B2D2284B2EB5F22B6D8FDB94D4E), in use since at least February 2021, is a VBScript tool that weaponizes Microsoft Word documents by inserting a reference to a malicious remote template. Once a Word document is weaponized, it remains so even when it is transferred to other computers; hence, PteroDoc is used by Gamaredon with the intention of spreading it to other systems. The tactic of weaponizing all Word documents increases the chances of spreading, as these documents might be shared within or outside a compromised organization. ----- First, PteroDoc enables programmatic access to VBA projects and enables all Word macros by setting the following registry values to 1: - `HKCU\Software\Microsoft\Office\\Word\Security\AccessVBOM` - `HKCU\Software\Microsoft\Office\\Word\Security\VBAWarnings` The is variable and dynamically resolved from the Word.Application VBScript object by PteroDoc during its runtime. Second, it deletes all subkeys under ``` HKCU\Software\Microsoft\Office\\Common\Internet\Server Cache. Third, it ``` searches for.doc and .docx Word documents on Removable, Network, or Fixed drives, to weaponize them by inserting a reference to a malicious remote template hosted on a C&C server. The reference is [added by setting the AttachedTemplate property of the document. Finally, PteroDoc once again deletes](https://learn.microsoft.com/en-us/office/vba/api/word.document.attachedtemplate) all subkeys under the aforementioned registry key. When the weaponized documents are opened, the attached remote templates, containing a malicious VBA document_close event procedure, are fetched. This procedure drops a VBScript downloader to ``` %TEMP% and executes it to deliver additional payloads. So far, we have only seen PteroDash being used ``` as a downloader component of PteroDoc. _PteroTemplate_ PteroTemplate, in use since at least November 2020, is a VBScript tool that weaponizes default Microsoft Word document templates (Normal.dotm) by inserting a malicious VBA macro. During 2022 and 2023 we observed two variants of this tool. The process of weaponizing Normal.dotm, which we describe below, is common to both variants. First, PteroTemplate forcibly terminates all Microsoft Word processes by executing the command taskkill ``` /f /im WINWORD.EXE. Second, it enables programmatic access to VBA projects and enables all Word ``` macros by setting the following registry values to 1: - `HKCU\Software\Microsoft\Office\\Word\Security\AccessVBOM` - `HKCU\Software\Microsoft\Office\\Word\Security\VBAWarnings` where is variable and dynamically resolved by PteroTemplate during its runtime. Third, it deletes the existing Normal.dotm, creates a new one, and inserts a malicious VBA macro. As with _PteroDoc, this template has a malicious document_close event procedure, which Word automatically_ calls upon document closure. Finally, PteroTemplate deletes all subkeys under ``` HKCU\Software\Microsoft\Office\\Common\Internet\Server Cache. ``` The two PteroTemplate variants primarily differ in the actions of the inserted VBA macros. In both cases, the macro is triggered upon closing documents based on the Normal.dotm template. The macros’ differing actions allow one variant to persistently weaponize Word documents, while the other only drops and executes a VBScript downloader. The first variant of PteroTemplate (SHA-1: 16FD6CBA3F13CC5B195CD6C0DD33BBF08CD0FE39) inserts a macro that tries to download a remote template and attach it to an open document. If successful, the document becomes persistently weaponized. When the weaponized document is reopened, even on another machine, the remote template with a different VBA macro is downloaded. This template’s ``` document_close event procedure doesn’t attach a remote template but drops a VBScript downloader, ``` embedded in the VBA macro, to %TEMP% and executes it. This process is shown in Figure 8. ----- Figure 8. Permanently weaponizing Word documents using the first variant of PteroTemplate The second variant of PteroTemplate (SHA-1: 9A6B36E6CAD9156EA6E09DE740D3F1CCB6816F87), which we first observed in May 2023, inserts a document_close event procedure that drops a VBScript downloader to %TEMP% and executes it, similar to the event procedure in the first variant’s downloaded remote template. Basically, this variant skips the step of attaching a remote template to documents and directly deploys a VBScript downloader upon closing a document based on the Normal.dotm template. As a result, this variant does not have the ability to persistently weaponize Word documents and the weaponized template just serves as a persistence method that drops a downloader each time a newly created or existing document, which is based on the weaponized template, is closed. The procedure for this variant is shown in Figure 9. Figure 9. Persistence mechanism resulting from weaponizing Normal.dotm by the second variant of PteroTemplate ----- For both variants, we have only seen PteroDash being used as a downloader component of PteroTemplate. _PteroDig_ PteroDig (SHA-1: 1AEAE7A567C71200BA804801C4CEC227D2B64414), which we discovered in November 2022, is a PowerShell tool that weaponizes selected Desktop LNK files. It drops a basic skeleton of a downloader to %USERPROFILE% and stores relevant parts of the downloader script in the registry values ``` ip, update, key, vol, wc, xor, decod, and run under HKCU\Network. The aforementioned skeleton script ``` just reads and executes these registry values. Then it searches non-recursively for LNK files located in the Desktop directory that point to a file with a .exe file extension and do not pass any command line arguments. It replaces them with new LNK files with the file path ``` C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe as their target and a newly added ``` argument that instructs PowerShell to launch first the original executable file and then also the dropped downloader. When PteroDig is deployed on compromised systems, it just installs itself, weaponizes LNK files, and terminates. It doesn’t use any persistence mechanism for automatic start-up, instead relying solely on user interaction to trigger its download functionality. Unlike other tools in its category, PteroDig’s primary goal isn’t spreading, but adding a persistence layer on compromised machines. While weaponizing objects might seem like spreading behavior, PteroDig can’t spread because it’s improbable for LNK files from one system’s Desktop directory to be copied to other systems, and even if it happens, the weaponized LNK files won’t work as intended without the downloader skeleton script and registry values. Stealers _PteroPSDoor variant 1_ This PteroPSDoor variant is a file stealer written in PowerShell that has been in use since May 2022. Its version number at that time was 7051 (SHA-1: 821362A484908E93F8BA748B600665AE6444303D). The version we analyzed for the purposes of this white paper is from November 2023 and has version number 7208 (SHA-1: BA5F7E2FA9BE1CB3FC7AE113F41C36E4F2C464B6), but not all numbers between these two were used. During these months, its code was modified many times, but the core functionality has remained the same. PteroPSDoor runs in an infinite loop, where it searches for specific types of files to exfiltrate to the C&C server via HTTP POST requests. First, it continually searches for specific file types on connected USB drives to exfiltrate to the C&C server via HTTP POST requests. These files, with extensions such as .rar, .zip, .7z, .jpg, .odt, .docx, ``` .doc, .xlsx, .rtf, .xls, .txt, .jpeg, .pdf, .ps1, and .mdb, are copied to a staging directory – for ``` example, at %LOCALAPPDATA%\vector – for later exfiltration. However, the name and the location of the staging directory were changed many times throughout the existence of PteroPSDoor. Second, it searches for files with the same extensions on all mapped drives, excluding those mapped to letters A, B, and Q. Any located files are immediately exfiltrated to the C&C server. While searching for files, it ignores directories that contain the following substrings in their names: ``` prog, log, windows, appdata, local, roaming. To prevent double exfiltration, PteroPSDoor computes an ``` MD5 hash from a file path, file size, and last write timestamp for each exfiltrated file and stores it in a “custom database”. It is essentially a text file with one MD5 hash per line, but it is referred to as a custom database in Gamaredon’s tools. Before exfiltration or staging, files are checked against this database to ensure that no duplication occurs. Same as for the staging directory, the database’s name and location change frequently; in version 7208 it is located in %APPDATA% and its name is randomly generated by PteroPSDoor. ----- In addition to file stealing, PteroPSDoor has a feature where every file uploaded to the C&C server can trigger a payload response. This payload, either a PE file or VBScript, is parsed, dropped to %TEMP% with a random filename, and executed. To regularly receive payloads, PteroPSDoor creates a file with random content in a dedicated directory before exfiltrating staged files. This ensures it always uploads at least one file, giving the C&C a chance to respond with a payload. For persistence, PteroPSDoor establishes a scheduled task that runs a brief PowerShell script, downloading a new PteroPSDoor script from a hardcoded IP address. From version 7205 onwards, the persistence setup code was shifted from PteroPSDoor to its dedicated downloader. Samples that we classify as PteroPSDoor variant 1 have been deployed in an obfuscated form since its first appearance. Initially, all names of functions and variables in the script were replaced by randomly generated names, while all string variables remained unobfuscated. Later versions added more obfuscation, randomizing function order, applying new obfuscation to all string variables, which were only deobfuscated at runtime. None of these aforementioned obfuscations were applied to PteroPSDoor variant 2, which appeared approximately seven months later. _PteroPSDoor variant 2_ We observed this variant for the first time in December 2022, with the initial sample bearing version number 7070. Overall, variant 2 has basically the same functionality as variant 1, except for two notable differences: - The first two versions of variant 2 that we found lack the ability to parse a payload from a server’s response and execute it. - In all versions of variant 2, the code responsible for setting up persistence is absent and persistence is handled by its dedicated downloader. Moreover, variant 2 has a notable difference that doesn’t impact functionality – all function and variable names are unobfuscated. It is not entirely clear to us why PteroPSDoor variant 2 was even developed and why it was being used simultaneously with variant 1. It’s possible that two distinct teams within the group had access to the same codebase and developed it separately. Interestingly enough, in September 2023, we discovered a PteroPSDoor sample with version number ``` 7112; given the latest known version of variant 2 was 7111 at that time (SHA-1: 742E34BA21650ECB0B7EF33F786641F0BE823BE8), we expected the new sample to be variant 2. ``` However, it had the same obfuscation applied as variant 1 and at the same time the code for setting up the persistence was absent. That left us puzzled. Days later, we found a similar sample with version number 7113. No further samples with version number 7113 or close to it have been found since, suggesting that variant 2’s development ceased and it was merged with variant 1. _PteroVDoor_ PteroVDoor, a VBScript file stealer we first detected in November 2022, has functionality similar to PteroPSDoor with some differences. PteroVDoor samples are split into two strains. The first strain includes all versions from its inception until around mid-September 2023, when version 6005 was deployed. The second strain starts from version 6005, which saw major changes and a functionality more aligned with PteroPSDoor. The first strain is described in the following paragraphs, followed by the changes made in the second strain. The code of PteroVDoor is unobfuscated; all names of functions and variables seem to be genuine (see Figure 10). PteroVDoor searches for files with the following extensions: .rar, .zip, .7z, .jpg, .odt, ``` .docx, .doc, .xlsx, .rtf, .xls, .txt, .jpeg, .pdf, .ps1, and .mdb. It looks on all mapped drives, except ``` the drive mapped to letter A, and immediately exfiltrates matching files to the C&C server via HTTP POST requests. Surprisingly, unlike both PteroPSDoor variants, PteroVDoor lacks a dedicated function for searching USB drives for exfiltration. When it uploads a file to the C&C server, it can only receive a ----- VBScript payload, not a PE file. Even if there’s nothing to exfiltrate, it regularly uploads a test file containing the string This is a test. to receive a payload response. Early versions of PteroVDoor lacked their own persistence mechanism, instead relying on a two-stage downloader. The first stage downloaded the second-stage downloader and added an entry to execute it in the HKCU Run key. The second stage then downloaded and executed PteroVDoor. Eventually, the first-stage downloader’s functionality was integrated into PteroVDoor, eliminating the need for the first stage and leaving only the second stage. In version 6005 (SHA-1: 0FD02B12517221F71A4A3774630C05643EE59988), many changes were introduced. String variables were obfuscated and all function and variable names were replaced with random names, similar to PteroPSDoor. A dedicated function for searching files on USB drives was added. It adopted the same trick as PteroPSDoor – dropping a file to a specific directory for at least one C&C server contact, even if no new files were ready for exfiltration. Unexpectedly, the persistence mechanism was entirely removed from PteroVDoor, now requiring a general-purpose downloader for delivery. Figure 10. Comparison of code snippets from PteroVDoor v. 6004 and v. 6005 In October 2023, Gamaredon simultaneously used at that time the latest versions from both the first and the second strain, 6004 and 6005, respectively. It is important to mention that during our tracking, we observed that notable changes weren’t always present in all new samples. Also, the versioning of PteroVDoor has been very strange since the beginning. Sometimes a lower version number was more recent than the higher one. While this could be a deliberate attempt to confuse researchers, it’s more likely that at least two independent teams within the group access the same codebase but develop tools separately, supporting our earlier hypothesis. ----- _PteroScreen_ First seen by ESET Research in July 2022, PteroScreen (SHA-1: ``` BA2366ED4E83FFC6DEC489C9011FE181CE169A47) is a PowerShell screen-capturing tool that takes ``` screenshots of all screens and temporarily stores the image in %TEMP%\.png. The screenshot is then base64 encoded and uploaded to the C&C server along with the system drive’s volume serial number via an HTTP POST request. A response from the server is parsed by PteroScreen. If the content starts with the ! character, it’s treated as a PowerShell command and executed via ``` Invoke-Expression. Otherwise, the content is treated as an encrypted VBScript payload and it is first ``` decrypted using an XOR operation with the volume serial number of the system drive as the key, and subsequently executed via start-job using the COM object MSScriptControl.ScriptControl.1. PteroScreen only uploads one screenshot and continues running, contacting its C&C server every three minutes to receive a payload. _PteroSteal_ First seen by ESET telemetry in July 2022, PteroSteal (SHA-1: ``` 8A2261D8C8111D2D99276575120B9EA65D0AEAEA) is a PowerShell infostealer that steals credentials ``` stored by Opera, Microsoft Edge, Google Chrome, and Mozilla Firefox. During our tracking, we encountered samples of variants that also steal data stored by two email clients: Microsoft Outlook and The Bat!. Stolen credentials are base64 encoded and, along with the computer name, sent to the hardcoded C&C server via HTTP POST requests. The Chromium-based browsers Opera, Edge, and Chrome store credentials in the same manner; for each of these browsers, PteroSteal exfiltrates encrypted credentials from the file named Login Data and the corresponding encryption key from the file Local State. The encryption key is decrypted on a compromised machine prior to exfiltration by using the method ``` [System.Security.Cryptography.ProtectedData]::Unprotect. For each browser, both files are ``` located in the respective directories: - `%APPDATA%\Opera Software\Opera Stable\` - `%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\` - `%LOCALAPPDATA%\Google(x86)\Chrome\User Data\Default\` - `%LOCALAPPDATA%\Google\Chrome\User Data\Default\` Firefox stores data for each profile in a separate directory in %APPDATA%\Mozilla\Firefox\Profiles\; PteroSteal exfiltrates the following files from all profile directories: - `key3.db` - `key4.db` - `logins.json` - `cert9.db` The Bat! stores credentials for accounts in subdirectories named by email addresses in %APPDATA%\The ``` Bat!\, PteroSteal exfiltrates all files that are named Account.CFN and are in a subdirectory that ``` contains the @ character in its name. Outlook stores profile data in the registry under HKCU\SOFTWARE\Microsoft\Office; the specific registry path depends on the version of Microsoft Office and it also contains some other variable parts. Therefore, PteroSteal enumerates all entries under HKCU\SOFTWARE\Microsoft\Office and looks for a registry value named IMAP Password to find the correct path. ----- If it finds any profile with a saved password, it exfiltrates the data from the following registry values of this key: - `Account Name` - `Email` - `IMAP Server` - `IMAP Port` - `IMAP User` - `SMTP Port` - `SMTP Server` It also exfiltrates the IMAP Password from the registry, but this data is first decrypted before exfiltration by using [System.Security.Cryptography.ProtectedData]::Unprotect. _PteroCookie_ Discovered by ESET Research in May 2023, PteroCookie (SHA-1: ``` F05874C1B908FDEF4B9AF2B084E3D813595A12C9) is a PowerShell infostealer that steals cookie files ``` stored by Opera, Mozilla Firefox, Google Chrome, and Microsoft Edge. The stolen cookies are base64 encoded and, coupled with the computer name, sent to the hardcoded C&C server via HTTP POST requests. The Chromium-based browsers Opera, Edge, and Chrome store cookies in the same manner; for each of these browsers, PteroCookie exfiltrates encrypted cookies from the file named Cookies and the corresponding encryption key from the file Local State. The encryption key is decrypted on the compromised machine prior to exfiltration by using the method ``` [System.Security.Cryptography.ProtectedData]::Unprotect. For each browser, both files are ``` located in the corresponding directories: - `%APPDATA%\Opera Software\Opera Stable\Network\` - `%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Network\` - `%LOCALAPPDATA%\Google(x86)\Chrome\User Data\Default\Network\` - `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Network\` Firefox stores data for each profile in a separate subdirectory in ``` %APPDATA%\Mozilla\Firefox\Profiles\; PteroCookie exfiltrates an SQLite database named cookies.sqlite from all profile subdirectories. ``` It is worth mentioning that the code segment for parsing the encryption key from the Local State file was sourced from a GitHub code snippet. _PteroSig_ Discovered by ESET Research in June 2023, PteroSig (SHA-1: ``` 2CDB1DA4DF1A33E379C2F24DD6A05709F4848CB6) is a PowerShell infostealer designed to extract ``` information from the Signal desktop application. The Signal application’s SQLite database, stored in ``` %APPDATA%\Signal\sql\db.sqlite, contains sensitive information like sent and received messages. The ``` database is encrypted, but the key is stored close by, in %APPDATA%\Signal\config.json, allowing anyone with access to these files to read the database’s content, as described in this article. First, PteroSig, checks whether the file %APPDATA%\Signal\sql\db.sqlite is present on the compromised machine. If it is, PteroSig attempts to terminate any running instances of the Signal application and copies the file holding the encryption key as well as the entire directory containing the database to a newly created directory %TEMP%\sgn. Finally, it exfiltrates, one by one, all files from ``` %TEMP%\sgn to its C&C server via HTTP POST requests but does not delete the local copies. ``` ----- _PteroGram_ Discovered by ESET Research in June 2023, PteroGram (SHA-1: ``` AC17FD08A3987CC91DFD6649BA3DABE8A9671305) is a PowerShell infostealer targeting the Telegram ``` Desktop application. Telegram Desktop stores its data in %APPDATA%\Telegram Desktop\tdata, which contains encrypted session data. The encryption key is derived from a passcode and salt, but if no passcode is set, an empty string is used instead of it in the derivation procedure. Therefore, if an adversary obtains such encrypted files that have had no passcode set and inputs them into another Telegram Desktop instance, they gain full access to the active session, including chat history. First, PteroGram checks if %APPDATA%\Telegram Desktop exists on a compromised machine to determine whether Telegram Desktop is installed. If so, it searches for all directories located in ``` %APPDATA%\Telegram Desktop\tdata with names that are 16 characters long and exfiltrates all files ``` from such subdirectories via HTTP POST requests to its C&C server. It also exfiltrates all files directly in ``` %APPDATA%\Telegram Desktop\tdata, then terminates the Telegram process and deletes the entire %APPDATA%\Telegram Desktop\tdata directory, perhaps to keep the stolen session unique. ``` _PteroBleed_ In August 2023 we discovered a PowerShell infostealer (SHA-1: ``` B50F10BBDB49BE6D868B09F3E1DD6C78D58D8E89) that we named PteroBleed; its goal is to exfiltrate ``` _[IndexedDB data, which is persistently stored by web versions of various applications (e.g., Telegram) that](https://web.dev/articles/indexeddb#what)_ are running in the browsers Opera, Chrome, or Edge. For exfiltration it uses HTTP POST requests. Web applications that use IndexedDB may store any kind of data, potentially including sensitive information like images or files transferred via web versions of messenger applications. As described next, PteroBleed exfiltrates two sets of files, excluding .log or .old extensions. The first is all files located in the following directories: - `%APPDATA%\Opera Software\Opera Stable\Local Storage\leveldb\` - `%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Local Storage\leveldb\` - `%LOCALAPPDATA%\Google(x86)\Chrome\User Data\Default\Local Storage\leveldb\` - `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Local Storage\leveldb\` The second set is files located in specific subdirectories in the following paths: - `%APPDATA%\Opera Software\Opera Stable\IndexedDB\` - `%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\IndexedDB\` - `%LOCALAPPDATA%\Google(x86)\Chrome\User Data\Default\IndexedDB\` - `%LOCALAPPDATA%\Google\Chrome\User Data\Default\IndexedDB\` The only subdirectories considered for exfiltration are those with names containing strings referencing Telegram and WhatsApp, a Ukrainian military system, and a webmail service used by a Ukrainian governmental institution. _PteroScout_ Discovered by ESET Research in August 2023, PteroScout (SHA-1: ``` 2416DFC031CF0D05054D5BEB9739CBA6470FE585) is a PowerShell infostealer; its main goal is ``` reconnaissance. It collects various data about the compromised system and exfiltrates it to the hardcoded C&C server via an HTTP POST request. Exfiltrated data is composed of: - a captured screenshot, - installed security products retrieved by the query SELECT * FROM AntiVirusProduct, - selected information about the system, retrieved by the systeminfo command: ° OS name, ----- ° OS version, ° original install date, ° system boot time, ° system type, ° system directory, ° logon server, ° domain, ° total physical memory, and ° available physical memory. - used and free space of all connected drives, - a list of running processes, - a list of installed applications enumerated from two registry keys: ° `HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\, and` ° `HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\.` - a list of files located in the Desktop directory, and - a computer name and a volume serial number of a system disk. Backdoors _PteroPShell_ Discovered by ESET Research in October 2022, PteroPShell (SHA-1: ``` E2FEEE0B92819AC7FCA85CFE3DC37750834F0990) is a very simple reverse shell written in PowerShell. It ``` connects to a predefined IP address and port using TCP, receives a command, and executes it using the ``` Invoke-Expression cmdlet. The command’s output is then sent back to the C&C server. Initially and ``` then after every executed command, it displays a typical PowerShell prompt in the format PS ``` > to the operator. All observed PteroPShell samples were configured to connect ``` to TCP port 9511, except one, which used port 1010. Ad hoc tools _PteroSocks_ Discovered in May 2023, PteroSocks (SHA-1: D58BFB39969F28698F90BF2E8782057E2F83C2DF) is a PowerShell tool providing partial SOCKS proxy functionality. It consists of two parts that were taken from unrelated open-source projects on GitHub. The first part, identical to code from the Amsi-Bypass [Powershell repository, tries to bypass AMSI on a compromised machine by patching the](https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal) ``` DllGetClassObject function in the Windows Defender DLL MpOav.dll and by calling the AmsiUtils.Uninitialize method. ``` [The second part of PteroSocks, taken from the Invoke-SocksProxy](https://github.com/p3nt4/Invoke-SocksProxy/blob/master/Invoke-SocksProxy.psm1) repository, is a partial SOCKS proxy implementation. After the tool attempts to disable AMSI, it operates as a reverse proxy, establishing an encrypted TCP tunnel to the hardcoded IP address 80.90.181[.]107 and a randomly chosen port from 4000 to 4100. This gives operators access to the local network and the ability to pivot to other systems via the compromised machine. Curiously, Gamaredon used an optional certificate-pinning functionality in the Invoke-SocksProxy script to verify the server certificate’s MD5 hash against the hardcoded value ``` 565A4CD6E4F74E17A37D34E6EF93AB6DED71B3AA. We have seen just two occurrences of PteroSocks thus ``` far, indicating its use in special cases. ----- _PteroClone_ Discovered by ESET Research in July 2023, PteroClone (SHA-1: ``` 5720FFDF9D9CD649445CBC12844E2B587622643A) is a unique PowerShell tool that uses a legitimate ``` [command line program – rclone](https://rclone.org/) – for managing files on cloud storage to download the next stage. It first downloads the rclone binary and configuration file to %APPDATA%\Defrag, naming them ``` Defrag.exe and rclone.conf, respectively. It then creates the ScheduledDefrag task, set to trigger ``` when the system has been idle for ten minutes. This scheduled task launches the rclone binary with the following command line arguments: ``` sync mega: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup --no-console ``` These arguments instruct rclone to download the content of the directory named as the computer [name from the well-known MEGA cloud storage](https://mega.io/) to the local Startup directory. This MEGA directory, created when files are uploaded by another rclone instance, must exist when the task first starts, as explained in the next paragraph. The credentials needed to access the cloud storage are automatically parsed from the configuration file. All files added to the Startup directory are executed during every system start. Finally, PteroClone launches two instances of rclone with the following arguments: - `sync %APPDATA%\Microsoft\Windows\SendTo mega:-d --no-console` - `sync %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup mega: --no-` ``` console. ``` These sync directories from the local machine to corresponding directories on the MEGA cloud storage. The first set of command line arguments is used to upload all files and subdirectories from the SendTo directory to the cloud storage. This directory usually contains shortcuts to various directories, devices, or installed software that appear in the Send to context menu after right-clicking on a file. We believe that Gamaredon operators might be able to leverage some of these files to make a better decision about whether to deploy the next stage on victims’ machines. The second instance uploads the content of the Startup directory to cloud storage so that all the files already present in that directory are preserved when the rclone instance launched by the scheduled task synchronizes that directory with the one stored on MEGA. Otherwise, these files would be deleted. This instance also creates the ``` directory on the cloud storage. ``` In our telemetry, we have observed five distinct rclone configuration files so far. However, the intended payload of PteroClone remains unknown, as we haven’t been able to obtain it. _PteroPowder_ Discovered by ESET Research in June 2023, PteroPowder (SHA-1: ``` 47A03EBB9798A8DF7EC8212134D418E937B449E9) is a simple downloader written in C++. It fetches a ``` PowerShell script from a hardcoded IP address using an HTTP GET request with the URI /cmd. Then it merely uses the Windows API function ShellExecuteA to launch powershell.exe with two values – the first being -ExecutionPolicy Bypass and the second being the content of the downloaded script. Interestingly enough, the following PDB path was left in the sample: ``` E:\Projects\RESEARCH\TOOLS\c++\Reverse\Release\Reverse.pdb ``` We do not know what payload was intended to be delivered by PteroPowder, as we have not been able to obtain it. However, the URI and the word Reverse in the PDB path suggest that PteroPowder might deliver PteroPShell, a simple reverse shell, as it was delivered by other downloaders using the same URI in the past. ----- _ReVBShell_ _[ReVBShell](https://github.com/bitsadmin/revbshell)_ (SHA-1: 5BEFC01A3771E61151224E18F926226FF7FD4A40) an open-source reverse shell written in VBScript, was deployed by Gamaredon twice, both times in June 2023. One instance that we saw even contained a commented-out header with license, author, and GitHub repository details, which was removed in the second sample. All commands provided by this open-source reverse shell are shown in Figure 11. The C&C server is set to 5.181.156[.]109:7070 in both samples. Besides adjustments made in the tool’s C&C configuration, operators slightly altered the SHELL command. Rather than sending command outputs directly to the C&C server, it now also logs each output to a separate file and sends the filename back to the C&C server, allowing operators to retrieve the outputs later if necessary. Figure 11. Commands provided by ReVBShell ----- #### Obfuscation To avoid detection and to make it more difficult for researchers to dissect its malware, Gamaredon often applies obfuscation to its tools. Most of Gamaredon’s currently used tools are scripts written in PowerShell or VBScript, and many are obfuscated. The following paragraphs showcase and describe the most common types of obfuscation used in Gamaredon’s tools. Note that there are myriad types of obfuscation used in various Gamaredon tools and the following examples are not an exhaustive list of them. PteroPSDoor variant 1 serves as a good example of how the obfuscation evolved over the course of time. In the initial version (7051) from May 2022, all function and variable names were replaced with random names, though string variables were left unobfuscated, and functions maintain their order. In the subsequent version (7052), deployed a few days later, obfuscation was extended to some string variables by splitting them into parts and dynamically concatenating them when used. Fast-forward to version 7208, which we discovered 18 months after version 7051. The string variables are obfuscated even more, by inserting abundant random characters between real ones, the order of functions in the script is randomized for each instance, and some parts of the script are defined as (obfuscated) string variables and evaluated via Invoke-Expression. Code snippets of all three aforementioned versions are shown in Figure 12. Figure 12. Comparison of PteroPSDoor variant 1 v. 7051, 7052, and 7208 ----- An example of a different kind of obfuscation, mainly used in PowerShell scripts, is a PteroPSLoad sample. As depicted in Figure 13, the main functionality code of PteroPSLoad is base64 encoded and embedded in a wrapper. The wrapper contains some cleartext code and large portions of irrelevant code, particularly within several try/catch blocks. However, relevant sections, highlighted with red frames, decode the blob and execute it. Figure 13. An example of obfuscation used in a PteroPSLoad sample ----- The last example is a sample of the VBScript version of PteroLNK (SHA1: ``` 7793282401B134077E70217B55B0C4B45850D119) that is quite large and heavily obfuscated. Various ``` types of obfuscation applied to it are characteristic of many Gamaredon’s VBScript tools. Looking at Figure 14, which contains a zoomed-out code listing of PteroLNK, there are three visually distinct blobs in the script, highlighted in pink. These blobs represent the individual components of PteroLNK: a downloader, a LNK dropper, and a scheduler. Figure 14. An example of obfuscation used in a PteroLNK sample – highlighted parts are code obfuscated as data ----- As shown in Figure 15, the first two blobs are base64 encoded, while the last one resembles valid VBScript code. In this last blob, which contains the scheduler’s code, various characters have been replaced with random character sequences (e.g., u with %L90#, n with #E7H2, o with }Q@45). The wrapper deobfuscates the code in the blob during runtime, just before evaluation. Figure 15. Snippets of the three blobs from PteroLNK These two obfuscation types can be layered. After decoding, the base64-encoded blobs also contain blobs with replaced characters. Figure 16 shows an example of the contents of a base64-encoded blob post-decoding. Figure 16. The second layer of obfuscation applied to the downloader component Moreover, as well as in other tools, the names of functions and variables in PteroLNK are randomly generated. ----- ### NETWORK INFRASTRUCTURE [Gamaredon uses a technique known as fast flux DNS for its network infrastructure – frequently](https://attack.mitre.org/techniques/T1568/001/) changing its C&C servers’ IP addresses, usually several times per day, to avoid IP-based blocking. It also frequently registers and updates many new C&C domains to avoid domain-based blocking, mainly using.ru as the top-level domain (TLD). Very rarely, we also saw these TLDs being used: .shop, .org, ``` .site, .online, .fun, and .xyz. The most prevalent registrar used by Gamaredon for registering new ``` C&C domains is REGRU-RU. From 2022, Gamaredon shifted from using hardcoded C&C domains to hardcoded C&C IP addresses in its tools. By mid-2023, many tools contained a hardcoded C&C domain and a hardcoded C&C IP address, with some only having a hardcoded C&C IP address. Note that even if a tool contains a hardcoded C&C domain, it resolves this domain to an IP address by itself, for example by using WMI queries to ping C&C domains, and subsequently uses the IP address for contacting the C&C server. In April 2023, Gamaredon changed the DNS records for its domains to prevent IP addresses from being resolved without using subdomains. #### Bypassing domain-based blocking Gamaredon puts considerable effort into finding new techniques for bypassing domain-based blocking and for protecting the IP addresses of its C&C servers. Besides manually resolving C&C domains to IP addresses, which is typical behavior of Gamaredon tools, in 2022 and 2023 the group has added several additional techniques to bypass domain-based blocking. These include using legitimate public third-party websites to resolve domains to IP addresses, obtaining IP addresses from hardcoded URLs leading to a Telegram channel maintained by the operators or the [Telegram publishing platform telegra.ph, and using Cloudflare’s or Google’s](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/make-api-requests/) DoH service. It can also use [the legitimate Cloudflare Tunnel client to proxy traffic, or the ngrok utility to communicate with a C&C](https://ngrok.com/product/secure-tunnels) server. Lastly, it can obtain a C&C IP address from a DNS TXT record of a hardcoded C&C domain by querying Google’s DNS server. ### CONCLUSION Gamaredon significantly extended its cyberespionage capabilities by introducing multiple new tools to its arsenal throughout 2022 and 2023. These new tools are developed mainly in PowerShell, which has definitely become the language of choice for the group. Despite these numerous additions, the technical sophistication of the tools has hardly increased and the tools remain rather simple and straightforward with the focus on getting things done. Rather than innovating new stealth methods, Gamaredon continues to rely on heavy obfuscation, frequent updates, and pre-deployment testing against security products. Given the high volume of unique samples produced daily, all three aforementioned aspects are probably automated to some extent. The group demonstrated resourcefulness by employing various techniques to evade network-based detections, leveraging third-party services such as Telegram, Cloudflare, and ngrok. Despite occasional attempts to compromise other countries, Gamaredon’s primary focus remains Ukraine, and we anticipate this trend will continue without significant shifts in targeting. ----- ### IOCS #### Files In this section, we only provide one example for each tool or variant. All IoCs were already provided in the MISP events published with private ESET Threat Intelligence reports throughout 2022 and 2023. SHA-1 Filename Detection Description `DF1C0A70E7A02B839AB3` PteroX – a VBScript general-purpose VBS/Pterodo.AEV `AAC3FC410E61EEFB58EB` [N/A ] downloader. `B50F10BBDB49BE6D868B` PteroBleed – steals the IndexedDB PowerShell/Pterodo.FR `09F3E1DD6C78D58D8E89` [N/A ] database from various browsers. ``` 0879644944178645498E ``` PowerShell/Pterodo.GA Downloader of PteroBleed. `20EB4F59F2A8F128255D` [N/A ] `82123C17117EF235F3B5` PteroCDrop – dropper with various C Win32/Pterodo.CEZ `7D0C5572C861E3ED7173` [N/A ] or VBScript payloads. `5720FFDF9D9CD649445C` PteroClone – uses rclone to download PowerShell/Pterodo.GC `BC12844E2B587622643A` [N/A ] the next stage. ``` 55CD3FB7D1FDE8694411 ``` PowerShell/Pterodo.GA Downloader of PteroClone. `54573C9C62D93E0570E0` [N/A ] ``` F05874C1B908FDEF4B9A ``` PowerShell/Pterodo.FY PteroCookie – cookie stealer. `F2B084E3D813595A12C9` [N/A ] ``` CEA83C1AF6736484A172 ``` PowerShell/Pterodo.GA Downloader of PteroCookie. `F7A3B876427CDF276473` [N/A ] `FEA57A486EB4BDAC5E7D` PteroDash – a VBScript generalVBS/Pterodo.AFA `59C9958C42293A5ABE12` [N/A ] purpose downloader. ``` 1AEAE7A567C71200BA80 ``` PowerShell/Pterodo.FF PteroDig – LNK weaponizer. `4801C4CEC227D2B64414` [N/A ] ``` A3260C3314DF25DBF336 ``` PowerShell/Pterodo.GK Downloader of PteroDig. `9B7C516BD9D4C1B4B1E4` [N/A ] `B2B58CEF19546B2D2284` PteroDoc – Word document VBS/Pterodo.VE `B2EB5F22B6D8FDB94D4E` [N/A ] weaponizer. `AC17FD08A3987CC91DFD` PteroGram – steals data that belongs PowerShell/Pterodo.FT `6649BA3DABE8A9671305` [N/A ] to the Telegram Desktop application. ----- SHA-1 Filename Detection Description `945A50678E6E9AA29370` PowerShell/TrojanDownlo Downloader of PteroGram. `7E4F41E9BC81B9098BC5` [N/A ] ader.Agent.GBK `AB7C5C7CD6F75B1D0A7A` Downloader of PowerShell version of VBS/Pterodo.SC `D29176A254055BE5356E` [N/A ] PteroLNK. `866E874CFF4EAD298899` Downloader of the VBScript version of VBS/Pterodo.SL `24AA02630E68AE252B55` [N/A ] PteroLNK. `49CF239AB2EBD04CAFDC` PowerShell version of PteroLNK – USB PowerShell/Pterodo.FC `EC07FBB0C1C1A43E8C02` [N/A ] drive weaponizer. `801A9B08987977692223` PowerShell version of PteroLNK – USB PowerShell/Pterodo.GN `B7105DEC8B21B9D9749E` [N/A ] drive weaponizer. `44C720AE508F448263A8` PowerShell version of PteroLNK – USB PowerShell/Pterodo.GN `3CAC26775D6709DFBBDD` [N/A ] drive weaponizer. `E537DEAF3A77C5C0F0B9` PowerShell version of PteroLNK – USB PowerShell/Pterodo.GN `F8A12FF5995DD24CD259` [N/A ] drive weaponizer. `7793282401B134077E70` VBScript version of PteroLNK – USB VBS/Pterodo.PS `217B55B0C4B45850D119` [N/A ] drive weaponizer. ``` 0FA9303ED739A3C6A76C ``` PowerShell/Pterodo.JJ Downloader of PteroPSDoor variant 1. `EF4517B9ADB60C73CA80` [N/A ] ``` A3C21F9A493A05F9428E ``` PowerShell/Pterodo.GA Downloader of PteroPSDoor variant 2. `8F5FE5AF7F0C2BF67F95` [N/A ] ``` 821362A484908E93F8BA ``` Win32/Pterodo.BUD PteroPSDoor variant 1 version 7051. `748B600665AE6444303D` [N/A ] ``` 66049304E03AB624167B ``` Win32/Pterodo.BUD PteroPSDoor variant 1 version 7052. `68501202A254E9ADD060` [N/A ] ``` BA5F7E2FA9BE1CB3FC7A ``` PowerShell/Pterodo.GS PteroPSDoor variant 1 version 7208. `E113F41C36E4F2C464B6` [N/A ] ``` 742E34BA21650ECB0B7E ``` PowerShell/Pterodo.BY PteroPSDoor variant 2 version 7111. `F33F786641F0BE823BE8` [N/A ] `4F915541291120AA1001` PteroPSLoad – PowerShell PowerShell/Agent.BGU `23C1C93FA7DE78F46A3F` [N/A ] downloader. ----- SHA-1 Filename Detection Description `025E3D88C53FC12D5A4A` PteroPSLoad – PowerShell VBS/Pterodo.TX `AB726E696F2815BAC84D` [N/A ] downloader. `D5576E578518E474A5DF` PteroPSLoad – PowerShell PowerShell/Pterodo.FD `F654C44AB3EC4A6E4ECF` [N/A ] downloader. `28F4F0367C2BB0574C8A` PteroPSLoad – PowerShell PowerShell/Pterodo.AV `7D1B9C3E71E6AC678300` [N/A ] downloader. `E0BD8855159CB708789C` PteroPSLoad – PowerShell PowerShell/Pterodo.GE `4DE183E107C5C117FBA1` [N/A ] downloader. `9E30DFFDB88DD3ADFAB4` PteroPSLoad – PowerShell PowerShell/Pterodo.DX `CD5C67A98336C4BF9504` [N/A ] downloader. `224B18E531E511CEA284` PowerShell/TrojanDownlo `9D9A3B9CF5AD502AFECC` [N/A ] ader.Agent.EMF PteroPSLoad – PowerShell downloader. `6D694B73A2C497F16EB9` PteroPSLoad – PowerShell PowerShell/Agent.GT `B5CCA883658397FFBEDF` [N/A ] downloader. `B08305C557692619B9D0` PteroPSLoad – PowerShell Win32/Pterodo.BTM `EAF5B58A8B91858CF4D5` [N/A ] downloader. `B99D4724077B0A2CBEEE` PteroPSLoad – PowerShell PowerShell/Pterodo.AV `38332C05F3D4171C9DCC` [N/A ] downloader. `13BA279D8602FEE7CEDE` PteroPSLoad – PowerShell PowerShell/Pterodo.AV `152B6A9148CD9D2F6662` [N/A ] downloader. ``` 8C9BFF48805537B41717 ``` VBS/Pterodo.TT Downloader of PteroPSLoad. `BE78B1BE2A72DFC2A5D1` [N/A ] `E2FEEE0B92819AC7FCA8` PteroPShell – PowerShell reverse PowerShell/Pterodo.GH `5CFE3DC37750834F0990` [N/A ] shell. ``` BED97E0CFEDA1588FF12 ``` PowerShell/Pterodo.GA Downloader of PteroPShell. `B392E0B5502DB50DE768` [N/A ] `47A03EBB9798A8DF7EC8` Win32/TrojanDownloader. `212134D418E937B449E9` [N/A ] Pterodo.A PteroPowder – downloads and executes a PowerShell payload. `A93503BBB613F084ADD3` PteroRisk – a VBScript generalVBS/Pterodo.OD `38B9FA2EEE466BF3A2D6` [N/A ] purpose downloader. ----- SHA-1 Filename Detection Description `2B9B0AD0B65BB6101704` PteroSand – a VBScript generalVBS/Pterodo.ABV `684CD339E946FAE2DCFA` [N/A ] purpose downloader. ``` 2416DFC031CF0D05054D ``` PowerShell/Pterodo.GO `5BEB9739CBA6470FE585` [N/A ] PteroScout – gathers and exfiltrates various information about the compromised system. ``` 8C79BB8EB97E774FFCEC ``` PowerShell/Pterodo.GL Downloader of PteroScout. `66C64F5CC8A11ED6C693` [N/A ] ``` BA2366ED4E83FFC6DEC4 ``` PowerShell/Pterodo.BQ PteroScreen – screen capturing tool. `89C9011FE181CE169A47` [N/A ] `C42FE320A800F7C4AE97` PowerShell/TrojanDownlo Downloader of PteroScreen. `D0FDC6A1BBD91D57E75D` [N/A ] ader.Agent.HOI `2CDB1DA4DF1A33E379C2` PteroSig – steals database that PowerShell/Pterodo.FR `F24DD6A05709F4848CB6` [N/A ] belongs to the Signal application. ``` D37C80782FBEEE2035FB ``` PowerShell/Pterodo.GA Downloader of PteroSig. `B196D6A6443B4BE05B4C` [N/A ] ``` D58BFB39969F28698F90 ``` PowerShell/KillAV.AH PteroSocks – SOCKS proxy. `BF2E8782057E2F83C2DF` [N/A ] ``` 7CA1ADF40BA850D12B95 ``` PowerShell/Pterodo.GA Downloader of PteroSocks. `259CBD2626562E17670C` [N/A ] ``` 8A2261D8C8111D2D9927 ``` PowerShell/Pterodo.EG PteroSteal – credential stealer. `6575120B9EA65D0AEAEA` [N/A ] ``` 5E34D44D6B39ED1F9772 ``` PowerShell/Pterodo.GK Downloader of PteroSteal. `9184101185D368F2B6CE` [N/A ] `16FD6CBA3F13CC5B195C` PteroTemplate – Word template VBS/Pterodo.NM `D6C0DD33BBF08CD0FE39` [N/A ] weaponizer. `9A6B36E6CAD9156EA6E0` PteroTemplate – Word template VBS/Pterodo.XX `9DE740D3F1CCB6816F87` [N/A ] weaponizer. ``` 9E40CC45CBC9625EC190 ``` VBS/Pterodo.OC PteroVDoor version 6004. `711D2790359A6198DB37` [N/A ] ``` 0FD02B12517221F71A4A ``` VBS/Pterodo.ACF PteroVDoor version 6005. `3774630C05643EE59988` [N/A ] ----- SHA-1 Filename Detection Description `596613AF85EE703858DB` VBS/TrojanDownloader.Ag Downloader of PteroVDoor. `96C570C6C0283EAA19C6` [N/A ] ent.ZEK `9B6EF236D9DC758336F1` Stage 1 of PteroVDoor download VBS/Pterodo.FE `D89268822F8611C8B973` [N/A ] chain. `CB9712BED15723973171` Stage 2 of PteroVDoor download VBS/Pterodo.XR `192DA17946BF6778D98D` [N/A ] chain. `04F1ED3050D6B2527D61` Stage 2 of PteroVDoor download VBS/Pterodo.LS `96DFF5845B10510D0C2F` [N/A ] chain. ``` 5BEFC01A3771E6115122 ``` VBS/Pterodo.OC ReVBShell – VBScript reverse shell. `4E18F926226FF7FD4A40` [N/A ] `0B5402397306F702D006` Remote template downloaded by Win32/Pterodo.CBG `BC18A473DAC5CD33540B` [N/A ] PteroDoc. `F2D8F72F8FAA81AF02D3` Remote template downloaded by VBA/Pterodo.BS `1C5A93DFEA71E33DE0D9` [N/A ] PteroTemplate. #### Network The network IoCs provided here are only C&C servers extracted from selected samples, provided as examples and not an exhaustive list of all C&C servers that we have encountered over the past years. The complete lists of network IoCs are provided in MISP events of private ESET Threat intelligence reports that we publish periodically. Note that IP addresses could not be automatically resolved from the domains for two possible reasons: the domains had already expired or they have been resolved without a subdomain, which cannot be done anymore as explained in the Network infrastructure section. IP Domain Hosting provider First seen Details Gamaredon C&C N/A `corolain[.]ru` N/A 2021-11-11 server. Gamaredon C&C N/A `goloser[.]ru` N/A 2022-01-20 server. Gamaredon C&C N/A `retarus[.]ru` N/A 2022-01-20 server. Gamaredon C&C N/A `hulortad[.]ru` N/A 2022-05-06 server. ----- IP Domain Hosting provider First seen Details Gamaredon C&C N/A `login.kifales[.]ru` N/A 2022-12-02 server. Gamaredon C&C N/A `hakold[.]ru` N/A 2022-12-15 server. Gamaredon C&C N/A `amasiyagi[.]ru` N/A 2023-02-07 server. Gamaredon C&C `67.205.160[.]237` N/A DigitalOcean, LLC 2023-04-11 server. Gamaredon C&C N/A `absorbeni[.]ru` N/A 2023-05-09 server. Gamaredon C&C `80.90.181[.]107` N/A TimeWeb Ltd. 2023-05-22 server. Gamaredon C&C `185.163.45[.]5` N/A MivoCloud SRL 2023-06-12 server. Gamaredon C&C N/A `rieturc[.]ru` N/A 2023-06-20 server. Gamaredon C&C `5.181.156[.]109` N/A MivoCloud SRL 2023-06-21 server. Gamaredon C&C `188.166.247[.]34` N/A DigitalOcean, LLC 2023-06-21 server. `194.180.191[.]30` N/A MivoCloud Administrator, ORG-MS569-RIPE Gamaredon C&C 2023-06-30 server. Gamaredon C&C N/A `opela[.]ru` N/A 2023-07-10 server. Gamaredon C&C `159.223.152[.]63` N/A DigitalOcean, LLC 2023-07-10 server. Gamaredon C&C N/A `marginisbi[.]ru` N/A 2023-07-11 server. Gamaredon C&C N/A `tolofa[.]ru` N/A 2023-08-04 server. ----- IP Domain Hosting provider First seen Details `212.18.104[.]56` N/A `89.23.107[.]188` N/A GLOBAL INTERNET SOLUTIONS LLC GLOBAL INTERNET SOLUTIONS LLC Gamaredon C&C 2023-08-04 server. Gamaredon C&C 2023-08-11 server. Gamaredon C&C `5.252.178[.]140` N/A MivoCloud SRL 2023-08-16 server. `141.98.233[.]17` N/A `185.225.19[.]16` N/A GLOBAL INTERNET SOLUTIONS LLC MivoCloud Administrator, ORG-MS569-RIPE Gamaredon C&C 2023-08-17 server. Gamaredon C&C 2023-08-18 server. Gamaredon C&C `209.97.165[.]187` N/A DigitalOcean, LLC 2023-08-18 server. Gamaredon C&C `91.200.148[.]232` N/A TimeWeb Ltd. 2023-08-24 server. Gamaredon C&C N/A `havxcq[.]ru` N/A 2023-08-30 server. Gamaredon C&C `164.92.115[.]188` N/A DigitalOcean, LLC 2023-08-30 server. Gamaredon C&C server. `89.185.84[.]204` N/A GLOBAL INTERNET SOLUTIONS LLC 2023-0906 Gamaredon C&C `159.203.14[.]8` N/A DigitalOcean, LLC 2023-09-07 server. `46.29.234[.]46` N/A GLOBAL INTERNET SOLUTIONS LLC Gamaredon C&C 2023-09-18 server. Gamaredon C&C `161.35.106[.]28` N/A DigitalOcean, LLC 2023-09-18 server. ----- IP Domain Hosting provider First seen Details Gamaredon C&C `144.126.218[.]218` N/A DigitalOcean, LLC 2023-09-20 server. Gamaredon C&C N/A `statuesque[.]ru` N/A 2023-09-25 server. `195.133.88[.]128` N/A GLOBAL INTERNET SOLUTIONS LLC Gamaredon C&C 2023-09-29 server. Gamaredon C&C N/A `fritopa[.]ru` N/A 2023-09-30 server. Gamaredon C&C `165.227.208[.]207` N/A DigitalOcean, LLC 2023-09-30 server. Gamaredon C&C `89.19.209[.]154` N/A TimeWeb Ltd. 2023-10-02 server. Gamaredon C&C N/A `lokalut[.]ru` N/A 2023-10-09 server. Gamaredon C&C `143.198.160[.]45` N/A DigitalOcean, LLC 2023-10-16 server. Gamaredon C&C N/A `consentesto[.]ru` N/A 2023-10-23 server. `167.172.139[.]39` N/A RIPE-NCC LEGACY-MNT, ORG-NCC1-RIPE Gamaredon C&C 2023-10-23 server. Gamaredon C&C `185.163.47[.]177` N/A MivoCloud SRL 2023-11-01 server. Gamaredon C&C `89.185.84[.]141` `www.toorisugita[.]ru` N/A 2023-11-02 server. Gamaredon C&C `68.183.2[.]92` N/A DigitalOcean, LLC 2023-11-02 server. Gamaredon C&C N/A `dfgqdsd[.]ru` N/A 2023-11-09 server. Gamaredon C&C N/A `youdad[.]ru` N/A 2023-11-27 server. ----- IP Domain Hosting provider First seen Details Gamaredon C&C N/A `loturam[.]ru` N/A 2023-12-04 server. Gamaredon C&C N/A `nikortal[.]ru` N/A 2023-12-06 server. Gamaredon C&C N/A `nododru[.]ru` N/A 2023-12-20 server. `62.133.62[.]73` N/A GLOBAL INTERNET SOLUTIONS LLC Gamaredon C&C 2023-12-20 server. ### MITRE ATT&CK TECHNIQUES This table was built using version 15 of the MITRE ATT&CK framework. Tactic ID Name Description Gamaredon registers domains for its C&C servers. Gamaredon rents servers for its C&C infrastructure. Gamaredon develops its own custom malware. Gamaredon uses various open-source tools like ReVBShell and Cloudflare Tunnel client. Gamaredon sends spearphishing emails with malicious attachments. PteroLNK weaponizes USB drives to move laterally. Gamaredon uses PowerShell to execute payloads. Resource Development Initial Access Acquire Infrastructure: _[T1583.001](https://attack.mitre.org/versions/v15/techniques/T1583/001)_ Domains Acquire Infrastructure: _[T1583.003](https://attack.mitre.org/versions/v15/techniques/T1583/003)_ Virtual Private Server Develop Capabilities: _[T1587.001](https://attack.mitre.org/versions/v15/techniques/T1587/001)_ Malware Obtain Capabilities: _[T1588.002](https://attack.mitre.org/versions/v15/techniques/T1588/002)_ Tool Phishing: _[T1566.001](https://attack.mitre.org/versions/v15/techniques/T1566/001)_ Spearphishing Attachment Replication Through _[T1091](https://attack.mitre.org/versions/v15/techniques/T1091)_ Removable Media Execution _[T1059.001](https://attack.mitre.org/versions/v15/techniques/T1059/001)_ Command and Scripting Interpreter: PowerShell ----- Tactic ID Name Description _[T1059.005](https://attack.mitre.org/versions/v15/techniques/T1059/005)_ _[T1559.001](https://attack.mitre.org/versions/v15/techniques/T1559/001)_ Command and Scripting Interpreter: Visual Basic Inter-Process Communication: Component Object Model _[T1106](https://attack.mitre.org/versions/v15/techniques/T1106)_ Native API Scheduled Task/Job: _[T1053.005](https://attack.mitre.org/versions/v15/techniques/T1053/005)_ Scheduled Task User Execution: _[T1204.001](https://attack.mitre.org/versions/v15/techniques/T1204/001)_ Malicious Link User Execution: _[T1204.002](https://attack.mitre.org/versions/v15/techniques/T1204/002)_ Malicious File Windows Management _[T1047](https://attack.mitre.org/versions/v15/techniques/T1047)_ Instrumentation Boot or Logon Gamaredon uses VBScript to execute payloads. PteroPSLoad uses the COM object ``` MSScriptControl.ScriptControl.1 to ``` execute VBScript payloads. PteroCDrop uses the WinAPI ``` CreateProcess to execute VBScript ``` payloads. PteroClone creates a scheduled task to execute the rclone utility when certain conditions are met. Gamaredon uses LNK files in its spearphishing campaigns. Gamaredon uses HTA files in its spearphishing campaigns. PteroLNK uses WMI to discover connected USB drives. Downloader of PteroPSDoor variant 1 uses the Startup directory for persistence. PteroSand achieves persistence by setting the UserInitMprLogonScript registry key. PteroTemplate inserts a VBA macro into the Normal.dotm template to achieve persistence. PteroPSLoad creates a scheduled task for persistence. PteroSand uses base64 to decode downloaded payloads. Autostart Execution: Registry Run Keys / Startup Folder Boot or Logon Initialization Scripts: Logon Script (Windows) Office Application Startup: Office Template Macros Persistence _[T1547.001](https://attack.mitre.org/versions/v15/techniques/T1547/001)_ _[T1037.001](https://attack.mitre.org/versions/v15/techniques/T1037/001)_ _[T1137.001](https://attack.mitre.org/versions/v15/techniques/T1137/001)_ Scheduled Task/Job: _[T1053.005](https://attack.mitre.org/versions/v15/techniques/T1053/005)_ Scheduled Task Deobfuscate/Decode Defense Evasion _[T1140](https://attack.mitre.org/versions/v15/techniques/T1140)_ Files or Information ----- Tactic ID Name Description Hide Artifacts: Hidden _[T1564.001](https://attack.mitre.org/versions/v15/techniques/T1564/001)_ PteroLNK creates hidden files. Files and Directories Impair Defenses: _[T1562.001](https://attack.mitre.org/versions/v15/techniques/T1562/001)_ Disable or Modify Tools Indicator Removal: File _[T1070.004](https://attack.mitre.org/versions/v15/techniques/T1070/004)_ Deletion PteroSocks disables AMSI by calling the method AmsiUtils.Uninitialize. PteroPSDoor deletes staged files after successful exfiltration. Gamaredon creates registry keys with benign-looking names. PteroLNK creates files with so-called double extensions .docx.lnk and ``` .rtf.lnk. ``` _[T1036.004](https://attack.mitre.org/versions/v15/techniques/T1036/004)_ Masquerading: Masquerade Task or Service Masquerading: Double _[T1036.007](https://attack.mitre.org/versions/v15/techniques/T1036/007)_ File Extension PteroDoc modifies the registry to disable _[T1112](https://attack.mitre.org/versions/v15/techniques/T1112)_ Modify Registry Word macro security. Gamaredon uses HTML smuggling in its spearphishing campaigns. PteroCDrop drops an embedded payload. Gamaredon uses base64 to encode PowerShell commands. PteroDig installs itself into the Registry. Gamaredon obfuscates strings in payloads. Gamaredon uses mshta.exe to execute HTA files. _[T1027.006](https://attack.mitre.org/versions/v15/techniques/T1027/006)_ _[T1027.009](https://attack.mitre.org/versions/v15/techniques/T1027/009)_ _[T1027.010](https://attack.mitre.org/versions/v15/techniques/T1027/010)_ _[T1027.011](https://attack.mitre.org/versions/v15/techniques/T1027/011)_ _[T1027.013](https://attack.mitre.org/versions/v15/techniques/T1027/013)_ Obfuscated Files or Information: HTML Smuggling Obfuscated Files or Information: Embedded Payloads Obfuscated Files or Information: Command Obfuscation Obfuscated Files or Information: Fileless Storage Obfuscated Files or Information: Encrypted/Encoded File System Binary Proxy _[T1218.005](https://attack.mitre.org/versions/v15/techniques/T1218/005)_ Execution: Mshta PteroDoc inserts references to malicious _[T1221](https://attack.mitre.org/versions/v15/techniques/T1221)_ Template Injection remote templates into Word documents. ----- Tactic ID Name Description Execution Guardrails: _[T1480.001](https://attack.mitre.org/versions/v15/techniques/T1480/001)_ Environmental Keying Credentials from _[T1555.003](https://attack.mitre.org/versions/v15/techniques/T1555/003)_ Password Stores: Credentials from Web Browsers Credential Access Discovery _[T1518.001](https://attack.mitre.org/versions/v15/techniques/T1518/001)_ Steal Web Session _[T1539](https://attack.mitre.org/versions/v15/techniques/T1539)_ Cookie Unsecured Credentials: _[T1552.002](https://attack.mitre.org/versions/v15/techniques/T1552/002)_ Credentials in Registry PteroX uses the volume serial number from a compromised system as an XOR key for payloads. PteroSteal gathers and exfiltrates credentials stored by various browsers. PteroCookie gathers and exfiltrates cookies stored by various browsers. PteroSteal gathers and exfiltrates Outlook credentials stored in the registry. PteroPSDoor searches for files with specific file extensions. PteroScout enumerates installed software. PteroScout exfiltrates the output of the ``` systeminfo command. ``` PteroLNK can move laterally via weaponized USB drives. PteroPSDoor exfiltrates files with specific file extensions from a compromised system. PteroPSDoor exfiltrates files with specific file extensions from mapped network drives. PteroPSDoor exfiltrates files with specific file extensions from connected USB drives. PteroPSDoor stages files prior to exfiltration. File and Directory _[T1083](https://attack.mitre.org/versions/v15/techniques/T1083)_ Discovery Software Discovery: Security Software Discovery System Information _[T1082](https://attack.mitre.org/versions/v15/techniques/T1082)_ Discovery Lateral Replication Through _[T1091](https://attack.mitre.org/versions/v15/techniques/T1091)_ Movement Removable Media Data from Local _[T1005](https://attack.mitre.org/versions/v15/techniques/T1005)_ System Collection Data from Network _[T1039](https://attack.mitre.org/versions/v15/techniques/T1039)_ Shared Drive Data from Removable _[T1025](https://attack.mitre.org/versions/v15/techniques/T1025)_ Media Data Staged: Local _[T1074.001](https://attack.mitre.org/versions/v15/techniques/T1074/001)_ Data Staging PteroScreen captures and exfiltrates _[T1113](https://attack.mitre.org/versions/v15/techniques/T1113)_ Screen Capture screenshots. ----- Tactic ID Name Description _[T1071.001](https://attack.mitre.org/versions/v15/techniques/T1071/001)_ Application Layer Protocol: Web Protocols Data Encoding: _[T1132.001](https://attack.mitre.org/versions/v15/techniques/T1132/001)_ Standard Encoding Dynamic Resolution: _[T1568.001](https://attack.mitre.org/versions/v15/techniques/T1568/001)_ Fast Flux DNS Gamaredon uses HTTP and HTTPS protocols for C&C communication. PteroCookie uses base64 to encode data prior to exfiltration. Gamaredon uses fast flux DNS for its C&C infrastructure. Command and Control Exfiltration PteroPSLoad obtains the C&C IP address _[T1008](https://attack.mitre.org/versions/v15/techniques/T1008)_ Fallback Channels from a Telegram channel. _[T1105](https://attack.mitre.org/versions/v15/techniques/T1105)_ Ingress Tool Transfer Non-Application Layer _[T1095](https://attack.mitre.org/versions/v15/techniques/T1095)_ Protocol PteroClone uses the rclone utility to download payloads from MEGA cloud storage. PteroPShell uses the TCP protocol for C&C communication. PteroSocks serves as a reverse SOCKS _[T1090](https://attack.mitre.org/versions/v15/techniques/T1090)_ Proxy proxy server. Web Service: Dead _[T1102.001](https://attack.mitre.org/versions/v15/techniques/T1102/001)_ Drop Resolver Exfiltration Over C2 _[T1041](https://attack.mitre.org/versions/v15/techniques/T1041)_ Channel PteroPSLoad obtains its C&C IP address from the telegra.ph service. PteroPSDoor exfiltrates files over the C&C channel. PteroClone exfiltrates data to the MEGA cloud storage. _[T1567.002](https://attack.mitre.org/versions/v15/techniques/T1567/002)_ Exfiltration Over Web Service: Exfiltration to Cloud Storage -----