# Network Footprints of Gamaredon Group **blogs.cisco.com/security/network-footprints-of-gamaredon-group** Onur Mustafa Erdogan May 12, 2022 _Below research is reflecting our observations during month of March 2022. We also would like to thank Maria Jose Erquiaga for_ _her contribution in introduction and support during the process of writing._ ## Overview As the Russian-Ukrainian war continues over conventional warfare, cybersecurity professionals witnessed their domain turning into a real frontier. Threat actors picking sides [1], group members turning against each other [2], some people handing out DDoS tools [3], some people blending in to turn it into profit [4], and many other stories, proving that this new frontier is changing daily, and its direct impact is not limited to geographical boundaries. While attacks seem to be evolving daily, it is challenging for one to stay up to date with all that is going around. Therefore, we believe that it is important to distinguish between information and actionable intelligence. In Cisco Global Threat Alerts, we would like to share our observations related to this conflict during March of 2022 and discover how we can turn them into actionable intelligence together. ## Threat Actors in the Russian-Ukrainian Conflict Since the rapid escalation of the conflict in 2022, security researchers and analysts have been gathering information regarding the adversarial groups, malware, techniques, and types of attacks implemented [1, 5, 6]. Some of the groups and malware related to the conflict are described in Table 1: **Threat Actor** **Malware** **Location** Gamaredon [7] Pteranodon [8] Crimea Sandworm [9] CyclopsBlink [10] Russia WizardSpider [11] Cobalt Strike [12], Emotet [13], Conti [14], Ryuk [15], Trickbot [16] Russia Table 1: Threat actors and their relations ## Gamaredon ----- Gamaredon group, also known as Primitive Bear, Shuckworm and ACTINIUM, is an advanced persistent threat (APT) based in Russia. Their activities can be traced back as early as 2013, prior to Russia’s annexation of the Crimean Peninsula. They are known to target state institutions of Ukraine and western government entities located in Ukraine. Ukrainian officials attribute them to Russian Federal Security Service, also known as FSB [17]. Gamaredon often leverages malicious office files, distributed through spear phishing as the first stage of their attacks. They are known to use a PowerShell beacon called PowerPunch to download and execute malware for ensuing stages of attacks. Pterodo and QuietSieve are popular malware families that they deploy for stealing information and various actions on objective [18]. We were able to collect network IoC’s related to Gamaredon infrastructure. During our initial analysis, most of the indicators were not attributed directly to any specific malware and they were rather listed as part of Gamaredon’s infrastructure. Therefore, we wanted to analyze their infrastructure to understand their arsenal and deployment in greater detail. ## Network Infrastructure The first part of this research is focused on WHOIS record analysis. We observed that Gamaredon domains were dominantly registered by REG[.]RU. Creation dates are going back as early as February 2019 and have a changing pattern for the registrant email. Until August 2020, we observed that message-yandex.ru@mail[.]ru was the main registrant email. Later, it shifted to macrobit@inbox[.]ru, mixed with the occasional usage of message-yandex.ru@mail[.]ru and tank-bank15@yandex[.]ru. Domain creation dates in some of the WHOIS records are as recent as March 2022. Other than WHOIS information, the domains we observed that were related to Gamaredon campaigns had a distinguishing naming convention. While dataset consisted of domain names (without TLDs) varying between 4 to 16 characters, 70% percent of them were between 7 to 10 characters. Combined with a limited group of top-level domains (TLDs) used (see Table 2), this leads us to a naming pattern for further attribution. Additionally, the usage of TLDs on domain creation seems to be rotating. **TLD** **Distribution** **TLD Usage** online 42.07% 08/2020-02/2021,02/2022 xyz 29.47% 06/2022-08/2022, 02/2022-03/2022 ru 14.22% 08/2020, 05/2021-02/2022 site 8.94% 07/2020-02/2021 space 2.64% 02/2019-06/2020 Table 2: TLD distribution and time in use In the case of domain resolutions, we aimed to analyze the distribution of autonomous system numbers (ASN) used by resolved IP addresses (see Table 3). Once more, the owner REG[.]RU is leading the list, owning most of the domains. TimeWeb was the second this time, with 28% of the domains we found to be related to Gamaredon activities. Domains having ‘. online’ and ‘.ru’ TLDs are regularly updating their IP resolutions, almost daily. **Owner** **ASN** **Popular Networks** **Distribution** REG.RU, Ltd AS197695 194.67.71.0/24 194.67.112.0/24 194.58.100.0/24 194.58.112.0/24 194.58.92.0/24 89.108.81.0/24 TimeWeb Ltd. AS9123 185.104.114.0/24 188.225.77.0/24 188.225.82.0/24 94.228.120.0/24 94.228.123.0/24 45.93% 28.25% EuroByte LLC AS210079 95.183.12.42/32 10.56% AS-CHOOPA AS20473 139.180.196.149/32 5.08% ----- LLC Baxet AS51659 45.135.134.139/32 91.229.91.124/32 2.23% System Service Ltd. AS50448 109.95.211.0/24 1.82% Table 3: Distribution of IP addresses per ASN and owner ## Tooling After understanding the infrastructure, let’s proceed with their arsenal. We looked at associated file samples for the domains through Umbrella and Virustotal. A sample of the results can be seen below. Referring to a file type, we can see that the Gamaredon group prefers malicious office documents with macros. Also, they are known to use Pterodo, which is a constantly evolving custom backdoor [8, 18]. **Domain** **Hash** **Type** **Malware** acetica[.]online 4c12713ef851e277a66d985f666ac68e73ae21a82d8dcfcedf781c935d640f52 Office Open XML Document arvensis[.]xyz 03220baa1eb0ad80808a682543ba1da0ec5d56bf48391a268ba55ff3ba848d2f Office Open XML Document email-smtp[.]online 404ed6164154e8fb7fdd654050305cf02835d169c75213c5333254119fc51a83 Office Open XML Document gurmou[.]site f9a1d7e896498074f7f3321f1599bd12bdf39222746b756406de4e499afbc86b Office Open XML Document mail-check[.]ru 41b7a58d0d663afcdb45ed2706b5b39e1c772efd9314f6c1d1ac015468ea82f4 Office Open XML Document office360expert[.]online 611e4b4e3fd15a1694a77555d858fced1b66ff106323eed58b11af2ae663a608 Office Open XML Document Groooboor Groooboor Groooboor Groooboor Groooboor Groooboor Macro enabled Word Trojan Macro enabled Word Trojan Macro enabled Word Trojan Macro enabled Word Trojan achilleas[.]xyz f021b79168daef8a6359b0b14c0002316e9a98dc79f0bf27e59c48032ef21c3d Office Open XML Document anisoptera[.]online 8c6a3df1398677c85a6e11982d99a31013486a9c56452b29fc4e3fc8927030ad MS Word Document erythrocephala[.]online 4acfb73e121a49c20423a6d72c75614b438ec53ca6f84173a6a27d52f0466573 Office Open XML Document hamadryas[.]online 9b6d89ad4e35ffca32c4f44b75c9cc5dd080fd4ce00a117999c9ad8e231d4418 Office Open XML Document ----- intumescere[.]online 436d2e6da753648cbf7b6b13f0dc855adf51c014e6a778ce1901f2e69bd16360 MS Word Document limosa[.]online 0b525e66587e564db10bb814495aefb5884d74745297f33503d32b1fec78343f MS Word Document mesant[.]online 936b70e0babe7708eda22055db6021aed965083d5bc18aad36bedca993d1442a MS Word Document sufflari[.]online 13b780800c94410b3d68060030b5ff62e9a320a71c02963603ae65abbf150d36 MS Word Document apusa[.]xyz 23d417cd0d3dc0517adb49b10ef11d53e173ae7b427dbb6a7ddf45180056c029 Win32 DLL Macro enabled Word Trojan Macro enabled Word Trojan Macro enabled Word Trojan Macro enabled Word Trojan Pterodo atlanticos[.]site f5023effc40e6fbb5415bc0bb0aa572a9cf4020dd59b2003a1ad03d356179aa1 VBA Pterodo barbatus[.]online 250bd134a910605b1c4daf212e19b5e1a50eb761a566fffed774b6138e463bbc VBA Pterodo bitsadmin2[.]space cfa58e51ad5ce505480bfc3009fc4f16b900de7b5c78fdd2c6d6c420e0096f6b Win32 EXE bitsadmin3[.]space 9c8def2c9d2478be94fba8f77abd3b361d01b9a37cb866a994e76abeb0bf971f Win32 EXE Pterodo Pterodo bonitol[.]online 3cbe7d544ef4c8ff8e5c1e101dbdf5316d0cfbe32658d8b9209f922309162bcf VBA Pterodo buhse[.]xyz aa566eed1cbb86dab04e170f71213a885832a58737fcab76be63e55f9c60b492 Office Open XML Document calendas[.]ru 17b278045a8814170e06d7532e17b831bede8d968ee1a562ca2e9e9b9634c286 Win32 EXE coagula[.]online c3eb8cf3171aa004ea374db410a810e67b3b1e78382d9090ef9426afde276d0f MS Word Document corolain[.]ru 418aacdb3bbe391a1bcb34050081bd456c3f027892f1a944db4c4a74475d0f82 Win32 EXE gorigan[.]ru 1c7804155248e2596ec9de97e5cddcddbafbb5c6d066d972bad051f81bbde5c4 Win32 EXE gorimana[.]site 90cb5319d7b5bb899b1aa684172942f749755bb998de3a63b2bccb51449d1273 MS Word Document krashand[.]ru 11d6a641f8eeb76ae734951383b39592bc1ad3c543486dcef772c14a260a840a Win32 EXE libellus[.]ru 4943ca6ffef366386b5bdc39ea28ad0f60180a54241cf1bee97637e5e552c9a3 Win32 EXE melitaeas[.]online 55ad79508f6ccd5015f569ce8c8fcad6f10b1aed930be08ba6c36b2ef1a9fac6 Office Open XML Document mullus[.]online 31afda4abdc26d379b848d214c8cbd0b7dc4d62a062723511a98953bebe8cbfc Win32 EXE upload-dt[.]hopto[.]org 4e72fbc5a8c9be5f3ebe56fed9f613cfa5885958c659a2370f0f908703b0fab7 MS Word Document Pterodo Pterodo Pterodo Pterodo Pterodo Pterodo Pterodo Pterodo Pterodo Pterodo Pterodo ----- Table 4: Domains, files (hash and type), and malware name associated to the Gamaredon group After reviewing the behaviors of the associated malicious samples, it is easier to build attribution between the malicious domain and the corresponding sample. IP addresses resolved by the domain are later used to establish raw IP command and control (C2) communication with a distinguishing URL pattern. The following example shows how **1c7804155248e2596ec9de97e5cddcddbafbb5c6d066d972bad051f81bbde5c4 resolves gorigan[.]ru and uses its IP address** to build a C2 URL (http|https/). Therefore, DNS and outgoing web traffic is crucial for its detection. Figure 1: IP address resolutions of gorigan[.]ru Figure 2: URL connections to resolved IP addresses (source: Virustotal) ## Detecting Gamaredon Activity with Global Threat Alerts In Cisco Global Threat Alerts, we are tracking the Gamaredon group under the Gamaredon Activity threat object. The threat description is enriched with MITRE references (see Figure 3). ----- Figure 3: Threat description of Gamaredon activity, including MITRE techniques and tactics (source: Cisco Global Threat Alerts) Figure 4 shows a detection sample of Gamaredon activity. Observe that the infected device attempted to communicate with the domains alacritas[.]ru, goloser[.]ru, and libellus[.]ru, which seemed to be sinkholed to the OpenDNS IP address of 146.112.61. [.]107. Figure 4: Gamaredon group detection example (source: Cisco Global Threat Alerts) ## Conclusion We’ve walked through the steps of producing intelligence from information we’ve collected. We began our analysis with an unattributed list of network IoC’s and were able to identify unique patterns in their metadata. Then, we pivoted to endpoint IoC’s and attributed domains to malware families. Next, we showed how we turned it into a detection of the Gamaredon group displayed in the Cisco Global Threat Alerts portal. For your convenience, here’s a summary of the intelligence we developed in this blog post: **Aliases** Primitive Bear, Shuckworm, ACTINIUM **Type** Threat Actor **Originating From** Russia **Targets** Ukranian State Organizations **Malware used** Pterodo, Groooboor **File Type** Macro enabled office files, Win32 Exe, VBA **TLD’s used** .online, .xyz, .ru, .site, .space **ASN’s used** REG.RU, Ltd, TimeWeb Ltd., EuroByte LLC, AS-CHOOPA, LLC Baxet, System Service Ltd. ## References [1] Cyber Group Tracker: [https://cyberknow.medium.com/update-10-2022-russia-ukraine-war-cyber-group-tracker-march-20-](https://cyberknow.medium.com/update-10-2022-russia-ukraine-war-cyber-group-tracker-march-20-d667afd5afff) d667afd5afff [2] Conti ransomware’s internal chats leaked after siding with Russia: https://www.bleepingcomputer.com/news/security/contiransomwares-internal-chats-leaked-after-siding-with-russia/ [3] Hackers sound call to arms with digital weapon aimed at Russian websites: https://cybernews.com/news/hackers-sound-callto-arms-with-digital-weapon-aimed-at-russian-websites/ [4] Threat advisory: Cybercriminals compromise users with malware disguised as pro-Ukraine cyber tools: [https://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.html](https://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.html) [[5] Ukraine-Cyber-Operations: https://github.com/curated-intel/Ukraine-Cyber-Operations](https://github.com/curated-intel/Ukraine-Cyber-Operations) [6] What You Need to Know About Russian Cyber Escalation in Ukraine: https://socradar.io/what-you-need-to-know-about-russiancyber-escalation-in-ukraine/ [7] Gamaredon: [https://attack.mitre.org/groups/G0047/](https://attack.mitre.org/groups/G0047/) [[8] Pteranodon: https://attack.mitre.org/software/S0147/](https://attack.mitre.org/software/S0147/) ----- [9] Sandworm: [https://attack.mitre.org/groups/G0034/](https://attack.mitre.org/groups/G0034/) [[10] Threat Advisory: Cyclops Blink: https://blog.talosintelligence.com/2022/02/threat-advisory-cyclops-blink.html](https://blog.talosintelligence.com/2022/02/threat-advisory-cyclops-blink.html) [[11] Wizard Spider: https://attack.mitre.org/groups/G0102/](https://attack.mitre.org/groups/G0102/) [12] Cobalt Strike: [https://attack.mitre.org/software/S0154](https://attack.mitre.org/software/S0154) [13] Emotet: [https://attack.mitre.org/software/S0367](https://attack.mitre.org/software/S0367) [14] Conti: [https://attack.mitre.org/software/S0575](https://attack.mitre.org/software/S0575) [15] Ryuk: [https://attack.mitre.org/software/S0446](https://attack.mitre.org/software/S0446) [16] TrickBot: [https://attack.mitre.org/software/S0446](https://attack.mitre.org/software/S0446) [17] Technical Report Gamaredon/Armageddon group: [https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf](https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf) [18] ACTINIUM targets Ukrainian organizations: https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainianorganizations/ _We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!_ **Cisco Secure Social Channels** Share: -----