The Microsoft Threat Intelligence Center (MSTIC) recently published on the Microsoft Security blog its report on ACTINIUM, a threat group that has been targeting Ukrainian organizations for almost a decade.
"As with any observed nation-state actor activity, Microsoft directly notifies customers of online services that have been targeted or compromised, providing them with the information they need to secure their accounts," reads the MSTIC post.
The group has persistently sought access to organizations in Ukraine and to entities involved in Ukrainian affairs. MSTIC previously tracked this activity as DEV-0157; the group is more widely known as Gamaredon.
What is Gamaredon/ACTINIUM?
The research focuses on the group's activity over the last six months and details which tools the threat actors use and how they deploy them. According to MSTIC's observations, the group appears to operate from the Russian-occupied Crimean peninsula. The Ukrainian government has publicly stated that the Russian Federal Security Service (FSB) is behind the group's activity.
ACTINIUM has targeted organizations in Ukraine including the military, government, non-governmental organizations (NGOs), law enforcement, the judiciary and many non-profit organizations. The group's primary aim is to exfiltrate sensitive information while maintaining access to the compromised organizations and to related ones. Microsoft has shared the information in the report with Ukrainian authorities.
Since October 2021 ACTINIUM has targeted or compromised accounts at numerous organizations critical to emergency response and to the security of Ukrainian territory. The threat actors also target organizations that would provide humanitarian and international aid to Ukraine in a crisis.
MSTIC says this activity is distinct from the previously reported malware attacks attributed to DEV-0586. The team observed that the group's activity relates only to organizations within Ukraine, and it has not seen the group exploit unpatched vulnerabilities in Microsoft products and services.
MSTIC also notes that Gamaredon/ACTINIUM's tactics are constantly evolving, so the techniques described in the blog do not cover the full scope of this group's attacks; they are only some of the most consistent and notable observations.
Gamaredon/ACTINIUM activity description
One method the group uses for initial access is spear phishing of targeted victims. The emails carry attachments with malicious macros that in turn rely on remote templates.
Remote template injection makes a document load a remote document template that carries the malicious code, in this case the macros. The attachment itself contains no macro; the malicious content is fetched only when the document is opened, which is the moment the threat actors want it to run.
This also helps the attackers evade systems that scan attachments for malicious content at delivery time, since there is nothing malicious in the file to find. Hosting the macros remotely further lets the attackers control when and how the malicious component is delivered, because the template server decides what, if anything, is returned at open time, which again hinders detection.
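The package structure the technique relies on can be checked directly. The following is an added example, not code from the MSTIC report: it inspects a .docx for an attached template with an external target, the relationship Word resolves at open time. The sample document it builds and the URL http://203.0.113.5/lure.dotm are constructed for the demonstration.

```python
# Added example, not code from the MSTIC report: flag a .docx whose settings
# relationships point at an external attached template, which is the package
# structure remote template injection relies on. The sample document and the
# URL http://203.0.113.5/lure.dotm are constructed for this demonstration.
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_RELS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
ATTACHED_TEMPLATE_TYPE = OFFICE_RELS + "/attachedTemplate"
WORD_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def find_remote_templates(docx_bytes):
    """Return external attachedTemplate targets found in any .rels part.

    When Word opens a document it resolves word/_rels/settings.xml.rels; a
    relationship of type attachedTemplate with TargetMode="External" makes
    Word fetch that URL and apply the template, macros included. The
    attachment itself can therefore be macro-free and still execute code.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue  # only relationship parts carry targets
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE_TYPE
                        and rel.get("TargetMode") == "External"):
                    hits.append(rel.get("Target"))
    return hits


def build_sample_docx(template_target=None):
    """Build a minimal, constructed .docx in memory.

    With template_target set, the package carries an external attached
    template the way a remote-template lure does; word/document.xml and
    word/settings.xml themselves contain no macro at all.
    """
    content_types = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/></Types>'
    )
    document = f'<w:document xmlns:w="{WORD_NS}"><w:body><w:p/></w:body></w:document>'
    settings = (
        f'<w:settings xmlns:w="{WORD_NS}" xmlns:r="{OFFICE_RELS}">'
        + ('<w:attachedTemplate r:id="rId1"/>' if template_target else "")
        + "</w:settings>"
    )
    settings_rels = f'<Relationships xmlns="{RELS_NS}"></Relationships>'
    if template_target:
        settings_rels = (
            f'<Relationships xmlns="{RELS_NS}">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_TYPE}" '
            f'Target="{template_target}" TargetMode="External"/></Relationships>'
        )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", document)
        z.writestr("word/settings.xml", settings)
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample_docx()
    lure = build_sample_docx("http://203.0.113.5/lure.dotm")
    print("clean document:", find_remote_templates(clean))  # []
    print("lure document: ", find_remote_templates(lure))   # ['http://203.0.113.5/lure.dotm']
```

The check scans every .rels part rather than only settings.xml.rels, so a relationship placed elsewhere in the package is caught as well. For documents from untrusted senders, parse the XML with defusedxml instead of the standard-library ElementTree used here, which is not hardened against entity-expansion attacks; the relationship logic is unchanged.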
MSTIC observed that the group disguises its malicious emails as messages from legitimate organizations; in some of the examples provided, the emails purported to come from the World Health Organization.
In addition to the macros, the group uses web bugs (tracking pixels) to learn when a message has been opened and rendered. These are not malicious by themselves, but their presence can be a hint that the email is. The Gamaredon/ACTINIUM macro attachments contain a first-stage payload that downloads and executes further payloads.
It was not clear to MSTIC why some cases involved multiple subsequent stages. One hypothesis is that staging keeps the fully featured malicious capability away from detection systems until it is actually needed, making it less likely to be caught.
Threat group maintains persistence and gathers intelligence
MSTIC concluded that the main purpose of the activity is monitoring and gathering sensitive information from the accessed networks. The group first deploys interactive access tools; the best known and most fully featured of these is "Pterodo".
Another is UltraVNC, a legitimate and fully featured open-source remote desktop application that lets the group interact with a target host directly. Because it is a legitimate tool rather than a custom binary, it is less likely to be flagged or removed by security products.
After gaining interactive access to the target network, the group deploys a wide variety of malware. MSTIC analyzed the samples and grouped them into the following families: Pterodo, PowerPunch, ObfuMerry, ObfuBery, DilongTrash, DesertDown, DinoTrain and QuietSieve.
What are the signs of Gamaredon/ACTINIUM presence?
For Microsoft customers, the team listed security alerts that may indicate this group's activity.
Email-related alerts include:
- Malware was not zapped because ZAP (Zero-hour Auto Purge) is disabled;
- Detected and blocked malware campaign;
- Detected malware campaign after delivery;
- Reported by user as malware or phish email;
- Removed after delivery email message;
- Removed after delivery email message that contained malware;
- Removed after delivery email message that contained malicious file.
These alerts can indicate activity associated with this group, but they are not specific to Gamaredon/ACTINIUM. MSTIC lists them because, given the severity of the group's activity, any of them should be investigated promptly.
Alerts in the security center that may also point to this group's activity include:
- Suspicious process transferring data to an external network;
- Staging of sensitive data;
- Suspicious screen capture activity;
- An uncommon file created and added to a Run key;
- An anomalous scheduled task created;
- An anomalous dynamic-link library loaded;
- An anomalous process executing an encoded command.
The list also includes several alerts for suspicious file execution.
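Two of the alert categories above, an uncommon file added to a Run key and a process executing an encoded command, can be approximated with simple heuristics. The following is an added example and not MSTIC's or Microsoft's own detection logic: it runs those two checks over a handful of constructed registry and process-creation events. The paths, value names, the list of user-writable directories and the encoded script are all made up for the demonstration.

```python
# Added example, not MSTIC's detection logic: two of the alert categories
# listed above, an uncommon file added to a Run key and a process executing
# an encoded command, as simple heuristics over constructed event records.
# Paths, value names and the encoded script are all made up for the demo.
import base64
import re

# Run keys evaluated at logon; a value here is the classic persistence spot.
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")

# Path fragments a standard user can write to (assumed list for the demo).
# A Run value pointing here is far more suspicious than one under Program Files.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\")

# PowerShell accepts -EncodedCommand and its unambiguous prefixes (-e, -ec,
# -enc ...), with / as well as -; the payload is base64 of UTF-16LE text.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)[-/](?:e|ec|enc\w*)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline):
    """Return the decoded PowerShell script carried by an encoded-command flag.

    Returns None when the command line has no such flag, and the raw base64
    argument when the flag is present but the payload does not decode as
    base64 over UTF-16LE (still worth an analyst's look).
    """
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return m.group(1)


def is_suspicious_run_value(event):
    """True for a Run/RunOnce value whose target lives in a user-writable path."""
    key = event["key"].lower()
    data = event["data"].lower()
    return key.endswith(RUN_KEYS) and any(frag in data for frag in USER_WRITABLE)


def triage(events):
    """Return (rule, detail) findings for a list of registry and process events."""
    findings = []
    for ev in events:
        if ev["type"] == "RegistryValueSet" and is_suspicious_run_value(ev):
            findings.append(("run_key_user_writable", ev["data"]))
        elif ev["type"] == "ProcessCreated":
            script = decode_encoded_command(ev["cmdline"])
            if script is not None:
                findings.append(("encoded_command", script))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_SCRIPT = "Start-Process $env:TEMP\\upd.exe -WindowStyle Hidden"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"type": "RegistryValueSet",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDriveUpd",
     "data": r"C:\Users\alice\AppData\Local\Temp\upd.exe"},
    {"type": "RegistryValueSet",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "SecurityHealth",
     "data": r"C:\Program Files\Windows Defender\MSASCuiL.exe"},
    {"type": "ProcessCreated", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + SAMPLE_ENCODED},
    {"type": "ProcessCreated", "image": "powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The second registry event, an installer-style Run value under Program Files, is the obvious benign case the user-writable filter is there to keep out of the alert, and the unencoded PowerShell invocation shows the flag regex ignoring -ExecutionPolicy and -File. Beyond what the page covers, the same two checks map onto the Defender advanced hunting tables DeviceRegistryEvents (RegistryKey, RegistryValueData) and DeviceProcessEvents (ProcessCommandLine); the path list and the flag regex are the parts to tune for a real environment.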