Pulse: Russian-Backed Gamaredon's Spyware Variants
Author: WHITE BITSecurity. Created: 2023-02-02. Modified: 2023-03-04.
173 indicators of compromise (high volume).
"UAC-0010 group's ongoing activity is characterized by a multi-step download approach and executing payloads of the spyware used to maintain control over infected hosts," the SCPC said. "For now, the UAC-0010 group uses GammaLoad and GammaSteel spyware in their campaigns." GammaLoad is VBScript dropper malware engineered to download next-stage VBScript from a remote server. GammaSteel is a PowerShell script capable of conducting reconnaissance and executing additional commands. The attacks are geared more towards espionage and information theft than sabotage, the agency noted. The SCPC also emphasized the "insistent" evolution of the group's tactics, which keeps redeveloping its malware toolset to stay under the radar, and called Gamaredon a "key cyber threat."
Indicators of Compromise (40 / 173 total)