VRad

#Gamaredon_2x0820

Aug 25th, 2020 (edited)
#IOC #OptiData #VR #Gamaredon #templateinjection #OOXML #VBA

https://pastebin.com/HUKPF31d

previous_contact:
18/11/19 https://pastebin.com/Vhb4KF5L

FAQ:
https://radetskiy.wordpress.com/2019/11/19/ioc_gamaredon_181119/
https://www.malcrawler.com/russias-gamaredon-group-new-cyber-espionage-campaign-against-ukraine/
https://www.vkremez.com/2019/01/lets-learn-deeper-dive-into-gamaredon.html
https://whotippedmycows.com/gamaredon-targets-ukraine-using-cve-2017-0199/
https://malpedia.caad.fkie.fraunhofer.de/actor/gamaredon_group

attack_vector
--------------
email attach .docx > settings.xml.rels > GET .dot > VBA macro > GET exe (RECON)
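
The settings.xml.rels step of the attack vector above, as an added detection example (not code from the original paste): it opens a .docx as an OOXML zip, reads word/_rels/settings.xml.rels and reports attachedTemplate relationships whose target is remote (http/https or UNC), which is what a template-injection lure looks like before Word fetches the .dot. The sample documents are constructed here, using one of the .dot URLs listed in this paste; remote_templates, build_docx and rels are names chosen for this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
RELS_PART = "word/_rels/settings.xml.rels"

def remote_templates(docx_bytes):
    """Return attachedTemplate targets that point off-host (http(s) or UNC).

    A local file:/// Normal.dotm reference is common and benign.  A remote
    target is the template-injection pattern: Word fetches the .dot on open
    (OPTIONS/HEAD Office Protocol Discovery, then the WebDAV fallback).
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PART not in z.namelist():
            return found
        root = ET.fromstring(z.read(RELS_PART))
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        target = rel.get("Target", "")
        external = rel.get("TargetMode", "Internal").lower() == "external"
        remote = (urlsplit(target).scheme.lower() in ("http", "https")
                  or target.startswith("\\\\"))
        if rel.get("Type") == ATTACHED_TEMPLATE and external and remote:
            found.append(target)
    return found

def build_docx(rels_xml):
    """Constructed minimal .docx stub holding only the part the check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr(RELS_PART, rels_xml)
    return buf.getvalue()

def rels(target, mode):
    """settings.xml.rels part with a single attachedTemplate relationship."""
    return (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            f'Type="{ATTACHED_TEMPLATE}" Target="{target}" TargetMode="{mode}"/>'
            '</Relationships>')

# Constructed samples; the remote URL is one of the .dot templates listed above.
INJECTED = build_docx(rels("http://document.freedynamicdns.org/lib/boot/jknjfk.dot",
                           "External"))
CLEAN = build_docx(rels("file:///C:/Users/user/Templates/Normal.dotm", "External"))
```

Run remote_templates over a mail-gateway quarantine of .docx attachments; a non-empty result is a strong signal even before the remote .dot is ever fetched.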

email_headers
--------------
n/a

IOCs from National Security and Defense Council of Ukraine (RNBO):
https://www.rnbo.gov.ua/ua/Diialnist/4669.html
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

files
--------------
SHA-256 f35a137f830a335a558e11d0521564af6d5098f3553f5b6ae4a12b697ae53ef4
File name Оперативне зведення.docx
File size 28.17 KB (28842 bytes)

SHA-256 4bb156f4503ab179dc2b21c7ccebb09356ed5cffc991ddd2317651d6c899bee6
File name Оперативне зведення.docx [Office Open XML Document]
File size 28.17 KB (28843 bytes)

SHA-256 45445987ba4fe3031f1d1d0b50b85e1f577bc270b8ca711ebd5fff70b82d228c
File name Оперативне зведення.docx [Office Open XML Document]
File size 28.17 KB (28841 bytes)

activity
--------------
PL_SCR http://document.freedynamicdns.org/lib/boot/jknjfk.dot
http://document.freedynamicdns.org/var/backups/JKAdYI.dot
http://document.freedynamicdns.org/www/mail/WVCHiQ.dot

IPs:
--------------
141.8.196.176
141.8.196.56
141.8.192.31

Domains:
--------------
document.freedynamicdns.org
sekuso.freedynamicdns.org

netwrk
--------------
[http]
141.8.192.31 OPTIONS /lib/cache/ Microsoft Office Protocol Discovery
141.8.192.31 HEAD /lib/cache/HzcGQt.dot Microsoft Office Existence Discovery
141.8.192.31 OPTIONS /lib/cache Microsoft-WebDAV-MiniRedir/6.1.7601

IOCs from McAfee Advanced Threat Research (ATR Team):
https://www.mcafee.com/enterprise/en-us/threat-center/advanced-threat-research.html
* * * * * * * * * * * * * * * * * * * * * * * * * * *
Summary:
--------------
The campaign includes OOXML documents with embedded VBA macros, RAR archives with LNK files (VBS files were observed too), as well as RAR archives exploiting CVE-2018-202502.
The initial phishing email and the attached lures download an intermediate reconnaissance payload. After the intermediate reconnaissance step, traditional SFX archives are used and delivered in order to retrieve the final malware family. Sometimes this delivery happens hours after the phishing lure is opened.

So, the campaign uses:
Hosting at Russian providers, with Dynamic DNS domains provided by NO-IP, or domains registered under the .xyz, .website, .site, .space, and .ru top-level domains
Delivery of payloads using self-extracting archives containing batch scripts and other resources

Attention!
Exfiltration of BIOS manufacturer and version, username, computer name, NTFS volume serial number and running network-monitoring processes before the next-stage payloads are sent

IPs:
--------------

Domains:
--------------

Files SHA-256:
--------------

persist
--------------
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\

drop
--------------
%APPDATA%\Microsoft\Windows\FILE.vbs
%USERPROFILE%\Downloads\FILE.vbs

# # #
https://www.virustotal.com/gui/file/f35a137f830a335a558e11d0521564af6d5098f3553f5b6ae4a12b697ae53ef4/details
https://www.virustotal.com/gui/file/4bb156f4503ab179dc2b21c7ccebb09356ed5cffc991ddd2317651d6c899bee6/details
https://www.virustotal.com/gui/file/45445987ba4fe3031f1d1d0b50b85e1f577bc270b8ca711ebd5fff70b82d228c/details


VR
