Gamaredon Group Exploits Infected Drives to Undermine Western Military Operations in Ukraine

September 7, 2021.
Method of Attack: Infected Removable Drives
According to the team's comprehensive investigation, Gamaredon has further escalated its cyber warfare capabilities by infecting removable drives.
The threat actor used this method to bypass most traditional network defenses, exploiting human error and weak links in physical security.
Upon insertion, the infected removable drives deliver a PowerShell script.
The script verifies whether the device is connected to the targeted network.
Once that check passes, the script launches the delivery process for the GammaSteel malware.
New Variant of GammaSteel
GammaSteel, a .NET RAT (remote access trojan), has seen an evolution in its arsenal.
The malware now leverages the Background Intelligent Transfer Service (BITS) to maintain persistence and for command and control purposes.
BITS is a legitimate Windows component commonly used to transfer files, which lets GammaSteel's traffic blend in with normal activity and get around firewalls and network defenses.
Implications of the Breach
The consequences of the breach are far-reaching and worryingly effective.
Not only does GammaSteel allow for file uploads and downloads, it is also equipped to run arbitrary commands on the compromised systems and to capture screenshots: a fierce set of tools for espionage.
Remediation and Protection
The Symantec team advises network and cybersecurity professionals to educate employees about the risks of using unknown removable drives and to continually update and strengthen network defenses.
In response to this attack, Symantec's Threat Hunter team has updated its protection services to provide coverage against GammaSteel.
Enterprises should also consider incorporating Endpoint Detection and Response (EDR) solutions to identify and mitigate these types of attacks.
EDR solutions analyze endpoint data and look for indicators of compromise (IoCs) in order to respond to threats in real time.
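The BITS abuse described under "New Variant of GammaSteel" and the IoC-driven endpoint analysis just mentioned, as an added example that is not from the article or from Symantec: a Python triage routine that flags BITS jobs created by scripting hosts, pointed at untrusted hosts, or carrying a completion command. The TRUSTED_HOSTS allowlist, the job-record schema and the sample jobs are assumptions constructed for this example; a real deployment would populate the records from the Bits-Client operational event log or EDR telemetry.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Hosts that legitimately receive BITS traffic in this (hypothetical) estate.
TRUSTED_HOSTS = {"download.windowsupdate.com", "updates.example-corp.internal"}

# BITS jobs are normally created by svchost/Windows Update; a job created by a
# scripting host is unusual and, given the PowerShell stage above, worth a look.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class BitsJob:
    """One BITS job from endpoint telemetry (constructed schema, not real log fields)."""
    name: str
    owner: str
    creator: str              # image name of the process that created the job
    url: str                  # remote URL of the first file in the job
    notify_cmdline: str = ""  # program BITS runs when the job finishes, if any


def flag_job(job: BitsJob) -> list[str]:
    """Return the reasons a job looks suspicious; an empty list means clean."""
    reasons = []
    host = (urlparse(job.url).hostname or "").lower()
    if host not in TRUSTED_HOSTS:
        reasons.append(f"transfer to untrusted host {host!r}")
    if job.creator.lower() in SCRIPT_HOSTS:
        reasons.append(f"job created by scripting host {job.creator}")
    if job.notify_cmdline:
        # A completion command turns a download job into an execution and
        # persistence mechanism: the BITS service itself launches the program.
        reasons.append("completion command set: " + job.notify_cmdline)
    return reasons


def triage(jobs: list[BitsJob]) -> dict[str, str]:
    """Map suspicious job names to a severity; two or more reasons is 'high'."""
    result = {}
    for job in jobs:
        reasons = flag_job(job)
        if reasons:
            result[job.name] = "high" if len(reasons) >= 2 else "low"
    return result


# Constructed sample telemetry: a benign Windows Update job, an admin's
# Start-BitsTransfer download, and a job shaped like the abuse described above.
SAMPLE_JOBS = [
    BitsJob("WU-Client", r"NT AUTHORITY\SYSTEM", "svchost.exe",
            "https://download.windowsupdate.com/d/msdownload/update.cab"),
    BitsJob("AdminPull", r"CORP\itadmin", "powershell.exe",
            "https://updates.example-corp.internal/agent.msi"),
    BitsJob("Update Job", r"CORP\jdoe", "powershell.exe", "http://203.0.113.10/update.dat",
            notify_cmdline=r"C:\Users\jdoe\AppData\Local\Temp\update.dat"),
]
```

Running `triage(SAMPLE_JOBS)` rates the admin's download "low" (only the scripting-host signal) and the third job "high", which is the kind of ranking an EDR rule would surface for analyst follow-up.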
Conclusion
Events like these remind us of the necessity of constant vigilance and continuous improvement of our cybersecurity defenses.
The constantly evolving threat landscape requires innovative responses that address not just digital, but also physical security concerns.