Ukraine has been facing escalating cyberattacks from Russian state-sponsored hacking group Gamaredon, also known as Shuckworm or Armageddon, since Russia's invasion began six months ago, with the latest wave of attacks reported from July 15 to Aug. 8, according to BleepingComputer.
Gamaredon's latest attacks involved the use of phishing messages with a self-extracting 7-Zip archive that facilitates the retrieval of an XML file that prompts PowerShell info-stealer execution, a report from Symantec revealed. Moreover, the Pterodo and Giddome backdoors retrieved through VBS downloaders have also been leveraged by Gamaredon to enable audio recording, screenshot capturing, and keystroke logging and exfiltration, as well as additional payload execution.
Remote desktop protocol tools AnyDesk and Ammyy Admin have also been launched in the latest campaign, researchers found. The findings follow the disclosure of Ukraine's Computer Emergency Response Team regarding a novel Gamaredon phishing operation involving the use of compromised email accounts for HTM attachment delivery.