GamaCopy mimics the Russian Gamaredon APT and launches attacks against Russian-speaking targets
Recently, the Knownsec 404 Advanced Threat Intelligence Team analyzed an attack campaign targeting Russian-speaking targets. The attackers used military-themed lure documents, 7z self-extracting (SFX) files as payloads, and UltraVNC for remote control, mimicking the tactics, techniques, and procedures (TTPs) of the Russian Gamaredon APT organization. Researchers linked this activity to the APT organization Core Werewolf (also known as Awaken Likho or PseudoGamaredon) and, because it mimics Gamaredon, named it GamaCopy.

GamaCopy has been active since August 2021 and was discovered in June 2023. The organization mainly targets Russia's defense and infrastructure sectors, mimicking Gamaredon's TTPs.
The Knownsec 404 Advanced Threat Intelligence team pointed out in the report: "By tracing the source of the samples, we associate them with the Core Werewolf organization, which has repeatedly attacked Russia. It is well known that there is another interesting pair of APT attack organizations in South Asia, namely SideWinder and SideCopy, which have an intertwined relationship. The discovered attack activity imitates the Gamaredon organization targeting Ukraine, therefore, it can be named GamaCopy."
GamaCopy's attack methods and characteristics
Researchers noted that other security vendors had previously attributed several similar historical samples to the Gamaredon organization: through these successful false-flag operations, GamaCopy misled vendors that did not analyze the samples in depth.
The attack chain starts with a 7-Zip self-extracting (SFX) file that extracts the payloads, including a batch script that installs UltraVNC and displays the lure PDF. The attacker renamed the UltraVNC executable to "OneDrivers.exe" in an attempt to pass it off as Microsoft's OneDrive binary and evade detection.
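The masquerading step described above (a VNC server dropped by an SFX archive and renamed to resemble OneDrive) leaves a signal defenders can check for: the on-disk file name no longer matches the name embedded in the binary's version metadata. The following is an added example, not code from the Knownsec 404 report; it runs a simple detection over constructed process-creation events shaped like Sysmon Event ID 1 records (the fields Image, OriginalFileName, Description and Company are real Sysmon fields; the event values, the vendor string, the extraction path and the original-name list are assumptions made for illustration).

```python
import difflib
import ntpath

# Constructed sample events modelled on Sysmon Event ID 1 (process creation).
# All values are invented for illustration and are not the real metadata of the
# sample in the article.
SAMPLE_EVENTS = [
    {  # the renamed VNC server launched from an SFX extraction directory (constructed)
        "Image": r"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\OneDrivers.exe",
        "OriginalFileName": "winvnc.exe",
        "Description": "VNC server for Win32",
        "Company": "Constructed VNC Vendor",
    },
    {  # a legitimate OneDrive client (constructed)
        "Image": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
        "OriginalFileName": "OneDrive.exe",
        "Description": "Microsoft OneDrive",
        "Company": "Microsoft Corporation",
    },
    {  # an ordinary system binary (constructed)
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "Description": "Windows Command Processor",
        "Company": "Microsoft Corporation",
    },
]

# Original file names that identify VNC components (assumed list, extend as needed).
VNC_ORIGINAL_NAMES = {"winvnc.exe", "vncviewer.exe"}


def looks_like_onedrive(image_name):
    """True when the file name is a close lookalike of the legitimate OneDrive binary name."""
    return difflib.SequenceMatcher(None, image_name, "onedrive.exe").ratio() >= 0.85


def classify(event):
    """Return the list of reasons this event looks like a masquerading remote-access tool."""
    reasons = []
    image_path = event["Image"]
    image_name = ntpath.basename(image_path).lower()
    original = event.get("OriginalFileName", "").lower()
    description = event.get("Description", "").lower()
    company = event.get("Company", "")

    # 1. Name mismatch: the file was renamed after it was built.
    if original and image_name != original:
        reasons.append(f"on-disk name {image_name!r} differs from OriginalFileName {original!r}")

    # 2. The binary identifies itself as a VNC component regardless of its file name.
    if "vnc" in description or original in VNC_ORIGINAL_NAMES:
        reasons.append("binary identifies itself as a VNC component")

    # 3. Lookalike of a Microsoft binary name without a Microsoft publisher string.
    if looks_like_onedrive(image_name) and not company.startswith("Microsoft"):
        reasons.append("file name imitates OneDrive but publisher is not Microsoft")

    # 4. Executed from a temporary SFX extraction directory (assumed path pattern).
    lowered = image_path.lower()
    if "\\temp\\" in lowered and "7zipsfx" in lowered:
        reasons.append("executed from a 7-Zip SFX temporary extraction directory")

    return reasons


def scan(events):
    """Return (file name, reasons) for every event that triggers at least one check."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((ntpath.basename(event["Image"]), reasons))
    return hits


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_EVENTS):
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Only the renamed VNC binary is reported; the genuine OneDrive client passes because its publisher is Microsoft and its name matches its metadata. In a real deployment the same four checks map directly onto a Sysmon or EDR query, and the name-mismatch check alone is a cheap, generic indicator for any tool renamed to blend in with a trusted vendor's binaries.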
The lure documents used in the GamaCopy attacks mainly revolve around military facilities, reflecting the theme of the Russia-Ukraine conflict. However, unlike Gamaredon's use of Ukrainian language lures, GamaCopy targets Russian users.
Researchers' assessment of GamaCopy
The report concludes: "From the perspective of code similarity, language use in lure documents, and port assets, it is more inclined to attribute the discovered attack samples to the GamaCopy organization. Since its exposure, this organization has frequently mimicked the TTPs of the Gamaredon organization and cleverly used open-source tools as cover, confusing the public while achieving its own goals."
The Knownsec 404 team also released indicators of compromise (IoCs) for this attack activity.
Reference source:
GamaCopy targets Russia mimicking Russia-linked Gamaredon APT
