Threat Hunting Rules: Gamaredon Group Behavior

August 17, 2020 · 2 min read

The Gamaredon group appeared in 2013 and at first did not use custom malware, but over time it developed a number of cyber espionage tools, including the Pterodo and EvilGnome malware. In recent months, the group has been actively sending phishing emails with documents containing malicious macros that download a multitude of different malware variants. The Gamaredon group uses very simple tools written in different programming languages that are designed to collect sensitive data on attacked systems and to spread malware across the compromised organization’s network.

Unlike most state-sponsored cyber espionage units, the Gamaredon group does not hesitate to use “noisy” tools that are capable of downloading and deploying additional malware that could be far stealthier. Typically, the threat actor tries to infect as many systems as possible and steal confidential files as quickly as possible before the IT security department detects and responds to the incident. Therefore, quickly discovering the group's tools is critical, and you can use the community threat hunting rule released by Ariel Millahuel to uncover Gamaredon group behavior and stop their activity before sensitive data is exfiltrated: https://tdm.socprime.com/tdm/info/2pyW5Obof5YW/1QlL7HMBSh4W_EKGSZ86/?p=1



The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Carbon Black, Microsoft Defender ATP, Elastic Endpoint

 

MITRE ATT&CK: 

Tactics: Persistence

Techniques: Office Application Startup (T1137)
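The rule itself is not reproduced in this post, so the following is an added example of what hunting for the mapped technique, Office Application Startup (T1137), can look like in practice. It is not the SOC Prime rule and not Gamaredon-specific: it walks a few constructed Sysmon-style file-creation and registry events and flags writes to the Office persistence locations that T1137 covers (the Word STARTUP and Excel XLSTART folders, the Normal.dotm global template, the AddIns folder, and the "Office test" registry key). The event model, the sample events and the helper names (`Event`, `classify`, `hunt`) are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Office persistence locations covered by ATT&CK T1137 (Office Application Startup).
# File paths are lower-cased and normalised to forward slashes before matching.
OFFICE_STARTUP_PATTERNS = [
    (r"/appdata/roaming/microsoft/word/startup/", "Word STARTUP folder"),
    (r"/appdata/roaming/microsoft/excel/xlstart/", "Excel XLSTART folder"),
    (r"/appdata/roaming/microsoft/templates/normal\.dotm$", "Normal.dotm global template"),
    (r"/appdata/roaming/microsoft/addins/", "Office AddIns folder"),
]
# Registry key read by Office at startup; a DLL path stored here is loaded on launch.
OFFICE_TEST_KEY = r"hkcu\software\microsoft\office test\special\perf"


@dataclass
class Event:
    """Minimal Sysmon-like event (assumed shape for this example)."""
    kind: str      # "file_create" or "reg_set"
    process: str   # image name of the process performing the write
    target: str    # file path or registry key written


def classify(event: Event) -> Optional[str]:
    """Return a finding string if the event matches a T1137 persistence location, else None."""
    proc = event.process.lower()
    if event.kind == "reg_set":
        if event.target.lower() == OFFICE_TEST_KEY:
            return f"Office test registry key set by {proc} (T1137)"
        return None
    if event.kind == "file_create":
        path = event.target.replace("\\", "/").lower()
        for pattern, label in OFFICE_STARTUP_PATTERNS:
            if re.search(pattern, path):
                # Word routinely rewrites its own Normal.dotm, so that single case is
                # treated as benign; any other writer to it is still reported.
                if label.startswith("Normal.dotm") and proc == "winword.exe":
                    return None
                return f"{label} written by {proc} (T1137)"
    return None


def hunt(events: List[Event]) -> List[str]:
    """Run classify() over a list of events and return only the findings."""
    return [f for f in (classify(e) for e in events) if f]


# Constructed sample events: two benign, three that should be reported.
SAMPLE_EVENTS = [
    Event("file_create", "winword.exe",
          r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\update.dotm"),
    Event("file_create", "winword.exe",
          r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm"),
    Event("file_create", "wscript.exe",
          r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm"),
    Event("reg_set", "reg.exe",
          r"HKCU\Software\Microsoft\Office test\Special\Perf"),
    Event("file_create", "excel.exe",
          r"C:\Users\alice\Documents\q3.xlsx"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

In a real deployment the same matching would be expressed in the SIEM or EDR query language listed above, with the file-creation and registry-set events coming from the endpoint sensor; the point of the example is the location list and the one benign exception, which is where false positives usually come from.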


Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.
