Threat Hunting Rules: Gamaredon Group Behavior

The Gamaredon group appeared in 2013 and at first did not use custom malware, but over time it developed a number of cyber espionage tools, including the Pterodo and EvilGnome malware. In recent months, the group has been actively sending phishing emails with documents containing malicious macros that download a multitude of different malware variants. The Gamaredon group uses very simple tools, written in different programming languages, that are designed to collect sensitive data on attacked systems and to spread malware across the compromised organization’s network.

Unlike most state-sponsored cyber espionage units, the Gamaredon group does not hesitate to use “noisy” tools that are capable of downloading and deploying additional malware that could be far stealthier. Typically, the threat actor tries to infect as many systems as possible and to steal confidential files as quickly as possible before the IT security department detects and responds to the incident. Quickly discovering the group’s tools is therefore critical, and you can use the community threat hunting rule released by Ariel Millahuel to uncover Gamaredon group behavior and stop their activity before sensitive data is exfiltrated: https://tdm.socprime.com/tdm/info/2pyW5Obof5YW/1QlL7HMBSh4W_EKGSZ86/?p=1

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Carbon Black, Microsoft Defender ATP, Elastic Endpoint

MITRE ATT&CK:

Tactics: Persistence

Techniques: Office Application Startup (T1137)

Ready to try out SOC Prime TDM? Sign up for free. Or join the Threat Bounty Program to craft your own content and share it with the TDM community.