Gamaredon Group  (Back to overview)

Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013. In the past, the Gamaredon Group has relied heavily on off-the-shelf tools. Our new research shows the Gamaredon Group have made a shift to custom-developed malware. We believe this shift indicates the Gamaredon Group have improved their technical capabilities.

---

Associated Families

---

References

2020-02-05 ⋅ SentinelOne ⋅ Vitali Kremez @online{kremez:20200205:prorussian:4fab984, author = {Vitali Kremez}, title = {{Pro-Russian CyberSpy Gamaredon Intensifies Ukrainian Security Targeting}}, date = {2020-02-05}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/pro-russian-cyberspy-gamaredon-intensifies-ukrainian-security-targeting/}, language = {English}, urldate = {2020-02-09} } Pro-Russian CyberSpy Gamaredon Intensifies Ukrainian Security Targeting Pteranodon

2019-09-10 ⋅ Github (StrangerealIntel) ⋅ StrangerealIntel @online{strangerealintel:20190910:gamaredon:282777f, author = {StrangerealIntel}, title = {{Gamaredon Analysis}}, date = {2019-09-10}, organization = {Github (StrangerealIntel)}, url = {https://github.com/StrangerealIntel/CyberThreatIntel/tree/master/Russia/APT/Gamaredon}, language = {English}, urldate = {2020-01-09} } Gamaredon Analysis Gamaredon Group

2019-07-17 ⋅ Intezer ⋅ Paul Litvak @online{litvak:20190717:evilgnome:0874eda, author = {Paul Litvak}, title = {{EvilGnome: Rare Malware Spying on Linux Desktop Users}}, date = {2019-07-17}, organization = {Intezer}, url = {https://www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/}, language = {English}, urldate = {2020-01-10} } EvilGnome: Rare Malware Spying on Linux Desktop Users EvilGnome

2019-02-07 ⋅ ThreatStop ⋅ John Bambenek @online{bambenek:20190207:inside:2a18c89, author = {John Bambenek}, title = {{An Inside Look at the Infrastructure Behind the Russian APT Gamaredon Group}}, date = {2019-02-07}, organization = {ThreatStop}, url = {https://blog.threatstop.com/russian-apt-gamaredon-group}, language = {English}, urldate = {2020-01-06} } An Inside Look at the Infrastructure Behind the Russian APT Gamaredon Group Pteranodon

2019-01-07 ⋅ Vitali Kremez @online{kremez:20190107:lets:07f4941, author = {Vitali Kremez}, title = {{Let's Learn: Deeper Dive into Gamaredon Group Pteranodon Implant Version '_512'}}, date = {2019-01-07}, url = {https://www.vkremez.com/2019/01/lets-learn-deeper-dive-into-gamaredon.html}, language = {English}, urldate = {2020-01-07} } Let's Learn: Deeper Dive into Gamaredon Group Pteranodon Implant Version '_512' Pteranodon

2019 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:2019:gamaredon:982ecc4, author = {MITRE ATT&CK}, title = {{Group description: Gamaredon Group}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0047/}, language = {English}, urldate = {2019-12-20} } Group description: Gamaredon Group Gamaredon Group

2018-11-15 ⋅ Cert-UA ⋅ Cert-UA @online{certua:20181115:pterodo:3ed19e5, author = {Cert-UA}, title = {{Виявлена підготовка до проведення кібератаки з використанням ШПЗ типу Pterodo}}, date = {2018-11-15}, organization = {Cert-UA}, url = {https://cert.gov.ua/news/46}, language = {Ukrainian}, urldate = {2020-01-13} } Виявлена підготовка до проведення кібератаки з використанням ШПЗ типу Pterodo Pteranodon

2018-09-03 ⋅ Cert-UA ⋅ Cert-UA @online{certua:20180903:bulk:09fa177, author = {Cert-UA}, title = {{Bulk mailing of spyware like Pterodo}}, date = {2018-09-03}, organization = {Cert-UA}, url = {https://cert.gov.ua/news/42}, language = {Ukrainian}, urldate = {2020-01-08} } Bulk mailing of spyware like Pterodo Pteranodon

2017-02-27 ⋅ Palo Alto Networks Unit 42 ⋅ Anthony Kasza, Dominik Reichel @online{kasza:20170227:gamaredon:a88c3f8, author = {Anthony Kasza and Dominik Reichel}, title = {{The Gamaredon Group Toolset Evolution}}, date = {2017-02-27}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution}, language = {English}, urldate = {2019-12-20} } The Gamaredon Group Toolset Evolution Gamaredon Group

2017-02-27 ⋅ Palo Alto Networks Unit 42 ⋅ Anthony Kasza, Dominik Reichel @online{kasza:20170227:gamaredon:322eb5f, author = {Anthony Kasza and Dominik Reichel}, title = {{The Gamaredon Group Toolset Evolution}}, date = {2017-02-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/}, language = {English}, urldate = {2019-12-20} } The Gamaredon Group Toolset Evolution Pteranodon

2017-02-27 ⋅ Palo Alto Networks Unit 42 ⋅ Anthony Kasza, Dominik Reichel @online{kasza:20170227:gamaredon:3d28d34, author = {Anthony Kasza and Dominik Reichel}, title = {{The Gamaredon Group Toolset Evolution}}, date = {2017-02-27}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution/}, language = {English}, urldate = {2020-01-09} } The Gamaredon Group Toolset Evolution Gamaredon Group

2016-06-25 ⋅ NSHC ⋅ NSHC Threatrecon Team @online{team:20160625:sectorc08:84b8f56, author = {NSHC Threatrecon Team}, title = {{SectorC08: Multi-Layered SFX in Recent Campaigns Target Ukraine}}, date = {2016-06-25}, organization = {NSHC}, url = {https://threatrecon.nshc.net/2019/06/11/sectorc08-multi-layered-sfx-recent-campaigns-target-ukraine/}, language = {English}, urldate = {2020-01-07} } SectorC08: Multi-Layered SFX in Recent Campaigns Target Ukraine Pteranodon

2015-04-28 ⋅ LookingGlass ⋅ LookingGlass @techreport{lookingglass:20150428:operation:68a342f, author = {LookingGlass}, title = {{Operation Armageddon: Cyber Espionage as a Strategic Component of Russian Modern Warfare}}, date = {2015-04-28}, institution = {LookingGlass}, url = {https://www.lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_Final.pdf}, language = {English}, urldate = {2020-01-13} } Operation Armageddon: Cyber Espionage as a Strategic Component of Russian Modern Warfare Gamaredon Group

---

Credits: MISP Project