Description
[Gamaredon Group](https://attack.mitre.org/groups/G0047) is a suspected Russian cyber espionage threat group that has targeted military, NGO, judiciary, law enforcement, and non-profit organizations in Ukraine since at least 2013. The name [Gamaredon Group](https://attack.mitre.org/groups/G0047) comes from a misspelling of the word "Armageddon", which was detected in the adversary's early campaigns.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: Symantec Shuckworm January 2022)(Citation: Microsoft Actinium February 2022) In November 2021, the Ukrainian government publicly attributed [Gamaredon Group](https://attack.mitre.org/groups/G0047) to Russia's Federal Security Service (FSB) Center 18.(Citation: Bleepingcomputer Gamardeon FSB November 2021)(Citation: Microsoft Actinium February 2022)
Techniques Used (TTPs)
- T1491.001 — Internal Defacement (impact)
- T1583.003 — Virtual Private Server (resource-development)
- T1001 — Data Obfuscation (command-and-control)
- T1534 — Internal Spearphishing (lateral-movement)
- T1047 — Windows Management Instrumentation (execution)
- T1083 — File and Directory Discovery (discovery)
- T1119 — Automated Collection (collection)
- T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
- T1027.004 — Compile After Delivery (defense-evasion)
- T1105 — Ingress Tool Transfer (command-and-control)
- T1021.005 — VNC (lateral-movement)
- T1027.016 — Junk Code Insertion (defense-evasion)
- T1218.011 — Rundll32 (defense-evasion)
- T1566.001 — Spearphishing Attachment (initial-access)
- T1082 — System Information Discovery (discovery)
- T1059.005 — Visual Basic (execution)
- T1113 — Screen Capture (collection)
- T1005 — Data from Local System (collection)
- T1039 — Data from Network Shared Drive (collection)
- T1608.001 — Upload Malware (resource-development)
- T1102.003 — One-Way Communication (command-and-control)
- T1112 — Modify Registry (defense-evasion, persistence)
- T1016.001 — Internet Connection Discovery (discovery)
- T1559.001 — Component Object Model (execution)
- T1562.001 — Disable or Modify Tools (defense-evasion)
- T1025 — Data from Removable Media (collection)
- T1221 — Template Injection (defense-evasion)
- T1140 — Deobfuscate/Decode Files or Information (defense-evasion)
- T1204.001 — Malicious Link (execution)
- T1080 — Taint Shared Content (lateral-movement)
- T1106 — Native API (execution)
- T1561.001 — Disk Content Wipe (impact)
- T1033 — System Owner/User Discovery (discovery)
- T1564.003 — Hidden Window (defense-evasion)
- T1070.004 — File Deletion (defense-evasion)
- T1059.001 — PowerShell (execution)
- T1588.002 — Tool (resource-development)
- T1020 — Automated Exfiltration (exfiltration)
- T1071.001 — Web Protocols (command-and-control)
- T1583.001 — Domains (resource-development)
- T1568.001 — Fast Flux DNS (command-and-control)
- T1120 — Peripheral Device Discovery (discovery)
- T1041 — Exfiltration Over C2 Channel (exfiltration)
- T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
- T1027 — Obfuscated Files or Information (defense-evasion)
- T1057 — Process Discovery (discovery)
- T1027.010 — Command Obfuscation (defense-evasion)
- T1204.002 — Malicious File (execution)
- T1568 — Dynamic Resolution (command-and-control)
- T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
- T1480 — Execution Guardrails (defense-evasion)
- T1059.003 — Windows Command Shell (execution)
- T1218.005 — Mshta (defense-evasion)
- T1137 — Office Application Startup (persistence)
- T1102 — Web Service (command-and-control)
Total TTPs: 55
Malware & Tools
Malware: PowerPunch, Pteranodon, QuietSieve