"Russian Hackers Target Ukraine with Default Word Template Hijacker"

Analysts tracking cyberattacks against Ukraine report that the notorious Russian state-backed hacking group called Gamaredon is still heavily targeting the country. Gamaredon, also known as Armageddon or Shuckworm, is a group of Russian hackers believed to be part of the FSB's 18th Center of Information Security. Since 2014, the threat group has been targeting Ukraine and is believed to be responsible for thousands of attacks on key public and private entities in the country. Since the Russian invasion in February 2022, it has increased its activity against Ukrainian targets, including phishing attacks and the deployment of novel malware variants.

According to a Symantec report, Gamaredon's activity has continued in the sixth month of the war, with the most recent wave of attacks occurring between July 15 and August 8, 2022. The latest infection vector involves phishing messages containing a self-extracting 7-Zip archive that fetches an XML file from an "xsph.ru" subdomain associated with Gamaredon. The XML file executes a PowerShell information-stealer, of which Symantec discovered several slightly modified variants. Furthermore, the Russian hackers used VBS downloaders to obtain the Pterodo backdoor, one of Gamaredon's trademark tools, as well as the Giddome backdoor in some cases. Adversaries can use these backdoors to record audio using the host's microphone, take screenshots from the desktop, log and exfiltrate keystrokes, or download and execute additional ".exe" and ".dll" payloads. In the most recent campaign, hackers were seen using legitimate Remote Desktop Protocol (RDP) tools.

None of these tactics are novel, emphasizing Gamaredon's lack of sophistication, which the threat group compensates for through persistence and continuous targeting. This article continues to discuss Gamaredon's recent attacks on Ukraine.

Bleeping Computer reports "Russian Hackers Target Ukraine with Default Word Template Hijacker"

Submitted by Anonymous on