Gamaredon APT Group Use Covid-19 Lure in Campaigns


By Hiroyuki Kakara and Erina Maruyama


Gamaredon is an advanced persistent threat (APT) group that has been active since 2013. Their campaigns are generally known for targeting Ukrainian government institutions. From late 2019 to February of this year, researchers published several reports on Gamaredon, tracking the group’s activities.


In March, we came across emails carrying malware attachments that used the Gamaredon group’s tactics. Some of these emails used the coronavirus pandemic as a lure to get victims to open the messages and their attachments. The campaigns targeted victims in European countries, among others.


A brief history of Gamaredon


In 2015, researchers from LookingGlass published the first report on Gamaredon. According to that report, the early campaigns used Microsoft Word documents whose metadata, when inspected, showed that the most recent user went by the name Armagedon (a misspelling of “Armageddon”), which became the basis of the group’s name.


The report also described Gamaredon’s political beginnings, particularly its ties to the Ukrainian revolution in 2014. Before the revolution they had targeted Ukrainian government officials, opposition party members, and journalists. They moved on to Ukrainian government institutions after the revolution. In 2018, CERT-UA published an advisory against the malware Pterodo, which the group allegedly used.


The group remained active, with several Gamaredon-related activities reported in February 2020. In March, they were among the threat groups that were identified taking advantage of the coronavirus pandemic to trick targets.


Gamaredon and Covid-19-related cover emails

