
Saturday, March 8, 2025

Love and Hate Under War: GamaCopy Mimics Russian Gamaredon with Military-Themed Cyberattacks


In the shadow of the ongoing Russia-Ukraine conflict, cyber operations have taken center stage as state-sponsored and independent threat actors exploit geopolitical tensions. One such group, dubbed GamaCopy, has emerged as a mimic of the Russia-linked APT group Gamaredon. Using military-themed bait documents and open-source tooling, GamaCopy has launched targeted attacks on Russian entities while borrowing Gamaredon's tradecraft, a deliberate false-flag approach that muddies attribution.

This article delves into the tactics, techniques, and procedures (TTPs) of GamaCopy, their overlap with Gamaredon, and actionable steps to mitigate such threats.

GamaCopy: A New Player with Familiar Tactics

What is GamaCopy?

GamaCopy, whose activity was first observed in mid-2023, mimics the attack patterns of Gamaredon, a Russia-linked APT group known for targeting Ukraine. The most visible difference is the audience: where Gamaredon primarily uses Ukrainian-language baits, GamaCopy's bait documents are written in Russian and aimed at Russian-speaking targets.

Key Characteristics of GamaCopy Attacks:

  1. Military-Themed Bait: GamaCopy lures targets with documents that purport to describe Russian military facilities and deployments.
  2. 7z Self-Extracting Files: Payloads are delivered as 7z SFX archives, so the victim runs what looks like a document package and the final executable is unpacked and launched silently.
  3. Open-Source Tool Abuse: GamaCopy deploys the legitimate UltraVNC remote desktop tool, renaming the executable OneDrivers.exe so that it passes for a Microsoft OneDrive component in a process list.
  4. False Flag Strategy: By reproducing Gamaredon's TTPs, GamaCopy obscures its own origin and complicates attribution.

Anatomy of a GamaCopy Attack

Step 1: Bait Delivery

Attackers distribute documents purporting to contain classified information about Russian military deployments.

Step 2: Payload Execution

The bait documents are packaged inside 7z self-extracting archives. When the victim runs the archive, the SFX stub unpacks its contents and executes an embedded launcher script; the script is obfuscated to hinder static analysis, and it is this stage that starts the remote-access payload.

Step 3: Remote Control with UltraVNC

The main executable, OneDrivers.exe, is a reconfigured copy of UltraVNC. Instead of waiting for inbound connections, it initiates an outbound connection to the attacker's command-and-control (C2) server on TCP port 443, so that to a port-based firewall rule the session looks like ordinary HTTPS traffic.

Step 4: False Attribution

By imitating Gamaredon's signature methods, in particular the UltraVNC payload and the 7z SFX delivery, GamaCopy invites analysts to attribute the activity to Gamaredon and diverts attention from its true origin.

Attribution Analysis: GamaCopy vs. Gamaredon

  1. Bait Language: Gamaredon predominantly uses Ukrainian-language baits, while GamaCopy's baits are written in Russian and target Russian speakers.
  2. Port Usage: Gamaredon's UltraVNC deployments typically call back on TCP port 5612, whereas GamaCopy's OneDrivers.exe uses TCP port 443.
  3. Code Overlap: The delivery chain is structurally similar, but the launcher script's behavior and the way the payload is executed differ enough to distinguish GamaCopy's samples from Gamaredon's.

Indicators of Compromise (IOCs)

SHA-256 hashes:

  • c9ffc90487ddcb4bb0540ea4e2a1ce040740371bb0f3ad70e36824d486058349
  • a9799ed289b967be92f920616015e58ae6e27defaa48f377d3cd701d0915fe53
  • f583523bba0a3c27e08ebb4404d74924b99537b01af5f35f43c44416f600079e

Command-and-Control Servers:

  • nefteparkstroy.ru:443
  • fmsru.ru:443
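The attack chain above (SFX drop, renamed UltraVNC, outbound callback on 443) and the IOC list translate directly into endpoint hunting logic. The following is an added example written for this article, not code from the original report or from cybercory. It runs a handful of detection rules over Sysmon-style process-creation and network-connection events; the event dicts, hostnames and file paths are constructed for the example, the hashes and C2 hosts are the IOCs listed above, and the UltraVNC original file names and the 7-Zip SFX temp-directory prefix are assumptions noted in the comments.

```python
"""Hunt for GamaCopy-style UltraVNC abuse in Sysmon-like event records (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# IOCs as published in the article (SHA-256 samples and C2 hosts).
IOC_SHA256 = {
    "c9ffc90487ddcb4bb0540ea4e2a1ce040740371bb0f3ad70e36824d486058349",
    "a9799ed289b967be92f920616015e58ae6e27defaa48f377d3cd701d0915fe53",
    "f583523bba0a3c27e08ebb4404d74924b99537b01af5f35f43c44416f600079e",
}
IOC_C2_HOSTS = {"nefteparkstroy.ru", "fmsru.ru"}

# Assumption: UltraVNC binaries carry one of these names in the PE version
# resource (OriginalFileName). A mismatch with the on-disk name means the
# tool was renamed, as with OneDrivers.exe.
VNC_ORIGINAL_NAMES = {"winvnc.exe", "vncviewer.exe"}

# Outbound ports the article associates with each actor's UltraVNC setup.
PORT_PROFILES = {443: "GamaCopy-style (tcp/443)", 5612: "Gamaredon-style (tcp/5612)"}

# Assumption: a 7-Zip SFX module unpacks its payload into a temp folder whose
# name starts with "7z" before running the embedded command.
SFX_TEMP_PREFIX = "7z"


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _parent_dir_name(path: str) -> str:
    parts = path.replace("/", "\\").split("\\")
    return parts[-2].lower() if len(parts) >= 2 else ""


def analyze(events: Iterable[dict]) -> list[Finding]:
    """Apply the rules in event order; network events are attributed using
    the VNC binaries seen in earlier process-creation events on the same host."""
    findings: list[Finding] = []
    vnc_images: set[tuple[str, str]] = set()  # (host, image path) known to be UltraVNC
    for ev in events:
        host, image = ev["host"], ev["image"]
        name = _basename(image)
        if ev["event"] == "process_create":
            orig = ev.get("original_file_name", "").lower()
            if orig in VNC_ORIGINAL_NAMES:
                vnc_images.add((host, image.lower()))
                if name != orig:  # on-disk name disagrees with the PE's own name
                    findings.append(Finding(host, "renamed_vnc", f"{name} is really {orig}"))
            if ev.get("sha256", "").lower() in IOC_SHA256:
                findings.append(Finding(host, "ioc_hash", f"{name} matches a published GamaCopy sample"))
            if "\\temp\\" in image.lower() and _parent_dir_name(image).startswith(SFX_TEMP_PREFIX):
                findings.append(Finding(host, "sfx_temp_launch", f"{name} started from an SFX extraction folder"))
        elif ev["event"] == "network_connect":
            dest, port = ev.get("dest_host", "").lower(), int(ev["dest_port"])
            if dest in IOC_C2_HOSTS:
                findings.append(Finding(host, "ioc_c2", f"{name} -> {dest}:{port}"))
            if (host, image.lower()) in vnc_images and port in PORT_PROFILES:
                findings.append(Finding(host, "vnc_outbound", f"{name} -> {dest}:{port} {PORT_PROFILES[port]}"))
    return findings


def rules_by_host(findings: Iterable[Finding]) -> dict[str, list[str]]:
    """Collapse findings into {host: sorted rule names} for triage."""
    out: dict[str, set[str]] = {}
    for f in findings:
        out.setdefault(f.host, set()).add(f.rule)
    return {h: sorted(r) for h, r in out.items()}


# Constructed sample telemetry: one GamaCopy-like chain (WS01), one plainly named
# UltraVNC calling back on Gamaredon's port (WS02), and benign OneDrive (WS03).
SAMPLE_EVENTS = [
    {"event": "process_create", "host": "WS01",
     "image": r"C:\Users\u\AppData\Local\Temp\7zS4F1A.tmp\OneDrivers.exe",
     "original_file_name": "winvnc.exe",
     "sha256": "c9ffc90487ddcb4bb0540ea4e2a1ce040740371bb0f3ad70e36824d486058349"},
    {"event": "network_connect", "host": "WS01",
     "image": r"C:\Users\u\AppData\Local\Temp\7zS4F1A.tmp\OneDrivers.exe",
     "dest_host": "nefteparkstroy.ru", "dest_port": 443},
    {"event": "process_create", "host": "WS02", "image": r"C:\Tools\winvnc.exe",
     "original_file_name": "winvnc.exe", "sha256": "00" * 32},
    {"event": "network_connect", "host": "WS02", "image": r"C:\Tools\winvnc.exe",
     "dest_host": "203.0.113.10", "dest_port": 5612},
    {"event": "process_create", "host": "WS03",
     "image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "original_file_name": "OneDrive.exe", "sha256": "11" * 32},
    {"event": "network_connect", "host": "WS03",
     "image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "dest_host": "onedrive.live.com", "dest_port": 443},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.host:5} {f.rule:16} {f.detail}")
```

The renamed_vnc and sfx_temp_launch rules are the durable ones: hashes and domains rotate between campaigns, but a binary whose OriginalFileName says winvnc.exe while it sits on disk as OneDrivers.exe, launched from an SFX scratch folder, is the tradecraft itself. The port profile is only a hint; treat it as an attribution clue, not a verdict.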

10 Best Practices to Prevent Similar Cyber Threats

  1. Regularly Update Software: Keep operating systems and applications patched. This campaign relies on social engineering and a legitimate tool rather than an exploit, so patching is necessary but not sufficient on its own.
  2. Strengthen Email Security: Use advanced spam filtering and anti-phishing controls, and block or quarantine executable attachments, including self-extracting archives.
  3. Educate Staff: Train employees to recognize phishing attempts and to treat "classified" or military-themed documents that arrive as executables with suspicion.
  4. Restrict Access: Limit access to critical systems with role-based permissions and IP allowlisting.
  5. Monitor Network Traffic: Deploy intrusion detection systems (IDS) and alert on outbound VNC sessions, including those on port 443, from hosts that have no business running remote-access software.
  6. Audit System Logs: Regularly review process-creation and network logs for unauthorized access, in particular for processes started from temporary extraction folders.
  7. Leverage Threat Intelligence: Subscribe to threat feeds and load the published IOCs into your detection tooling.
  8. Use Multi-Factor Authentication (MFA): Add an extra layer of protection to critical accounts.
  9. Deploy Endpoint Protection and Application Control: Detect malware before it executes and flag remote-access tools such as UltraVNC, especially where the on-disk name (OneDrivers.exe) does not match the binary's original file name.
  10. Perform Penetration Testing: Regularly assess your systems, including how well your controls catch living-off-the-land remote-access tools.

Conclusion

The rise of GamaCopy underscores the evolving nature of cyber warfare, in which mimicry and deception are used to obscure attribution. By turning Gamaredon's TTPs against Russian targets, GamaCopy exploits the fog of war to further its objectives.

For cybersecurity professionals, the takeaway is clear: vigilance and proactive defenses are paramount, and attribution based on tooling alone is unreliable when actors deliberately copy each other. Organizations must stay informed, adopt robust security measures, and collaborate globally to mitigate such threats.


Ouaissou DEMBELE (http://cybercory.com)
Ouaissou DEMBELE is an accomplished cybersecurity professional and the Editor-In-Chief of cybercory.com. He has over 10 years of experience in the field, with a particular focus on Ethical Hacking, Data Security & GRC. Currently, Ouaissou serves as the Co-founder & Chief Information Security Officer (CISO) at Saintynet, a leading provider of IT solutions and services. In this role, he is responsible for managing the company's cybersecurity strategy, ensuring compliance with relevant regulations, and identifying and mitigating potential threats, as well as helping the company's customers build a better, long-term cybersecurity strategy. Prior to his work at Saintynet, Ouaissou held various positions in the IT industry, including as a consultant. He has also served as a speaker and trainer at industry conferences and events, sharing his expertise and insights with fellow professionals. Ouaissou holds a number of certifications in cybersecurity, including Cisco Certified Network Professional - Security (CCNP Security), Certified Ethical Hacker (CEH) and ITIL. With his wealth of experience and knowledge, Ouaissou is a valuable member of the cybercory team and a trusted advisor to clients seeking to enhance their cybersecurity posture.
