A newly identified threat actor, dubbed GamaCopy, has been discovered emulating the tradecraft of the Kremlin-linked Gamaredon hacking group in cyber espionage operations against Russian-speaking entities.
Who Is GamaCopy?
The GamaCopy threat cluster has been linked to another hacking group called Core Werewolf, also known as Awaken Likho or PseudoGamaredon. These actors have shown a consistent pattern of using military-themed documents as lures to deploy UltraVNC, a legitimate open-source remote-access tool, which gives them remote control of compromised systems.
Tactical Mimicry of Gamaredon
According to the Knownsec 404 Advanced Threat Intelligence team, GamaCopy replicates the Tactics, Techniques, and Procedures (TTPs) of the Gamaredon group, which is notorious for its attacks against Ukraine.
A recent report revealed that GamaCopy uses self-extracting (SFX) archives created with 7-Zip to initiate its attack chain. When opened, the archive drops a batch script that installs UltraVNC while opening a decoy PDF, so the victim sees an ordinary document rather than an installer.
To further evade detection, the UltraVNC executable is renamed "OneDrivers.exe," a name chosen to resemble Microsoft's OneDrive client binary closely enough to pass a casual glance at a process list.
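The chain above hinges on what the SFX stub does after extraction, and that is recorded in a small config block that 7-Zip's installer SFX modules (7zS.sfx, 7zSD.sfx) read between the markers `;!@Install@!UTF-8!` and `;!@InstallEnd@!`. The following triage script is an added example, not code from the Knownsec report or from the 7-Zip project: it locates an embedded 7z archive behind a PE stub, pulls out that config, and reports what will be run. The sample bytes are constructed here (a placeholder stub, not a real SFX module), and the flagged settings (`hidcon:`, `GUIMode="2"`) are documented 7-Zip SFX options.

```python
import re
from dataclasses import dataclass, field

# 7z archive signature, as documented in 7-Zip's 7zFormat.txt.
SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"
# Markers delimiting the optional installer config block of 7-Zip's 7zS/7zSD SFX modules.
CFG_START = b";!@Install@!UTF-8!"
CFG_END = b";!@InstallEnd@!"


@dataclass
class SfxTriage:
    is_pe: bool                       # file starts with the MZ header of a Windows executable
    archive_offset: int               # offset of the embedded 7z archive, -1 if none found
    config: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)


def parse_sfx_config(blob: bytes) -> dict:
    """Turn the Key="Value" lines of an SFX installer config into a dict."""
    cfg = {}
    for line in blob.decode("utf-8", errors="replace").splitlines():
        m = re.match(r'^\s*(\w+)="(.*)"\s*$', line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def triage(data: bytes) -> SfxTriage:
    """Classify a file as a 7z-SFX and report what it runs once extraction finishes."""
    t = SfxTriage(is_pe=data[:2] == b"MZ", archive_offset=data.find(SEVEN_ZIP_MAGIC))
    if t.is_pe and t.archive_offset > 0:
        t.findings.append("PE stub with an embedded 7z archive: 7z self-extracting executable")
    start = data.find(CFG_START)
    end = data.find(CFG_END, start) if start != -1 else -1
    if start != -1 and end != -1:
        t.config = parse_sfx_config(data[start + len(CFG_START):end])
    # The installer SFX runs RunProgram (or ExecuteFile) after extracting the archive.
    run = t.config.get("RunProgram") or t.config.get("ExecuteFile") or ""
    low = run.lower()
    if low.startswith("hidcon:"):
        t.findings.append("RunProgram uses the hidcon: prefix, so its console window is hidden")
    if re.search(r"\.(bat|cmd)\b", low) or "cmd /c" in low or "cmd.exe" in low:
        t.findings.append("SFX launches a batch script after extraction: " + run)
    if t.config.get("GUIMode") == "2":
        t.findings.append("GUIMode=2: no extraction dialog is shown to the user")
    return t


# Constructed sample: a stand-in stub (real SFX modules are complete PE files), a config
# block modelled on the chain described in the article, then the start of a 7z archive.
SAMPLE = (
    b"MZ" + b"\x00" * 62 + b"<stub code>"
    + CFG_START
    + b'\r\nTitle="Document"\r\nGUIMode="2"\r\nRunProgram="hidcon:cmd /c install.bat"\r\n'
    + CFG_END + b"\r\n"
    + SEVEN_ZIP_MAGIC + b"\x00\x04" + b"\x00" * 24
)

if __name__ == "__main__":
    t = triage(SAMPLE)
    print("7z archive at offset", t.archive_offset, "config:", t.config)
    for finding in t.findings:
        print("-", finding)
```

On a real sample, run `triage(open(path, "rb").read())`; the extracted `RunProgram` value is usually the quickest way to see the batch script's name before detonating anything, and the archive offset tells you where to carve the 7z payload for `7z l` or `7z x`.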
Overlap With Core Werewolf
GamaCopy's activities share significant overlaps with Core Werewolf campaigns. Key similarities include:
- Use of 7z-SFX files to distribute and execute UltraVNC.
- Using port 443 for the UltraVNC connection back to the attacker's server, so the traffic blends in with HTTPS.
- Batch scripts that enable delayed variable expansion (`setlocal EnableDelayedExpansion`), a scripting habit rather than a command in its own right.
This operational overlap underscores the group's strategic use of open-source tools to obfuscate their true intent and confuse attribution efforts.
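The overlapping indicators above are more useful in combination than alone: a OneDrive-looking binary outside the OneDrive install path is a medium-confidence signal, and the same process opening a connection to port 443 is what turns it into an alert. The script below is an added example, not detection content from the report, that applies those two rules to constructed process-creation and network-connection events (Sysmon-style fields, simplified). The OneDrive install directories and the `7ZipSfx.` temp-folder prefix used by 7-Zip's installer SFX are assumptions to verify against your own environment.

```python
import re
from pathlib import PureWindowsPath

# Assumed locations of the real OneDrive client; verify against your own software inventory.
ONEDRIVE_DIRS = (
    r"c:\program files\microsoft onedrive",
    r"\appdata\local\microsoft\onedrive",
)
# Folder-name prefix that 7-Zip's installer SFX modules extract into (assumption; check on your build).
SFX_TEMP_HINT = r"\7zipsfx."
# Names that imitate the OneDrive client: OneDrive.exe, OneDrivers.exe, OneDriveSync.exe, ...
ONEDRIVE_LIKE = re.compile(r"^onedrive[a-z]*\.exe$")


def looks_like_onedrive(image: str) -> bool:
    return bool(ONEDRIVE_LIKE.match(PureWindowsPath(image).name.lower()))


def in_onedrive_dir(image: str) -> bool:
    parent = str(PureWindowsPath(image).parent).lower()
    return any(d in parent for d in ONEDRIVE_DIRS)


def correlate(events: list) -> list:
    """Flag OneDrive-named binaries outside OneDrive paths, then escalate when they talk on port 443.

    Events must be in time order: a process-creation event has to precede its network events.
    """
    alerts = []
    suspicious = {}  # pid -> image path of a masquerading process
    for ev in events:
        if ev["type"] == "process":
            img = ev["image"]
            if looks_like_onedrive(img) and not in_onedrive_dir(img):
                suspicious[ev["pid"]] = img
                why = "OneDrive-like name outside the OneDrive install directories"
                if SFX_TEMP_HINT in img.lower():
                    why += "; running from a 7-Zip SFX extraction folder"
                alerts.append({"severity": "medium", "pid": ev["pid"], "image": img, "reason": why})
        elif ev["type"] == "network":
            if ev["pid"] in suspicious and ev["dest_port"] == 443:
                alerts.append({
                    "severity": "high", "pid": ev["pid"], "image": suspicious[ev["pid"]],
                    "reason": f"masquerading process connected to {ev['dest_ip']}:443 "
                              "(HTTPS port, blends with normal web traffic)",
                })
    return alerts


# Constructed events: one genuine OneDrive client and one renamed binary dropped by an SFX.
# Addresses are from the 203.0.113.0/24 documentation range, not real infrastructure.
EVENTS = [
    {"type": "process", "pid": 1180, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "process", "pid": 4412, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\7ZipSfx.000\OneDrivers.exe"},
    {"type": "network", "pid": 1180, "dest_ip": "203.0.113.10", "dest_port": 443},
    {"type": "network", "pid": 4412, "dest_ip": "203.0.113.77", "dest_port": 443},
]

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert["severity"].upper(), alert["pid"], alert["image"], "-", alert["reason"])
```

The third overlap, delayed variable expansion, is deliberately not a rule here: `setlocal EnableDelayedExpansion` appears in countless benign batch files, so it is worth recording as context on a flagged host but would drown an alert queue on its own.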
Broader Context in Cyber Espionage
The rise of GamaCopy adds to a growing list of threat actors targeting Russian entities amidst the ongoing Russo-Ukrainian conflict. Other groups such as Sticky Werewolf (also known as PhaseShifters), Venture Wolf, and Paper Werewolf have been active in this space, illustrating the complex and evolving cyber threat landscape.
Final Thoughts
GamaCopy shows how a newer espionage actor can borrow a better-known group's tools and tradecraft to reach high-value targets while muddying attribution. For defenders, the practical takeaway is that familiar TTPs are not a reason to relax: the renamed UltraVNC binary, the port choice and the scripting habits are the details that separate imitation from the original, and threat intelligence and detection engineering should track them rather than stop at the resemblance.