By analyzing thousands of samples, #ESETresearch has conducted a comprehensive technical analysis of the toolset the 🇷🇺Russia-aligned #Gamaredon #APTgroup used in 2022 and 2023 to spy on Ukraine 🇺🇦. welivesecurity.com/en/eset-r… 1/9
Sep 26, 2024 · 9:40 AM UTC
Gamaredon, the most active APT group targeting Ukraine, doesn’t try to be stealthy. Instead it relies on extensive obfuscation, constant switching between C&C servers, and rapid, regular updates of its arsenal with new malware and other tools, as depicted in the image below. 2/9
#Gamaredon’s initial compromise relies on #spearphishing. For lateral movement, custom malware then weaponizes existing and new Word documents and USB drives in the hope that these will be shared with other potential victims. Word docs are weaponized either by #PteroTemplate or #PteroDoc. 3/9
#PteroTemplate weaponizes the default Word template (Normal.dotm) on an already compromised system by injecting a malicious VBA macro into it, thereby weaponizing every new and existing document based on the default template. 4/9
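A check a responder can run for this technique, added here as an example and not ESET's code: a stock Normal.dotm carries no macros, so the presence of a VBA project inside the OOXML package is the simplest indicator that the template has been tampered with in the way just described. The part name `word/vbaProject.bin`, the `application/vnd.ms-office.vbaProject` content type and the default template location are standard Office facts; the sample packages the script builds in memory are constructed for the demo and are not real Gamaredon artifacts.

```python
"""Flag Word templates/documents that carry a VBA project.

Added example, not ESET's code. A stock Normal.dotm (by default under
%APPDATA%\\Microsoft\\Templates on Windows) contains no macros, so the mere
presence of a VBA project part in the OOXML package is the simplest sign that
the template has been weaponized the way the thread describes for PteroTemplate.
"""
import io
import zipfile
from pathlib import Path

MACRO_PART = "word/vbaProject.bin"                          # where Word stores the VBA project
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"  # declared in [Content_Types].xml
WORD_SUFFIXES = {".dotm", ".docm", ".dotx", ".docx"}        # OOXML templates and documents


def has_vba_project(data: bytes) -> bool:
    """Return True if the OOXML package in `data` carries a VBA project.

    Both the part name and the declared content type are checked, so a
    renamed part that is still registered in the package is not missed.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if MACRO_PART in names:
                return True
            if "[Content_Types].xml" in names and VBA_CONTENT_TYPE in zf.read("[Content_Types].xml"):
                return True
    except zipfile.BadZipFile:
        return False  # not an OOXML package (e.g. legacy binary .doc/.dot); out of scope here
    return False


def scan(root: Path) -> list[Path]:
    """Walk `root` and return every Word file that contains a VBA project."""
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in WORD_SUFFIXES and has_vba_project(path.read_bytes()):
            hits.append(path)
    return hits


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML template in memory (sample input for this
    example, not a real Gamaredon artifact)."""
    override = ""
    if with_macro:
        override = ('<Override PartName="/word/vbaProject.bin" '
                    'ContentType="application/vnd.ms-office.vbaProject"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    f"{override}</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # OLE compound-file signature plus filler: enough to stand in for a VBA project
            zf.writestr(MACRO_PART, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        templates = Path(tmp) / "Templates"
        templates.mkdir()
        (templates / "Normal.dotm").write_bytes(build_sample(with_macro=True))
        (templates / "Clean.dotx").write_bytes(build_sample(with_macro=False))
        for hit in scan(Path(tmp)):
            print(f"VBA project present: {hit}")
```

Pointing `scan()` at each user's Templates folder is the quick triage; a hit on Normal.dotm is by itself worth pulling the file for macro analysis, since Word never writes a VBA project into the default template on its own.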
Both #PteroLNK versions repeatedly check for connected USB drives in order to drop LNK files, and in some cases a copy of PteroLNK itself, onto them. The LNK files carry enticing file names (e.g., pornography, mobilization) to tempt potential victims into opening them. 6/9
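The thread says only that these shortcuts carry enticing names; what a responder wants to know about a .lnk found on a USB stick is which program it really starts. The following is an added example, not ESET's code: it parses the fixed MS-SHLLINK header and the StringData fields (display name, relative path, working directory, arguments) and flags links whose target is a script host. The list of script hosts, the "scan the drive root" scope and the in-memory sample link (a "mobilization" decoy that starts wscript.exe with made-up arguments) are this example's own assumptions, not details taken from the white paper.

```python
"""Triage shell-link (.lnk) files of the kind PteroLNK drops on USB drives.

Added example, not ESET's code. Parses the MS-SHLLINK header and StringData so
the real target of a decoy shortcut can be compared with the name shown to the
victim. SCRIPT_HOSTS and the constructed sample are assumptions of this example.
"""
import struct
from pathlib import Path

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# LinkFlags bits 0..7 (MS-SHLLINK 2.1.1)
(HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH,
 HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE) = (1 << i for i in range(8))
# Order in which StringData fields appear when their flag is set
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon"))
# Assumption for this example: launchers a "document" shortcut has no business starting
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe", "rundll32.exe")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link, skipping the ID list and LinkInfo."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data)[0] != HEADER_SIZE or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:                       # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252")
            pos += count
    return fields


def triage(filename: str, data: bytes) -> dict:
    """Judge one LNK: the name shown to the victim versus what it actually runs."""
    fields = parse_lnk(data)
    target = (fields.get("relative_path") or fields.get("working_dir") or "").lower()
    hits = [h for h in SCRIPT_HOSTS if target.endswith(h)]
    return {"file": filename, "target": target, "arguments": fields.get("arguments", ""),
            "suspicious": bool(hits), "reason": f"launches {hits[0]}" if hits else ""}


def scan_drive(root: Path) -> list[dict]:
    """Triage every .lnk in the root of a drive, e.g. Path('E:/') on Windows (widen to rglob if needed)."""
    return [triage(p.name, p.read_bytes()) for p in sorted(root.glob("*.lnk"))]


def build_lnk(relative_path: str, arguments: str, name: str = "", unicode: bool = True) -> bytes:
    """Construct a minimal shell link (sample input for this example, not a real PteroLNK file)."""
    flags = HAS_REL_PATH | HAS_ARGS | (HAS_NAME if name else 0) | (IS_UNICODE if unicode else 0)
    # header: size, CLSID, flags, attributes, 3 timestamps, file size, icon index, SW_SHOWNORMAL, hotkey, 3 reserved
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def s(text: str) -> bytes:
        raw = text.encode("utf-16-le" if unicode else "cp1252")
        return struct.pack("<H", len(text)) + raw

    return header + (s(name) if name else b"") + s(relative_path) + s(arguments)


if __name__ == "__main__":
    # Constructed decoy: named like the lures in the thread, but it starts a script host.
    sample = build_lnk(r"..\Windows\System32\wscript.exe", "//e:vbscript //b lure.txt", name="mobilization")
    print(triage("mobilization.lnk", sample))
```

The parser deliberately stops after StringData; the ExtraData blocks that follow are not needed to answer "what does this start", and skipping the ID list and LinkInfo by their declared sizes keeps it robust against the relative-path-only links a USB dropper typically writes.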
Of the numerous infostealers we discovered, #PteroSig exfiltrates the data that the Signal desktop app stores in an SQLite database, which holds sensitive information such as sent and received messages. Although the database is encrypted, the key needed to decrypt it is stored in a nearby file. 7/9
#PteroGram targets the #Telegram desktop app by exfiltrating files from the directory that holds its encrypted session data. If no local passcode protects the encryption key, an adversary can take over the active Telegram session by feeding the extracted files to another Telegram instance. 8/9
Our comprehensive technical analysis of the #Gamaredon toolset is available in the white paper: web-assets.esetstatic.com/wl…
IoCs can be found in the white paper and also at github.com/eset/malware-ioc/… 9/9