Ukraine's military and law enforcement sectors are being targeted by the Russian state-backed cyberespionage group Gamaredon, which abuses the Telegram messaging app as part of its attack chain, The Hacker News reports.
Gamaredon, also known as Actinium, Iron Tilden, Armageddon, Primitive Bear, Trident Ursa, Shuckworm, and Winterflounder, has been delivering spear-phishing emails that use Ukrainian government organization documents as lures, according to a report from the BlackBerry Research and Intelligence Team. The lure documents perform remote template injection, and a hard-coded Telegram channel supplies the IP address of the malware-hosting server, from which an information-stealing malware is ultimately retrieved.
"The threat group changes IP addresses dynamically, which makes it even harder to automate analysis through sandbox techniques once the sample has aged out. The fact that the suspect IP addresses change only during Eastern European working hours strongly suggests that the threat actor works from one location, and with all probability belongs to an offensive cyber unit that deploys malicious operations against Ukraine," said BlackBerry.