FSB’s matryoshka #2/3 – Gamaredon’s gifts that keep unpacking – GammaLoad
Gamaredon, a Russia-nexus threat actor, utilizes a multi-stage VBScript loader framework named GammaLoad to establish persistent access and deploy subsequent payloads like GammaSteel. The infection chain leverages Dead Drop Resolvers on legitimate platforms, stores C2 configurations in the Windows Registry, and uses Alternate Data Streams (ADS) combined with Scheduled Tasks for stealthy execution.
Indicators
- domain: dayobtvoyu[.]ru - Hardcoded C2 domain used by GammaLoad Stage 2
- domain: exemption-transportation-kilometers-berkeley[.]trycloudflare[.]com - Cloudflare tunnel domain used as C2
- domain: vids-road-christina-guards[.]trycloudflare[.]com - Cloudflare tunnel domain used as C2
- filename: %TEMP%\:divedz0f - Alternate Data Stream (ADS) used to store the Stage 3 payload
- ip: 144[.]172[.]88[.]24 - C2 IP address resolved from the Telegram DDR
- ip: 172[.]86[.]72[.]243 - Hardcoded C2 IP address written to the WindowsResponby registry value
- ip: 172[.]86[.]76[.]132 - C2 IP address resolved from the Check-Host DDR
- md5: a2c6e01001c62f6198e31a9d603977c6 - GammaLoad Stage 2 VBScript dropper
- md5: bf94f4056627907d86ce1cae8b44c67a - GammaLoad Stage 1 VBScript loader
- md5: d2a6009587b3cb73355c2d1e53d5cdfa - GammaLoad Stage 3 VBScript loader
- url: hxxps://check-host[.]net/ip-info?host=snterval[.]selltosell[.]ru - Check-Host Dead Drop Resolver (DDR) URL
- url: hxxps://insight-sweet-drainage-appreciated[.]trycloudflare[.]com/log/ - C2 endpoint used to fetch the final GammaSteel payload
- url: hxxps://telegram[.]me/s/akatachi - Telegram Dead Drop Resolver (DDR) URL
- url: hxxps://telegram[.]me/s/oberfarir - Telegram Dead Drop Resolver (DDR) used by GammaLoad
- url: hxxps://te[.]legra[.]ph/fxpppscdlw-12-27 - Telegraph Dead Drop Resolver (DDR) URL
- url: hxxps://www[.]az[.]com@sweet[.]csxvl00328[.]workers[.]dev/vehis - Cloudflare Workers C2 URL (the www[.]az[.]com prefix before the @ is URL userinfo; the host actually contacted is the workers[.]dev name)
- url: hxxps://www[.]huaweicloud[.]com@e097[.]yggjf81487[.]workers[.]dev/libertarian - Cloudflare Workers C2 URL (same userinfo trick: the real host is the workers[.]dev name, not huaweicloud[.]com)
What Happened
A Russian state-sponsored hacking group known as Gamaredon is using a complex, multi-step malicious program called GammaLoad to target organizations in Ukraine. This malware hides its communication instructions inside the Windows Registry and uses legitimate services like Telegram and Cloudflare to blend in with normal network traffic. This matters because the malware is designed to be highly stealthy, allowing attackers to maintain long-term access and steal sensitive information. Organizations should monitor for unusual scheduled tasks and unexpected connections to cloud services to detect this threat.
Key Takeaways
- Gamaredon (FSB) continues to target Ukrainian entities using a multi-stage VBScript loader framework called GammaLoad.
- GammaLoad heavily abuses legitimate services like Telegram, Telegraph, and Cloudflare for Dead Drop Resolvers (DDR) and C2.
- The malware stores active C2 configurations in the Windows Registry (HKCU\Console) to maintain resilient communications.
- Persistence is achieved by writing payloads to Alternate Data Streams (ADS) and executing them via Scheduled Tasks.
Affected Systems
- Windows
Attack Chain
The infection begins with a first-stage VBScript loader that fingerprints the host and retrieves a C2 URL from the Windows Registry or via Dead Drop Resolvers on platforms like Telegram. It then fetches a second-stage VBScript dropper, which writes the next payload into an Alternate Data Stream (ADS) in the %TEMP% directory and establishes persistence via a Scheduled Task. This task periodically executes a third-stage VBScript, which spawns a hidden PowerShell process to download, XOR-decrypt, and execute the final GammaSteel payload in-memory.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules, but notes that complete IOC lists and network indicators are available via the Sekoia Intelligence feed.
Detection Engineering Assessment
- EDR Visibility: High. EDR solutions typically have strong visibility into process creation (wscript.exe, powershell.exe), scheduled task creation, and registry modifications.
- Network Visibility: Medium. Connections to Telegram or Cloudflare are visible, but the traffic is HTTPS and blends with legitimate usage, so malicious intent is hard to distinguish without TLS inspection or specific URL/User-Agent monitoring.
- Detection Difficulty: Moderate. The heavy reliance on legitimate services (Telegram, Cloudflare) and in-memory execution complicates detection, but the use of Alternate Data Streams and the specific HKCU\Console registry values provide solid behavioral detection opportunities.
Required Log Sources
- Process Creation (Event ID 4688 / Sysmon 1)
- Registry Events (Sysmon 12, 13, 14)
- Scheduled Task Activity (Event ID 4698)
- File Creation (Sysmon 11)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for wscript.exe executing files from Alternate Data Streams (ADS) within the %TEMP% directory. | Process Creation logs (Sysmon Event ID 1 or Windows Event ID 4688) with command line arguments. | Execution / Persistence | Low |
| Monitor for unusual modifications to HKCU\Console registry keys (HistoryURL, WindowsResponby, CloudURL, IpURL) by script interpreters. | Registry modification logs (Sysmon Event ID 12, 13, 14). | Command and Control | Low |
| Identify scheduled tasks being created with names like '\Windows\ApplicationData\DsSvcCleanup' or executing wscript.exe with ADS paths. | Scheduled Task creation logs (Windows Event ID 4698). | Persistence | Low |
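The three hypotheses above, plus the wscript.exe-to-encoded-PowerShell parent/child pairing listed under Key Behavioral Indicators, as detection logic run over constructed Sysmon and Security events. This is an added example, not code from the report or from Sekoia. The event dictionaries are constructed for it: field names follow Sysmon ProcessCreate (1), RegistryEvent (13) and Security 4698 conventions, while the SID, user name, logon-script path and the placeholder PowerShell script are invented. The ADS check strips the drive colon first so that "C:\" is never mistaken for a stream.

```python
import base64
import re
from typing import Dict, Iterable, List, Optional

# Value names GammaLoad writes under HKCU\Console to cache its active C2 URL (from the report)
C2_VALUE_NAMES = {"HistoryURL", "WindowsResponby", "CloudURL", "IpURL"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
GAMMALOAD_TASK = r"\Windows\ApplicationData\DsSvcCleanup"

_DRIVE = re.compile(r"^[A-Za-z]:")
# an NTFS stream name after a colon, optionally followed by the explicit ::$DATA type suffix
_STREAM = re.compile(r':([^\\/:*?"<>|]+)(?:::\$DATA)?$')


def _args(cmdline: str) -> List[str]:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ads_stream(arg: str) -> Optional[str]:
    r"""Return the stream name if a path argument addresses an alternate data stream.

    The drive colon ("C:") is removed first so only a colon inside the path counts;
    "%TEMP%\:divedz0f" and "C:\Users\...\Temp\:divedz0f" both yield "divedz0f".
    """
    rest = _DRIVE.sub("", arg.strip('"'))
    m = _STREAM.search(rest)
    return m.group(1) if m else None


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """-EncodedCommand carries Base64 of a UTF-16LE script; return the script text."""
    args = _args(cmdline)
    for i, a in enumerate(args[:-1]):
        if a.lower().lstrip("-/") in {"encodedcommand", "enc", "ec", "e"}:
            try:
                return base64.b64decode(args[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def hunt(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Apply the hunting hypotheses to Sysmon (EventID 1, 13) and Security (4698) events."""
    hits: List[Dict[str, object]] = []
    for ev in events:
        eid = ev.get("EventID")
        image = _basename(str(ev.get("Image", "")))
        if eid == 1:  # Sysmon ProcessCreate
            cmd = str(ev.get("CommandLine", ""))
            parent = _basename(str(ev.get("ParentImage", "")))
            if image in {"wscript.exe", "cscript.exe"}:
                streams = [s for s in map(ads_stream, _args(cmd)[1:]) if s]
                if streams:
                    hits.append({"rule": "script_host_exec_ads", "stream": streams[0], "cmd": cmd})
            if image in {"powershell.exe", "pwsh.exe"} and parent in {"wscript.exe", "cscript.exe"}:
                decoded = decode_encoded_command(cmd)
                if decoded is not None:
                    hits.append({"rule": "wscript_spawns_encoded_powershell", "decoded": decoded, "cmd": cmd})
        elif eid == 13:  # Sysmon RegistryEvent: a value was set
            key, _, value = str(ev.get("TargetObject", "")).rpartition("\\")
            if key.lower().endswith("\\console") and value in C2_VALUE_NAMES and image in SCRIPT_HOSTS:
                hits.append({"rule": "console_key_c2_cache", "value": value, "data": ev.get("Details", "")})
        elif eid == 4698:  # Security: a scheduled task was created (TaskContent holds the task XML)
            name = str(ev.get("TaskName", ""))
            xml = str(ev.get("TaskContent", ""))
            cmd_m = re.search(r"<Command>(.*?)</Command>", xml, re.S)
            arg_m = re.search(r"<Arguments>(.*?)</Arguments>", xml, re.S)
            runs_ads = bool(cmd_m and _basename(cmd_m.group(1)) in {"wscript.exe", "cscript.exe"}
                            and arg_m and any(ads_stream(a) for a in _args(arg_m.group(1))))
            if name.lower() == GAMMALOAD_TASK.lower() or runs_ads:
                hits.append({"rule": "gammaload_task_persistence", "task": name, "runs_ads": runs_ads})
    return hits


# Constructed events for this example (SID, user, logon-script path and the placeholder script are invented)
_PLACEHOLDER = base64.b64encode("Write-Output 'placeholder'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'wscript.exe "C:\Users\kb\AppData\Local\Temp\:divedz0f"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -nol -nop -encodedcommand " + _PLACEHOLDER},
    {"EventID": 13, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Console\HistoryURL",
     "Details": "hxxps://insight-sweet-drainage-appreciated[.]trycloudflare[.]com/log/"},
    {"EventID": 4698, "TaskName": GAMMALOAD_TASK,
     "TaskContent": r'<Task><Exec><Command>wscript.exe</Command><Arguments>"%TEMP%\:divedz0f"</Arguments></Exec></Task>'},
    # benign noise: a logon script run by wscript.exe and a user changing console colours
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe \\fs01\netlogon\map.vbs"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Console\ColorTable00", "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

The two benign events fall through all four rules, which is the point of the extra filters: a script host alone is common, a write under HKCU\Console alone is common (console settings live there), and the registry rule only fires when the writer is a script interpreter and the value name is one the report lists. Decoding the -encodedcommand argument at detection time means the analyst sees the downloader script, not a Base64 blob, in the alert.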
Control Gaps
- Lack of SSL/TLS inspection may allow DDR traffic to Telegram/Cloudflare to go unnoticed.
- Standard AV might miss in-memory VBScript execution if AMSI is bypassed or not fully integrated.
Key Behavioral Indicators
- wscript.exe executing an Alternate Data Stream (ADS)
- powershell.exe spawned with -nol -nop -encodedcommand by wscript.exe
- Custom User-Agent strings containing system fingerprint data separated by specific delimiters (e.g., ##, !!, ??, ==)
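The User-Agent indicator above, together with the DDR and Cloudflare Workers URLs from the indicator list, as network-side hunting logic over a constructed proxy log. This is an added example, not code from the report or from Sekoia: the log format, timestamps, source addresses, host name and fingerprint values are invented for it, the report's own URLs are refanged in code, and the three-field threshold for the User-Agent check is this example's choice, not something the report states. It also shows why the two workers[.]dev URLs must have their host taken from after the "@": the part before it is URL userinfo, not the destination.

```python
import re
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

# URLs copied from the report above, defanged exactly as it prints them
REPORT_URLS = [
    "hxxps://telegram[.]me/s/oberfarir",
    "hxxps://telegram[.]me/s/akatachi",
    "hxxps://te[.]legra[.]ph/fxpppscdlw-12-27",
    "hxxps://check-host[.]net/ip-info?host=snterval[.]selltosell[.]ru",
    "hxxps://insight-sweet-drainage-appreciated[.]trycloudflare[.]com/log/",
    "hxxps://www[.]huaweicloud[.]com@e097[.]yggjf81487[.]workers[.]dev/libertarian",
    "hxxps://www[.]az[.]com@sweet[.]csxvl00328[.]workers[.]dev/vehis",
]
DELIMITERS = ("##", "!!", "??", "==")  # the fingerprint separators the report lists


def refang(indicator: str) -> str:
    """Undo the report's defanging so indicators compare against live log data."""
    return indicator.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def effective_host(url: str) -> Optional[str]:
    """The host a client really connects to. Anything before '@' in the authority is
    userinfo (RFC 3986), which is how www.huaweicloud.com@...workers.dev hides its host."""
    return urlparse(url).hostname


KNOWN_HOSTS: Set[str] = {h for h in (effective_host(refang(u)) for u in REPORT_URLS) if h}


def userinfo_masquerade(url: str) -> Optional[str]:
    """Return the userinfo part if it is shaped like a hostname, i.e. a look-alike prefix."""
    user = urlparse(url).username or ""
    return user if re.fullmatch(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", user, re.I) else None


def fingerprint_fields(ua: str) -> Optional[List[str]]:
    """Split a User-Agent on the report's delimiters. Requires at least three fields
    (threshold chosen for this example): a single '==' can occur in a legitimate token."""
    for d in DELIMITERS:
        fields = [f for f in ua.split(d) if f]
        if len(fields) >= 3:
            return fields
    return None


# Constructed proxy log format for this example: <timestamp> <src> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$')
# Constructed sample lines: sources, host name and fingerprint values are invented; URLs are the report's
SAMPLE_LOG = """\
2025-01-07T08:02:11Z 10.0.4.23 GET https://telegram.me/s/oberfarir 200 "DESKTOP-1A2B##Windows 10##c3e4a6##kb"
2025-01-07T08:02:14Z 10.0.4.23 GET https://www.huaweicloud.com@e097.yggjf81487.workers.dev/libertarian 200 "DESKTOP-1A2B!!Windows 10!!c3e4a6"
2025-01-07T08:03:00Z 10.0.4.51 GET https://www.huaweicloud.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
2025-01-07T08:03:31Z 10.0.4.51 GET https://telegram.org/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
"""


def hunt_proxy_log(text: str) -> List[Dict[str, object]]:
    """Flag known DDR/C2 hosts, userinfo host masquerades, and fingerprint-style User-Agents."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url, ua, src = m["url"], m["ua"], m["src"]
        host = effective_host(url) or ""
        if host in KNOWN_HOSTS:
            findings.append({"rule": "known_ddr_or_c2_host", "src": src, "host": host})
        shown_as = userinfo_masquerade(url)
        if shown_as:
            findings.append({"rule": "userinfo_host_masquerade", "src": src, "host": host, "shown_as": shown_as})
        fields = fingerprint_fields(ua)
        if fields:
            findings.append({"rule": "fingerprint_user_agent", "src": src, "host": host, "fields": fields})
    return findings


if __name__ == "__main__":
    for finding in hunt_proxy_log(SAMPLE_LOG):
        print(finding)
```

The browser-looking requests to huaweicloud.com and telegram.org produce nothing, while the userinfo rule catches the workers.dev request even on a proxy that has never seen the report's indicators, because a hostname-shaped username in a URL has no legitimate reason to exist in ordinary web traffic. Both the host match and the masquerade check depend on using the parsed hostname rather than whatever appears first after "https://".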
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Search endpoint telemetry for the specific registry values (HKCU\Console\HistoryURL, WindowsResponby, CloudURL, IpURL) and the ADS path (%TEMP%\:divedz0f) mentioned in the report.
- Block the known C2 domains and IP addresses at the network perimeter.
Infrastructure Hardening
- Consider implementing SSL inspection to gain visibility into traffic directed at legitimate but abused services like Telegram and Cloudflare.
- Evaluate restricting the execution of VBScript and PowerShell on endpoints where they are not strictly required for business operations.
User Protection
- Ensure EDR solutions are configured to monitor and alert on Alternate Data Stream (ADS) creation and execution.
- If applicable, restrict the creation of Scheduled Tasks by standard users.
Security Awareness
- Educate analysts on the concept of Dead Drop Resolvers (DDR) and how threat actors abuse legitimate platforms to host C2 infrastructure.
MITRE ATT&CK Mapping
- T1059.005 - Command and Scripting Interpreter: Visual Basic
- T1059.001 - Command and Scripting Interpreter: PowerShell
- T1564.004 - Hide Artifacts: NTFS File Attributes
- T1053.005 - Scheduled Task/Job: Scheduled Task
- T1112 - Modify Registry
- T1102.001 - Web Service: Dead Drop Resolver
- T1082 - System Information Discovery
- T1132.001 - Data Encoding: Standard Encoding
Additional IOCs
- IPs:
  - 172[.]86[.]76[.]132 - C2 IP address resolved from the Check-Host DDR
  - 144[.]172[.]88[.]24 - C2 IP address resolved from the Telegram DDR
  - 172[.]86[.]72[.]243 - Hardcoded C2 IP address written to the WindowsResponby registry value
- Domains:
  - exemption-transportation-kilometers-berkeley[.]trycloudflare[.]com - Cloudflare tunnel domain used as C2
  - vids-road-christina-guards[.]trycloudflare[.]com - Cloudflare tunnel domain used as C2
- URLs:
  - hxxps://te[.]legra[.]ph/fxpppscdlw-12-27 - Telegraph Dead Drop Resolver (DDR) URL
  - hxxps://telegram[.]me/s/akatachi - Telegram Dead Drop Resolver (DDR) URL
  - hxxps://check-host[.]net/ip-info?host=snterval[.]selltosell[.]ru - Check-Host Dead Drop Resolver (DDR) URL
  - hxxps://www[.]huaweicloud[.]com@e097[.]yggjf81487[.]workers[.]dev/libertarian - Cloudflare Workers C2 URL
  - hxxps://www[.]az[.]com@sweet[.]csxvl00328[.]workers[.]dev/vehis - Cloudflare Workers C2 URL
- Registry values (all under the HKCU\Console key):
  - HKCU\Console\HistoryURL - Caches the active C2 URL
  - HKCU\Console\WindowsResponby - Caches the active C2 URL; the report also notes a hardcoded C2 IP address is written here
  - HKCU\Console\CloudURL - Caches the active C2 URL
  - HKCU\Console\IpURL - Caches the active C2 URL
- Command Lines:
  - wscript.exe "%TEMP%\:divedz0f" - Purpose: execute the payload stored in the Alternate Data Stream via the Scheduled Task | Tools: wscript.exe, Scheduled Tasks | Stage: Persistence
  - powershell.exe -nol -nop -encodedcommand - Purpose: execute the Base64-encoded PowerShell payload | Tools: powershell.exe, WScript.Shell | Stage: Execution
- Other:
  - \Windows\ApplicationData\DsSvcCleanup - Scheduled task name used for persistence