FSB’s matryoshka #3/3 – Gamaredon’s gifts that keeps unpacking – GammaSteel

What Happened

Russian state-sponsored hackers known as Gamaredon are using a new, highly stealthy data-stealing tool called GammaSteel against Ukrainian targets. This malicious software hides deep inside the computer's registry and constantly watches for new or modified documents on hard drives, network folders, and USB sticks. Once it finds targeted files, it secretly uploads them to legitimate cloud storage services or attacker-controlled servers. Because it hides so well and uses normal system features, it is very difficult to detect. Organizations should monitor for unusual registry modifications and restrict access to unapproved cloud storage platforms.

Key Takeaways

• Gamaredon utilizes a highly obfuscated, fileless stealer named GammaSteel that stages itself in the Windows Registry using DPAPI encryption.
• The malware actively monitors local drives, network shares, and USB devices to exfiltrate documents in real-time.
• Exfiltration relies on legitimate S3-compatible cloud storage (e.g., Tebi.io) with fallback to operator-controlled C2 servers.
• Dead Drop Resolvers (DDRs) like Telegram, Mastodon, and Rentry are heavily abused to dynamically update C2 configurations.
• The fallback C2 channel allows operators to execute arbitrary VBScript on the infected host, acting as a persistent backdoor.

Affected Systems

• Windows operating systems
• Ukrainian government, military, and critical infrastructure networks

Attack Chain

The attack begins with a PowerShell dropper that unpacks and decrypts 71 distinct functions, staging them directly into the HKCU\Printers registry key using Windows DPAPI encryption. A persistence mechanism is established via the Windows Run key to execute an orchestrator function from the registry upon startup. The orchestrator initiates three concurrent data acquisition methods: hourly scans of local/network drives, WMI-based monitoring for newly inserted USB drives, and real-time file surveillance using FileSystemWatcher. Stolen documents are deduplicated locally and exfiltrated to S3-compatible cloud storage (e.g., Tebi.io), with a fallback to hardcoded C2 servers or dynamically resolved infrastructure via Dead Drop Resolvers (DDRs) like Mastodon and Telegram. The fallback C2 channel also allows the operators to execute arbitrary VBScript on the infected host.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

The article does not provide explicit detection rules, but offers behavioral indicators and IOCs for custom rule creation.

Detection Engineering Assessment

EDR Visibility: High — EDR solutions with registry monitoring, process command-line logging, and WMI event subscription visibility can detect the staging and execution phases. Network Visibility: Medium — Network traffic is largely encrypted (HTTPS) and uses legitimate services (S3, Telegram, Mastodon), making payload inspection difficult, though fallback C2s and specific API endpoints can be monitored. Detection Difficulty: Hard — The malware operates almost entirely in memory and the registry, uses DPAPI for encryption, and abuses legitimate cloud services for exfiltration, blending in with normal administrative and user activity.

Required Log Sources

• Process Creation (Event ID 4688 / Sysmon 1)
• Registry Events (Sysmon 12, 13, 14)
• WMI Activity (Event ID 5861)
• File Creation (Sysmon 11)

Hunting Hypotheses

Control Gaps

• Lack of strict egress filtering for cloud storage providers
• Insufficient monitoring of HKCU registry modifications
• Permissive execution policies for VBScript and PowerShell

Key Behavioral Indicators

• PowerShell execution with -nol -nop -enc and -WindowStyle Hidden
• Creation of WMI event subscriptions for __InstanceCreationEvent on Win32_LogicalDisk
• Large encrypted blobs stored in HKCU\Printers subkeys
• Creation of hidden staging directories in %UserProfile% or %ProgramData% named with the first 15 characters of the machine's GUID

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Search endpoint telemetry for the presence of the Global\assembly307 mutex or suspicious subkeys under HKCU\Printers.
• Block access to the known fallback C2 IP addresses and domains (e.g., justsstop.ru, 165.22.170.129).

Infrastructure Hardening

• Evaluate whether access to unapproved cloud storage platforms (e.g., Tebi.io, Wasabi) and DDR platforms (e.g., Telegra.ph, Mastodon) can be restricted at the network perimeter.
• Implement strict PowerShell execution policies and enable Script Block Logging to capture deobfuscated payloads.

User Protection

• If your EDR supports it, monitor and restrict the creation of WMI event subscriptions by non-administrative users.
• Consider disabling or strictly controlling USB mass storage device usage to prevent physical data exfiltration.

Security Awareness

• Educate users on the risks of connecting untrusted USB drives, as they can be used as a vector for data theft in compromised environments.

MITRE ATT&CK Mapping

• T1059.001 - Command and Scripting Interpreter: PowerShell
• T1059.005 - Command and Scripting Interpreter: Visual Basic
• T1112 - Modify Registry
• T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
• T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
• T1027 - Obfuscated Files or Information
• T1140 - Deobfuscate/Decode Files or Information
• T1083 - File and Directory Discovery
• T1119 - Automated Collection
• T1025 - Data from Removable Media
• T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
• T1102.001 - Web Service: Dead Drop Resolver
• T1564.004 - Hide Artifacts: NTFS File Attributes

Additional IOCs

• Ips:
  • 144[.]172[.]84[.]40 - IP address resolved from norosta.ru DDR.
  • 167[.]172[.]45[.]3 - IP address extracted from encoded DDR configurations.
• Domains:
  • de-fra[.]i3storage[.]com - Alternative S3-compatible cloud storage domain used for exfiltration.
  • serveirc[.]com - Dynamic DNS domain used during the initial access phase.
  • webhop[.]me - Dynamic DNS domain used during the initial access phase.
  • serveftp[.]com - Dynamic DNS domain used during the initial access phase.
  • myvnc[.]com - Dynamic DNS domain used during the initial access phase.
  • norosta[.]ru - Actor-controlled domain used to resolve C2 or staging IPs.
  • selltosell[.]ru - Actor-controlled domain used to resolve C2 or staging IPs.
  • quitethepastry[.]ru - Domain identified in Mastodon DDR posts.
  • mon-future-arbitration-buy[.]trycloudflare[.]com - Cloudflare Tunnel domain used for staging or C2.
  • poxxos[.]ru - Domain identified in encoded DDR configurations.
  • topflle[.]com - Domain identified in encoded DDR configurations.
  • cnnic[.]cn - Domain identified in encoded DDR configurations.
• Urls:
  • hxxps://write[.]as/api/posts/1nei1af6dnw8q - Write.as DDR URL used to host C2 configurations.
  • hxxps://rentry[.]co/hwzrmfkx - Rentry.co DDR URL used to host C2 configurations.
• Registry Keys:
  • HKCU\Printers\KeZdDboas5kpxbkgxxvBx - Registry key storing the orchestrator function.
  • HKCU\Printers\plLmfuh4uctxjtrQSXC - Registry key storing the payload for files drive exploration.
• Command Lines:
  • Purpose: Launch detached hidden PowerShell process to execute registry-staged orchestrator | Tools: powershell.exe | Stage: Execution
  • Purpose: Establish persistence via Run key executing payload from HKCU\Printers | Tools: powershell.exe, Registry | Stage: Persistence
  • Purpose: Create WMI Event Subscription for USB drive monitoring | Tools: WMI, PowerShell | Stage: Collection
  • Purpose: Execute arbitrary VBScript payload received from C2 | Tools: wscript.exe | Stage: Execution | wscript.exe <TEMP_FILE_PATH> //e:vbscript //b