Description of Campaign
The Gamaredon threat group targeted the Ukrainian government with spear-phishing emails containing either a malicious link or attachment. The malware used during the operation was signed with a fake Microsoft digital certificate. The group used this malware to exfiltrate sensitive information from infected victims, including data from local, network, and removable drives.

How to use this article:

1. If a Threat Hunting table has been created, use the rules contained to search for malware related to this campaign. 
2. Review the product detection table and confirm that your environment is at least on the specified content version.
   To download the latest content versions, go to the Security Updates page.
3. Scroll down and review the "Product Countermeasures" section of this article. Consider implementing them if they are not already in place.
4. Review KB91836 - Countermeasures for entry vector threats.
5. Review KB87843 - Dynamic Application Containment rules and best practices.
6. Review KB82925 - Identify what rule corresponds to an Adaptive Threat Protection and Threat Intelligence Exchange event.

Campaign IOC
 

Type	Value
Domain	masseffect.space
IP	141.8.195.60
IP	188.225.25.50
SHA256	C1524A4573BC6ACBE59E559C2596975C657AE6BBC0B64F943FFFCA663B98A95F
SHA256	76EA98E1861C1264B340CF3748C3EC74473B04D042CD6BFDA9CE51D086CB5A1A
SHA256	E2CB06E0A5C14B4C5F58D0E56A1DC10B6A1007CF56C77AE6CB07946C3DFE82D8
SHA256	39C6884526E7B7F2ED6E47B630010508BB5957385ECCF248C961CBD5BCB802C6

 
Minimum Content Versions:

Content Type	Version
V2 DAT (VirusScan Enterprise)	9536
V3 DAT (Endpoint Security)	3987

Detection Summary                    

IOC	Scanner	Detection
C1524A4573BC6ACBE59E559C2596975C657AE6BBC0B64F943FFFCA663B98A95F	AVEngine V2	Trojan-Gamaredon
	AVEngine V3	Trojan-Gamaredon
	JTI (ATP Rules)	ATP/Suspect!a9bb1471c275
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
76EA98E1861C1264B340CF3748C3EC74473B04D042CD6BFDA9CE51D086CB5A1A	AVEngine V2	W97M/Downloader.sj
	AVEngine V3	W97M/Downloader.sj
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
E2CB06E0A5C14B4C5F58D0E56A1DC10B6A1007CF56C77AE6CB07946C3DFE82D8	AVEngine V2	W97M/Dropper.ew
	AVEngine V3	W97M/Dropper.ew
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
39C6884526E7B7F2ED6E47B630010508BB5957385ECCF248C961CBD5BCB802C6	AVEngine V2	VBS/Downloader.td
	AVEngine V3	VBS/Downloader.td
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

                                                                                                                      
Minimum set of Manual Rules to improve protection to block this campaign
IMPORTANT: When you implement new rules or signatures, always first set them to Report mode before setting them to Block.
Mitigate against triggering false positives when enabling new rules and signatures by always following best practices.
For best practices for Endpoint Security Dynamic Application Containment rules, see KB87843 - Dynamic Application Containment rules and best practices.

Endpoint Security - Advanced Threat Protection:  
Endpoint Security - Exploit Prevention:  

Aggressive set of Manual Rules to improve protection to block this campaign

IMPORTANT: When you implement new rules or signatures, always first set them to Report mode before setting them to Block.
Mitigate against triggering false positives when enabling new rules and signatures by always following best practices.
For best practices for Endpoint Security Dynamic Application Containment rules, see KB87843 - Dynamic Application Containment rules and best practices.

Host Intrusion Prevention: