
Detecting Gamaredon Group


These rules detect two kinds of activity on a compromised machine: malicious files being loaded or executed, and network connections to IP addresses associated with Gamaredon Group activity. The group's malvertising campaign distributes the Pteranodon (also known as Pterodo) implant along with other custom-developed malware samples.

The Gamaredon Group has been active since at least 2013, and Pteranodon is one of its primary tools in cyberespionage campaigns. This custom backdoor can capture screenshots at a configurable interval and upload them to the attacker, download and execute additional files, and execute arbitrary commands on the system. The newest version of Pterodo can also infect USB storage devices to spread further across an organization's network.