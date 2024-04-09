The origins of Gamma malware show a continuous evolution over at least 2 years, from simple VBScript backdoors to highly obfuscated, persistent, multi-stage malware variants with fallback C2 channels and support for multiple payloads. As a result of this evolution, a wide variety of Gamma-related malware is known to the community under various names such as LitterDrifter or Ptero* (PteroScout, Pterodo, etc.). X-Force follows the “Gamma” naming pattern used by CERT-UA, thus adding the names below to the list of known variants. However, due to the quick development cycles of the malware, these may only be used for a couple of months before the next code release, usually resulting in short-lived names. For our discussion, all Gamma-related malware capable of retrieving and executing secondary payloads (EXE, VBS, PS1, etc.) will be referred to as GammaLoad*.

Although variants exhibit different behaviors, which accounts for the high diversity of names, Gamma malware shares a set of distinctive traits. Implementation is mostly in VBScript (also delivered as Office macros in template files or inside .HTA files) or PowerShell. There have also been .NET and C++ implementations (Pterodo), which are used far less in currently observed campaigns. The recently observed .EXE files X-Force analyzed all contained an encrypted GammaLoad.VBA payload, which they launched after dropping it to a new directory under %HOME% or %USERPROFILE%. All Gamma variants (including the VBS, PS, Steel, Install, Plus, Light and Stager variants) use HTTP for C2 communication, often with specifically hardcoded headers, paths and subdomains. These are likely used to profile and register infections and are generated from wordlists or random values. GammaInstall and GammaSteel also use a distinct modulo-based string obfuscation technique, unlike GammaLoad.VBS, which uses substitutions. To support multi-channel DNS fluxing through fallback channels, Gamma variants have started including functionality to query and parse services such as Telegram, Telegraph, Filetransfer.io and others.
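The traits above (HTTP C2 issued from script hosts, random-looking subdomains, and fallback lookups against public services) are the kind of signal a defender can score in proxy telemetry. The following is an added detection example written for this page, not code from X-Force or from the malware; the tab-separated log format and the log lines are constructed, the entropy threshold and the mapping of "Telegram, Telegraph, Filetransfer.io" to the domains `telegram.org`, `t.me`, `telegra.ph` and `filetransfer.io` are the author's assumptions, and the rule requires a script-host process plus at least one C2-shaped indicator so that ordinary browser traffic to those services is not flagged on its own.

```python
import math
from collections import Counter

# Constructed sample proxy log lines (not from the report). Tab-separated:
# timestamp  process_name  http_host  request_path
SAMPLE_LOGS = """\
2024-04-09T10:00:01Z\twscript.exe\tk3x9qzt7mwp2.example-dyn.net\t/index.php
2024-04-09T10:00:05Z\tchrome.exe\tcdn-static.example.com\t/app.js
2024-04-09T10:01:10Z\tpowershell.exe\ttelegra.ph\t/update-04-09
2024-04-09T10:02:33Z\tmshta.exe\tfiletransfer.io\t/data-package/abc
2024-04-09T10:03:00Z\toutlook.exe\tauthentication.example.com\t/login
2024-04-09T10:04:12Z\twscript.exe\tupdate.example-dyn.net\t/get
""".splitlines()

# Windows script hosts that the VBS/.HTA/PowerShell variants run under.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

# Assumed domains for the fallback services named in the text.
FALLBACK_SERVICES = {"telegram.org", "t.me", "telegra.ph", "filetransfer.io"}


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(label, min_len=10, min_entropy=3.2):
    """Heuristic for a randomly generated DNS label. Wordlist-built labels
    (e.g. 'update') will not trip this, which is why the process context
    below is required as well. Thresholds are assumptions."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def matches_fallback_service(host):
    return any(host == d or host.endswith("." + d) for d in FALLBACK_SERVICES)


def parse_line(line):
    ts, proc, host, path = line.split("\t")
    return {"ts": ts, "process": proc.lower(), "host": host.lower(), "path": path}


def score_request(rec):
    """Return the list of indicator names that apply to one request."""
    reasons = []
    if rec["process"] in SCRIPT_HOSTS:
        reasons.append("script-host-http")
    if looks_random(rec["host"].split(".")[0]):
        reasons.append("random-subdomain")
    if matches_fallback_service(rec["host"]):
        reasons.append("fallback-service")
    return reasons


def flag_suspicious(lines):
    """Flag requests made by a script host that also carry at least one
    C2-shaped indicator (random subdomain or fallback-service host)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        reasons = score_request(rec)
        if "script-host-http" in reasons and len(reasons) >= 2:
            hits.append({**rec, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOGS):
        print(hit["ts"], hit["process"], hit["host"], ",".join(hit["reasons"]))
```

On the constructed input this flags three requests: the wscript.exe request to a high-entropy subdomain, and the powershell.exe and mshta.exe requests to the Telegraph and Filetransfer.io hosts; the wscript.exe request to the wordlist-style `update.` subdomain is not flagged by the entropy check alone, which is the expected gap of this heuristic.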

In a departure from previous observations, X-Force did not observe Hive0051 deploying USB spreading capabilities in either the common VBS or the PowerShell variant of GammaLoad. This may be due to the uncontrollable nature of malware spreading via USB devices and potentially indicates that Hive0051 wants to control which hosts it infects. To a lesser extent, new samples identified as “GammaLoadLight.PS” have been observed that focus only on the USB worm-like functionality. This variant can be deployed selectively and carries a hardcoded ID, enabling the threat actor to control and track the campaign more precisely than before.