Reading CERT-UA's UAC-0010 / Gamaredon update — what jumped out
A close re-read of the late-2024 CERT-UA bulletin on UAC-0010 / Gamaredon and what's worth turning into Suricata rules for a small-shop SOC.
I spent an evening this week going carefully through the latest CERT-UA bulletin on UAC-0010 (also known as Gamaredon, Primitive Bear, Trident Ursa). It’s part of my thesis-prep reading — I’m writing on behavioural anomaly detection in network traffic and Gamaredon is the most loudly-active APT in the public CERT-UA corpus, so it’s a natural case study.
A few things jumped out that are worth turning into actual detection content for someone running a small-shop SOC. None of these are novel research; they’re me reading carefully and trying to translate “the bulletin says X” into “here’s what you’d watch for”.
Pterodo file-naming schemas keep getting reused
Across the recent CERT-UA dispatches the HTML / VBS / SFX / RAR filenames have a bunch of recurring shapes:
- Scan_<digit>_<digit>_<digit>_<NNNN>_<DD>.<MM>.<YYYY>.htm[l]: the "Scan" prefix is recent (added late-Apr 2024 per CERT-UA’s wave comparison). Most bulletins from the prior 12 months use the bare <digit>_<digit>_<digit>_<NNNN>_<DD>.<MM>.<YYYY>.<ext> form.
- The <DD>.<MM>.<YYYY> date convention is the dotted, day-first format used in Russian (and more broadly continental European) locales. Operator-side automation is emitting filenames in that locale’s date format, which is itself a mild-fidelity signal: scanner firmware sold into Western markets typically names files with an ISO or compact YYYYMMDD date, not dotted DD.MM.YYYY.
- File sizes for the HTML landers cluster in the 250–260 KB range, consistent with an HTML page plus embedded resources.
These are CERT-UA’s published indicators; not me re-deriving from samples. But the regex shape is stable enough across bulletins that it’s worth a static-content rule. Suricata sketch (untested at scale — this is a thinking-out-loud rule, not a production-deploy one):
alert http $HOME_NET any -> any any (msg:"UAC-0010 Pterodo Scan_X_Y_Z filename pattern in request URI";
flow:established,to_server; http.uri;
pcre:"/Scan_\d+_\d+_\d+_\d{4}_\d{2}\.\d{2}\.20\d{2}\.html?/i";
classtype:trojan-activity; sid:9001500; rev:1; reference:url,cert.gov.ua/article/...;)
The literal 20 in \.20\d{2}\. is a crude anchor on 20XX years; \.202[4-9]\. is tighter and matches the campaign window. Two other things before anyone deploys it. First, the filename lives in the request URI, and http.uri is a request-side buffer, so the flow direction has to be to_server (Suricata rejects a rule that pairs a request buffer with to_client); if you want the response side instead, match the Content-Disposition filename in http.header with to_client. Second, as written it will still fire on benign uploads or downloads that happen to use a similar naming convention; it needs a content-type check on the response and some host filtering to be useful in production. Take it as a sketch.
Beacon URL pattern is the more useful tell
Per CERT-UA’s IOCs the recent waves carry beacon URLs like
http://<bare-IP>/<verb><suffix>?-<DD>-<MM> where:
- Verb is one of a small set of operator codenames (Svvr, SSsr, Akad, Akk, Gpps, Mouuds)
- Suffix is Htm, Ua, or empty
- <DD>-<MM> is the campaign date
Five of those six verbs carry a doubled letter (vv, SS, kk, pp, uu). That lines up with Gamaredon’s well-documented alliterative-naming TTP, the same one that produces riontos.ru style apex names with a recurring first letter. Whoever designs the operator-side URL generator is consistent.
The useful bit for detection engineering isn’t the specific verb list (the operators rotate them), it’s the plain-HTTP beacon to a bare IP with a doubled-letter URL path, which is a very high-signal shape for “something Pterodo-flavoured is calling home”. A Suricata sketch that matches the shape, not the specific verbs:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"UAC-0010 plain-HTTP bare-IP beacon (doubled-letter path)";
flow:established,to_server;
http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/";
http.uri; pcre:"/^\/[A-Za-z]{0,4}([A-Za-z])\1[A-Za-z]{0,5}\??-\d{2}-\d{2}$/";
classtype:trojan-activity; sid:9001501; rev:1;)
The URI regex looks for a doubled letter within the first few characters of the path (the ([A-Za-z])\1 backreference is what enforces “the same letter twice”, so SSsr, Svvr, Akk, Gpps and Mouuds all hit), allows up to five more letters for the rest of the verb plus an Htm / Ua suffix, then an optional ? and the -DD-MM tail. I’m reading the ? in CERT-UA’s URL shape as the query-string separator, which Suricata’s http.uri buffer includes, hence \?? rather than a literal. It won’t catch Akad, because that verb has no doubled letter. If you want the known verbs as well, the explicit form (Svvr|SSsr|Akad|Akk|Gpps|Mouuds)(Htm|Ua)?\??-\d{2}-\d{2} is a sensible companion rule, with the understanding that the operators rotate the list. Either way, tune to your environment’s noise: doubled letters are common in ordinary English paths, and it’s the bare-IP host plus the -DD-MM tail that keeps the false-positive rate down.
What I’m going to put in the thesis
Both shapes (the filename schema, and the beacon URL pattern) are candidate examples for the empirical chapter. They’re cumulative-behavioural signals where a single hit isn’t conclusive, but a combination (“workstation downloaded a Scan_X_Y_Z_NNNN_DD.MM.YYYY.htm attachment AND beaconed to a bare-IP URL with alliterative path within 60s”) is high-confidence.
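To show what that correlation looks like as code rather than as a sentence, here is an added example (mine, not CERT-UA’s and not part of the bulletin) that replays both detection shapes over a constructed request log and escalates only clients where the download is followed by the beacon within the 60-second window. The one-request-per-line log format is my own invention for the demo, and the hostnames and IPs are documentation ranges, not IOCs from any bulletin. The regexes mirror the two Suricata sketches above in Python syntax, with the tightened 202[4-9] year anchor.

```python
"""Replay both UAC-0010 detection shapes over a constructed request log and
correlate them per client within a 60-second window.

Added example; the log format, hostnames and IPs below are made up for the
demo (documentation ranges), not IOCs taken from any CERT-UA bulletin."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Same semantics as the Suricata pcre sketches, in Python re syntax.
# The year class 202[4-9] is the tightened anchor, not the 20\d{2} hack.
SCAN_FILENAME_RE = re.compile(
    r"Scan_\d+_\d+_\d+_\d{4}_\d{2}\.\d{2}\.202[4-9]\.html?$", re.IGNORECASE
)
# Bare dotted-quad Host header (Suricata's http.host buffer carries no port).
BARE_IP_RE = re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")
# Path with a doubled letter in the verb, optional suffix, optional '?' and a
# -DD-MM tail. ([A-Za-z])\1 is what enforces "the same letter twice".
DOUBLED_PATH_RE = re.compile(
    r"^/[A-Za-z]{0,4}([A-Za-z])\1[A-Za-z]{0,5}\??-\d{2}-\d{2}$"
)

CORRELATION_WINDOW = timedelta(seconds=60)

# Constructed sample log: "<ISO timestamp> <client> <Host header> <URI>" per line.
SAMPLE_LOG = """\
2024-05-14T09:12:03 10.0.0.21 files.example.test /inbox/Scan_1_2_3_0456_14.05.2024.html
2024-05-14T09:12:41 10.0.0.21 198.51.100.7 /SvvrHtm?-14-05
2024-05-14T09:15:10 10.0.0.22 198.51.100.7 /Akad?-14-05
2024-05-14T09:20:00 10.0.0.23 files.example.test /inbox/Scan_4_5_6_0789_14.05.2024.htm
2024-05-14T09:25:30 10.0.0.23 198.51.100.9 /GppsUa?-14-05
2024-05-14T09:30:00 10.0.0.24 www.example.test /hello-14-05
2024-05-14T09:31:00 10.0.0.25 203.0.113.4 /ping
"""


def parse_records(text):
    """Parse the constructed log format into (timestamp, client, host, uri) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, uri = line.split()
        records.append((datetime.fromisoformat(ts), client, host, uri))
    return records


def classify(host, uri):
    """Return the set of detection labels that fire on a single request."""
    labels = set()
    path = uri.split("?", 1)[0]  # filename check ignores any query string
    if SCAN_FILENAME_RE.search(path.rsplit("/", 1)[-1]):
        labels.add("scan_filename")
    # Host must be a bare IP AND the path must have the doubled-letter shape;
    # either alone (e.g. /hello-14-05 on a normal hostname) is not enough.
    if BARE_IP_RE.match(host) and DOUBLED_PATH_RE.match(uri):
        labels.add("bare_ip_doubled_path")
    return labels


def detect(records):
    """Single-request hits as (timestamp, client, label), in log order."""
    return [(ts, client, label)
            for ts, client, host, uri in records
            for label in sorted(classify(host, uri))]


def correlate(hits, window=CORRELATION_WINDOW):
    """Clients where a scan_filename hit is followed by a beacon hit within `window`.

    A lone hit of either kind stays a weak signal; only the pair is escalated."""
    by_client = defaultdict(list)
    for ts, client, label in hits:
        by_client[client].append((ts, label))
    confirmed = {}
    for client, events in by_client.items():
        events.sort()
        for i, (t0, label0) in enumerate(events):
            if label0 != "scan_filename":
                continue
            for t1, label1 in events[i + 1:]:
                if t1 - t0 > window:
                    break  # events are sorted, nothing later can be inside the window
                if label1 == "bare_ip_doubled_path":
                    confirmed[client] = (t0, t1)
                    break
            if client in confirmed:
                break
    return confirmed


if __name__ == "__main__":
    hits = detect(parse_records(SAMPLE_LOG))
    for ts, client, label in hits:
        print(f"{ts.isoformat()} {client} {label}")
    for client, (t0, t1) in correlate(hits).items():
        gap = int((t1 - t0).total_seconds())
        print(f"ESCALATE {client}: download at {t0.time()} then beacon {gap}s later")
```

On the constructed log, 10.0.0.21 is the only client escalated: 10.0.0.22 fetches the Akad verb, which the doubled-letter regex deliberately misses; 10.0.0.23 trips both single-hit rules but more than five minutes apart; 10.0.0.24 has a doubled-letter path on a real hostname, which the bare-IP condition filters out. Swap the per-client pairing for whatever your SIEM’s correlation primitive is; the point is that the two weak rules only become an alert together.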
CERT-UA’s bulletins are extraordinarily generous publications and the quality is high. If you’re a UA cybersec student or a junior SOC analyst, the CERT-UA bulletin archive is one of the highest-density learning resources I know of for practising “TTP description → detection rule” translation.
(I’ve published the Suricata-elk-lab Docker-Compose I used for the thesis empirical chapter at github.com/palianytsia-200/suricata-elk-lab. Not production-ready — student work. But useful as a reproducible bench.)