See the full chain for an individual GammaLoad-infected victim in the graph below. After receiving the GammaStager payload, the malware was observed installing three separate malware branches, GammaLoadPlus, GammaSteel and GammaLoad.PS. Each of them maintains its own persistence and C2 connection, allowing further payloads on each branch. In addition, GammaStager also downloads an enumeration script (GammaInfo) and a reverse shell.

Figure 3: Gamma follow-on stages infection diagram

The more the merrier

The initial infection vectors display a significant evolution in strategy. Stealth has not been a major focus of Gamma malware and infrastructure in recent years, but the most recent campaigns are Hive0051’s most boisterous to date. The chain above clearly demonstrates a new, aggressive, multi-layered approach, for rapidly deploying several independent malware branches.

The large number of C2 fallback options, persistence mechanisms and storage locations potentially underscore a strategy that is accepting of a higher chance of detection in favor of a redundant approach to infection. By avoiding a single point of failure, the malware may be more likely to provide Hive0051 operators with successful infections before the attack is detected and remediated. Similarly, the frequent development cycles of Gamma malware have resulted in a multitude of new variants, making detection more difficult.

Fifty shades of Gamma

The origins of Gamma malware show a continuous evolution over at least 2 years, from simple VBScript backdoors to highly obfuscated, persistent, multi-stage malware variants with fallback C2 channels and support for multiple payloads. As a result of this evolution, a wide variety of Gamma-related malware is known to the community under various names such as LitterDrifter or Ptero* (PteroScout, Pterodo, etc.). X-Force follows the “Gamma” naming pattern used by CERT-UA, thus adding the names below to the list of known variants. However, due to the quick development cycles of the malware, these may only be used for a couple of months before the next code release, usually resulting in short-lived names. For our discussion, all Gamma-related malware capable of retrieving and executing secondary payloads (EXE, VBS, PS1, etc.) will be referred to as GammaLoad*.

Although variants may exhibit different behaviors resulting in a high diversity of names, there is a set of distinctive similarities used by Gamma malware. Implementation is mostly done in VBScript (also featured as Office macros in template files or within .HTA files), or PowerShell. There have also been implementations in .NET or C++ (Pterodo), which are used far less in currently observed campaigns. The recently observed .EXE files X-Force analyzed all contained an encrypted GammaLoad.VBA payload which they would launch after dropping to a new directory in %HOME% or %USERPROFILE%. All Gamma variants (including VBS, PS, Steel, Install, Plus, Light or Stager variants) leverage HTTP for C2 communication, often using specifically hardcoded headers, paths and subdomains. These are likely used to profile and register infections and are created using wordlists or randomly generated values. GammaInstall and GammaSteel also use a distinct modulo-based string obfuscation technique, different from GammaLoad.VBS, which uses substitutions. To support multi-channel DNS fluxing via fallback channels, Gamma variants started featuring functionality to query and parse different services such as Telegram, Telegraph, Filetransfer.io and more.

In a departure from previous observations, X-Force did not observe Hive0051 deploying USB spreading capabilities in both the common VBS and PowerShell variants of GammaLoad. This may be due to the uncontrollable nature of malware spreading via USB devices and potentially indicates Hive0051’s consideration of controlling its intended victims. To a lesser extent, there have been new samples identified as “GammaLoadLight.PS”, which focus only on the USB worm-like functionality. This variant can be deployed selectively and carries a hardcoded ID, enabling the threat actor to control and track the campaign more precisely than before.

GammaStager

GammaStager is a new type of disposable Gamma malware X-Force observed in the wild, which is built on the fly for a specific infection. It contains various hardcoded values such as the IP address, headers and strings likely acting as an authentication towards the C2 server. Its only objective is to download and execute a series of Base64-encoded VBS payloads. Upon request, it expects a “200” or “400” HTTP status code and a payload. If the C2 fails to respond with one of those codes, it will exit its main loop and terminate after 7 failed beacons.

Figure 4: Network traffic of GammaStager downloading multiple payloads

GammaLoadPlus

GammaLoadPlus is a VBS-based malware with two components that are obfuscated via string substitution and Base64 encoding. The first component is designed to establish persistence. It also contains two initial hardcoded values for the current C2 IP address as well as the Telegram channel ID for fallback. These values are initially stored in two files within the %TEMP% directory. The malware begins by storing itself in the %USERPROFILE% directory and creating a scheduled task with an unobtrusive name, “SmartScreenSpecific” in this case. The configuration executes the following command every 10 minutes (note that some options do not have a purpose and differ between samples):

This will run the second component which is the backdoor. To resolve its C2 address, the observed variant can use Telegram, DNS via WMI pings or an HTTP request to CloudFlare (https://cloudflare-dns.com/dns-query) or Google DNS (https:/8.8.8.8/resolve). A payload received from the server is stored in a “.ini” file within the %APPDATA% directory. GammaLoadPlus decrypts it using a custom XOR-based algorithm and stores it with the “.exe” extension in the same directory. At the start of the next scheduled execution, the payload is executed via the WScript.Shell object.

GammaInstall & GammaSteel

GammaInstall is a short PowerShell script used as a loader for GammaSteel. It begins by downloading the GammaSteel payload, splitting it and writing it to disk with each fragment stored in a different .txt file inside a dedicated storage directory under %APPDATA%. All TXT files have the same hardcoded string name concatenated with an increasing integer to preserve their order. In this case, the list of files would look like this:

After dropping the split payload, GammaInstall creates a short PowerShell loader script to read and combine the split files of the payload again and execute it. The resulting script is written into a VBS launcher file and dropped to %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\<random_name>.vbs for persistence. The payload is then executed manually by GammaInstall.

Figure 5: Deobfuscated GammaInstall script

The observed payload was identified as GammaSteel and has been in use over the past year to exfiltrate files from infected systems. Its behavior bears similarities to the QuietSieve malware family used by the same group in 2022. It is capable of stealing files by recursively scanning through connected USB devices and existing drive letters.

GammaSteel maintains a blocklist to exclude folders containing the following strings:

• prog
• log
• windows
• appdata
• local
• roaming

Files are chosen if they match one of the following extensions:

• .doc
• .docx
• .xls
• .xlsx
• .rtf
• .odt
• .txt
• .jpg
• .jpeg
• .pdf
• .ps1
• .rar
• .zip
• .7z
• .mdb

GammaSteel also maintains a database file storing the MD5 hash of all exfiltrated files and is used to prevent exfiltrating duplicates. The observed variant stored data in a .TXT file within %APPDATA% and used the hardcoded string “MZtxtMZdb00” as magic bytes for identification. Exfiltration is accomplished via HTTP POST requests.

GammaLoad.PS

GammaLoad.PS is a PowerShell implementation of GammaLoad, which lives in the registry. The latest version does not support USB spreading anymore, but added support for .EXE payloads. At the start of the execution, the main script begins by dumping a loader script into a .PS1 file under %ALLUSERSPROFILE%, which is used by the scheduled task, and serves the purpose of loading and executing code stored in the registry. The main install script continues by writing each PowerShell function into a new subkey with a random name, below a hardcoded parent key – in this case, “HKCU:\Printers”. Finally, the script creates a scheduled task with the name of the “Win32_Bios” WMI-Object’s “Manufacturer” field. The task is configured to run after 1 minute following the install script and execute the following command every 180 minutes:

During execution, GammaLoad.PS maintains a file containing the currently used C2 server, which is populated through one of its C2-resolving capabilities, DNS or Telegraph. The malware then communicates with the “/api.php” endpoint. The malware is capable of handling 3 different payload types:

1. Responses starting with the string “http” will cause a download from the corresponding URL. The second payload is then XOR-decrypted, stored in %TEMP%\<random_name>.exe and executed.
2. Responses starting with the string “!” are split by the starting separator and executed as PowerShell commands.
3. All other responses are decrypted, Base64-decoded and launched as VBScript payloads directly in memory.

GammaLoadLight.PS

This PowerShell variant contains the USB spreader code, which has recently been removed from previous GammaLoad.PS variants. This allows it to spread to connected USB devices by dropping itself and a weaponized LNK file. It maintains persistence via the registry Run key and is stored within the %USERPROFILE% directory:

To resolve its C2 address, it supports both regular DNS with an apex domain as well as Telegram. After connecting to its server’s “/sleep.php” endpoint, it sends a hardcoded integer ID and expects a PowerShell script in return. It will replace a specific string in the payload response with its current C2 IP and execute the script.

Reverse shell

The last payload downloaded by GammaStager was a PowerShell-based reverse shell, allowing immediate hands-on keyboard access. It connects to a remote server on port 9511.

Figure 6: Reverse shell deployed by Hive0051

Infrastructure

X-Force has continued to study Hive0051 GammaLoad’s DNS fast flux infrastructure to deepen our understanding of the pace and scale the threat actor creates and rotates its domains. Looking at all GammaLoad domain registrations in 2023 through 2024, Hive0051 registered at least one domain (and often times more) a little over every 4 days on average, and as of January 15th, over 500 GammaLoad C2 domains had active registrations and were resolving to Hive0051 infrastructure. In terms of how Hive0051 rotates these domains to different IP addresses, X-Force identified several clusters of GammaLoad C2 that generally “travel” together. Specifically, there are 4 clusters of GammaLoad C2 domains that use the VBS variant for subdomain generation, one cluster related to the PowerShell variant for subdomain generation and one cluster related to GammaSteel. Between these 6 clusters, X-Force observed GammaLoad resolve to over 1000 IP addresses over a 3 month period. As other vendors have noted, Global Internet Solutions (GIR – 207713) remains Hive0051’s most used hosting provider, with 83% of GammaLoad C2s showing up within 40 of GIR’s netblocks. X-Force has also observed heavy usage of Kaopu Cloud HK(138915) and the recently created Global Connectivity Solutions (GCS – 215540). The latter was registered on February 9, 2024, and shares domain registration, WHOIS data and website landing page similarities with GIR.

Both domains have also been registered in Russia. These similarities, in addition to Hive0051’s usage of both providers, may indicate a relationship between GCS and GIR. As of March 2024, 16% of Hive0051’s C2 IPs belonged to GCS. This may be a result of GIR’s higher ASN risk score, which would impact Hive0051’s operations if used for IP reputation-based blocking.

• 29182
• 14061
• 208951
• 44477
• 207651
• 20473
• 49505
• 59504
• 198610
• 216071
• 35278
• 216139

The breakdown of the VBA clusters by domain count and possible malware associations can be seen below.