GuitarBob
Posted: Mon Aug 15, 2022 9:59 pm
Below is a Yara signature for the Russian Gamaredon malware group targeting important Ukrainian organizations. The malicious document at the URLs is a Word template. Copy the rule, from the word rule to the closing }, into a new Notepad file and save it as a file named Gamaredon.yar in the ClamWin database folder. Save it in All Files format. The file name should be Gamaredon.yar and nothing else.
Unlike HDB and MDB signatures, Yara signatures can be kept permanently if they are not for a specific malware. This rule is for a specific malware, so keep it for about 4 weeks.
Thanks to Microsoft!
rule Microsoft_IOC_Gamaredon_Ukraine_Aug_15_2022
{
    meta:
        description = "Microsoft IOCs for Russian group 'Gamaredon' targeting Ukraine, Aug. 15, 2022"
    strings:
        $a = "cache-dns.com"
        $b = "ache-dns-forwarding.com"
        $c = "cache-dns-preview.com"
        $d = "cache-docs.com"
        $e = "cache-pdf.com"
        $f = "cache-pdf.online"
        $g = "cache-services.live"
        $h = "cloud-docs.com"
        $i = "cocs-cache.com"
        $j = "docs-cache.com"
        $k = "docs-info.com"
        $l = "document-online.live"
        $m = "document-preview.com"
        $n = "pdf-cache.com"
        $o = "pdf-cache.online"
        $p = "office365-online.live"
        $q = "office-protection.online"
        $r = "proton-pdf.online"
        $s = "proton-view.online"
        $t = "ile-milgov.systems"
    condition:
        any of them
}
Regards,
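An added example, not code from the post, from ClamWin or from Microsoft: a small Python script that builds a YARA rule like the one above from a list of IOC domains, rejects rule names YARA would not accept (spaces, quotes and dots are not allowed in an identifier, and every string needs its closing quote), and includes a pure-Python stand-in for the "any of them" condition so you can check a suspicious document offline even where yara-python is not installed. The domain list is copied from the post as constructed test data; the rule name, the meta block, the "ascii wide nocase" modifiers and all function names are assumptions made for this example.

```python
"""Generate and sanity-check a ClamWin-style YARA IOC rule.

Added example, not ClamWin's or Microsoft's code. Apart from the domain
list (copied from the post above), every name here is an assumption.
"""
import re
from pathlib import Path

# Constructed test data: the domains listed in the post, unchanged.
GAMAREDON_DOMAINS = [
    "cache-dns.com", "ache-dns-forwarding.com", "cache-dns-preview.com",
    "cache-docs.com", "cache-pdf.com", "cache-pdf.online", "cache-services.live",
    "cloud-docs.com", "cocs-cache.com", "docs-cache.com", "docs-info.com",
    "document-online.live", "document-preview.com", "pdf-cache.com",
    "pdf-cache.online", "office365-online.live", "office-protection.online",
    "proton-pdf.online", "proton-view.online", "ile-milgov.systems",
]

# A YARA rule identifier: letters, digits and underscore only, not starting
# with a digit. Spaces, quotes, dots and commas all make the rule fail to load.
YARA_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,127}$")


def yara_quote(text: str) -> str:
    """Escape text as a YARA double-quoted string, closing quote included."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_rule(name: str, domains: list[str], description: str) -> str:
    """Return a complete YARA rule; each domain becomes one text string."""
    if not YARA_IDENT.match(name):
        raise ValueError(f"invalid YARA rule identifier: {name!r}")
    if not domains:
        raise ValueError("a rule needs at least one string")
    lines = [
        f"rule {name}",
        "{",
        "    meta:",
        f"        description = {yara_quote(description)}",
        "    strings:",
    ]
    for i, domain in enumerate(domains):
        # 'wide' also catches UTF-16 copies of the hostname (as found in
        # OLE/RTF content); 'nocase' because hostnames are case-insensitive.
        lines.append(f"        $d{i} = {yara_quote(domain)} ascii wide nocase")
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines) + "\n"


def find_hits(domains: list[str], data: bytes) -> list[str]:
    """Pure-Python equivalent of 'any of them' with ascii/wide/nocase.

    bytes.lower() only folds ASCII letters, so the NUL bytes of UTF-16-LE
    text survive and the 'wide' needle still lines up.
    """
    lowered = data.lower()
    hits = []
    for domain in domains:
        ascii_needle = domain.lower().encode("ascii")
        wide_needle = domain.lower().encode("utf-16-le")
        if ascii_needle in lowered or wide_needle in lowered:
            hits.append(domain)
    return hits


def write_rule(path: Path, rule_text: str) -> Path:
    """Write the rule; ClamAV/ClamWin only load YARA files named *.yar or *.yara."""
    if path.suffix.lower() not in (".yar", ".yara"):
        raise ValueError("use a .yar or .yara extension or the rule is ignored")
    path.write_text(rule_text, encoding="ascii")
    return path


def compile_if_available(rule_text: str):
    """Compile with yara-python when it is installed; otherwise return None."""
    try:
        import yara  # optional dependency, not required for the rest
    except ImportError:
        return None
    return yara.compile(source=rule_text)


if __name__ == "__main__":
    rule = build_rule(
        "Microsoft_IOC_Gamaredon_Ukraine_Aug_15_2022",
        GAMAREDON_DOMAINS,
        "Microsoft IOCs for Gamaredon targeting Ukraine, Aug. 15, 2022",
    )
    print(rule)
    # Constructed sample: a fake document body carrying one IOC as UTF-16.
    sample = b"<w:t>" + "https://docs-cache.com/x".encode("utf-16-le") + b"</w:t>"
    print("hits:", find_hits(GAMAREDON_DOMAINS, sample))
    if compile_if_available(rule) is not None:
        print("rule compiles under yara-python")
    # write_rule(Path(r"C:\ProgramData\.clamwin\db\Gamaredon.yar"), rule)
```

One caveat a practitioner should keep in mind: a modern Word template (.dotm/.dotx) is a ZIP container, so plain text strings like these only match once the scanner has extracted the inner XML parts; the find_hits stand-in above is meant to be run on extracted content or on old binary .dot/OLE files, where the hostname may be stored as UTF-16, which is why the rule carries "wide".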