The Russian-affiliated cyberespionage organization Shuckworm is relentlessly attacking Ukrainian institutions
The Russian-affiliated group deploys multiple payloads and continually updates its malware to maximize the chance that it stays active on targeted networks for as long as possible.
The Russian-affiliated cyberespionage group Shuckworm, also known as Armageddon and Gamaredon, is continuing to relentlessly attack Ukrainian organizations. Shuckworm has focused almost exclusively on Ukraine since it emerged in 2014, and its attacks have continued without pause since Russia invaded the country. Although the group often relies on simple, unsophisticated tools and techniques, the frequency and persistence of its attacks keep it among the top cyber threats facing organizations in the country.
The group's recent activity has installed numerous malware payloads on target systems. These payloads are frequently different variants of the same malware (Backdoor.Pterodo), built to perform related tasks, and each variant communicates with a different command-and-control (C&C) server. The most likely reason for deploying several variants is that they provide a rudimentary form of redundancy: if one payload or C&C server is detected and blocked, the attackers can fall back on the others or push fresh variants to compensate.
The Symantec Threat Hunter Team at Broadcom Software has identified four distinct Pterodo variants used in recent attacks. All four are Visual Basic Script (VBS) droppers with similar functionality: each downloads additional code from a C&C server, drops a VBScript file, and establishes persistence through a Scheduled Task created with schtasks.exe. The embedded VBScripts all use very similar obfuscation techniques.
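Scheduled-task persistence of this kind leaves a durable artifact: the task definition itself, stored as XML under `%SystemRoot%\System32\Tasks` and also carried in the TaskContent field of Windows Security event 4698 ("A scheduled task was created"). The following hunting script is an added example, not Symantec's code or anything recovered from Shuckworm samples. It parses Task Scheduler XML and flags actions that run a script host (wscript.exe, cscript.exe, mshta.exe) on a script file, reference a user-writable path, or force the VBScript engine with the `//E:` switch. The task names, paths, and XML fragments below are constructed for illustration and are assumptions, not indicators from the original report.

```python
"""Hunt Task Scheduler XML for script-host persistence (added example).

Works on the XML emitted by `schtasks /query /xml`, stored under
%SystemRoot%\\System32\\Tasks, or embedded in Security event 4698.
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by every Windows task definition.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Hosts that will happily execute a dropped script.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Script-file extensions a dropper would hand to those hosts.
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|hta)\b", re.IGNORECASE)
# Locations a non-admin process can write to (persistence from user space).
USER_WRITABLE = re.compile(
    r"(%appdata%|%localappdata%|%temp%|\\users\\[^\\]+\\)", re.IGNORECASE
)


def parse_actions(task_xml: str):
    """Return [(command, arguments), ...] from one task definition."""
    root = ET.fromstring(task_xml)
    actions = []
    for exec_node in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (exec_node.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (exec_node.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        actions.append((cmd, args))
    return actions


def suspicious_reasons(command: str, arguments: str):
    """List the reasons an action looks like script-based persistence."""
    reasons = []
    exe = command.replace('"', "").split("\\")[-1].lower()
    line = f"{command} {arguments}"
    if exe in SCRIPT_HOSTS:
        reasons.append(f"script host {exe}")
    if SCRIPT_EXT.search(line):
        reasons.append("script file argument")
    if USER_WRITABLE.search(line):
        reasons.append("user-writable path")
    # //E:vbscript forces the VBScript engine regardless of file extension,
    # so a dropped script need not carry a .vbs name to run.
    if "//e:vbscript" in line.lower():
        reasons.append("forced vbscript engine")
    return reasons


def hunt(tasks: dict):
    """tasks maps task name -> task XML; returns {name: [reasons]} for hits."""
    findings = {}
    for name, xml_text in tasks.items():
        for cmd, args in parse_actions(xml_text):
            reasons = suspicious_reasons(cmd, args)
            if reasons:
                findings.setdefault(name, []).extend(reasons)
    return findings


def task_xml(command: str, arguments: str) -> str:
    """Build a minimal, constructed task definition for the samples below."""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Actions Context="Author"><Exec>'
        f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
        "</Exec></Actions></Task>"
    )


# Constructed sample tasks (assumed names and paths, not real indicators).
SAMPLE_TASKS = {
    # Benign: a system binary in a system path.
    "ConstructedDefrag": task_xml(r"%windir%\system32\defrag.exe", "-c -h"),
    # Benign-looking script host use: a Windows script in System32.
    "ConstructedSlmgrCheck": task_xml(
        "cscript.exe", r"//nologo C:\Windows\System32\slmgr.vbs /xpr"
    ),
    # Dropper-style persistence: script host, .vbs in %APPDATA%, forced engine.
    "ConstructedUpdater": task_xml(
        "wscript.exe", r'//B //E:vbscript "%APPDATA%\Microsoft\update.vbs"'
    ),
}


if __name__ == "__main__":
    for name, reasons in sorted(hunt(SAMPLE_TASKS).items(),
                                key=lambda kv: -len(kv[1])):
        print(f"{name}: {', '.join(reasons)}")
```

Triage by the number of reasons: a script host alone is common in legitimate Windows tasks (the constructed slmgr.vbs task scores two), whereas a script host plus a user-writable path plus a forced engine is the profile of a dropped persistence task and deserves a look at the file it points to.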
Two VBS downloaders with the words "juice" and "justice" in their file names were also present on the target systems. Symantec detects these files as Backdoor.Pterodo, a known Shuckworm script that can launch PowerShell, upload screenshots, and execute code downloaded from a command-and-control server.
Shuckworm also makes use of the Giddome backdoor, a known Shuckworm tool. Some of these Giddome versions appear to have been delivered via VCD, H264, or ASC files. VCD files, like ISO files, are disc images that Windows recognizes and mounts as a genuine CD or DVD.
According to Symantec, the attackers also used the legitimate remote desktop tools Ammyy Admin and AnyDesk to obtain remote access to compromised machines.