
Security researchers at Symantec have presented what they said is further evidence that the Russian advanced persistent threat hacking team known as Shuckworm has been actively waging a cyber espionage campaign against organizations in Ukraine.

According to a report from the Security Service of Ukraine (SSU) released in November 2021, Shuckworm, also known as Armageddon, Gamaredon, Primitive Bear and other monikers, is relatively new to the APT world. The SSU believes Shuckworm was founded in 2013 or 2014 and initially operated with a very low profile. Despite its relative newness to the scene, the SSU said “the group is able to turn into a cyberthreat with consequences, the scale of which will exceed the negative effect of the activities of [known Russian APTs APT28, SNAKE and APT29].”

Symantec said its findings are consistent with the SSU’s report, which said Shuckworm has become more sophisticated since 2017: it now relies on custom-built malware to gain a foothold and on legitimate tools to keep itself connected.

Anatomy of a cyber espionage attack

There are a variety of methods that APTs use to establish a permanent presence in victim networks. In the particular case study Symantec included in its report, Shuckworm likely used a tried-and-true ingress method: phishing.


The attack began July 14, 2021, and continued for over a month, Symantec said, and it all began with a malicious Word document. “Just five minutes after the document is opened, a suspicious command is also executed to launch a malicious VBS file,” Symantec said. That file, in turn, installed the Pterodo backdoor software that was previously linked to Shuckworm.

The creation of Pterodo is what the SSU said divides Shuckworm’s early days from its more dangerous later years. Prior to the creation of Pterodo, Shuckworm relied on legitimate remote access tools like RMS and UltraVNC. Now, through the use of Pterodo, Shuckworm is able to compromise systems and retain access as it uses living-off-the-land techniques (using available, legitimate tools on the infected system) to move laterally and steal credentials.

“Between July 29 and Aug. 18, activity continued whereby we observed the attackers deploying multiple variants of their custom VBS backdoor along with executing VBS scripts and creating scheduled tasks similar to the ones detailed above,” Symantec said. After Aug. 18, it reports, no further activity was detected on the infected machine.

For those looking for indicators of compromise, Symantec said there are seven self-extracting binary files that it’s noticed in recent Shuckworm attacks:

  • descend.exe
  • deep-sunken.exe
  • z4z05jn4.egf.exe
  • defiant.exe
  • and several variants of deep-green.exe

“Nearly all the suspected malicious files are made up of a word beginning with the letter ‘d’, and a few are composed of two words separated by a ‘-’ (first word also starting with ‘d’),” Symantec said.
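The attack chain described above (a Word document, a script host launching a VBS file minutes later, then scheduled tasks for persistence) and the file-naming observation just quoted both translate into simple hunting logic a defender can run over process-creation logs. The following script is an added example, not code from Symantec, the SSU or the report; the `key=value` log format, the sample events, the 10-minute window and the Office/script-host lists are all assumptions constructed for illustration.

```python
"""Hunt for the Word -> VBS -> schtasks chain and the 'd'-word file names.

Added example. The log format and every event below are constructed for
illustration; none of it is taken from the Symantec or SSU reports.
"""
import re
from datetime import datetime, timedelta

# Constructed log lines in an assumed key=value form (not a real product's
# schema). Fields: timestamp, parent image, image, full command line.
SAMPLE_LOG = """\
2021-07-14T09:00:00 parent=explorer.exe image=WINWORD.EXE cmd="WINWORD.EXE /n C:\\Users\\user\\Downloads\\report.docx"
2021-07-14T09:05:10 parent=WINWORD.EXE image=wscript.exe cmd="wscript.exe C:\\Users\\user\\AppData\\Local\\Temp\\update.vbs"
2021-07-14T09:06:00 parent=wscript.exe image=schtasks.exe cmd="schtasks.exe /create /tn Update /tr wscript.exe C:\\Users\\user\\AppData\\Local\\Temp\\update.vbs /sc minute /mo 10"
2021-07-14T10:00:00 parent=explorer.exe image=notepad.exe cmd="notepad.exe C:\\Users\\user\\notes.txt"
2021-07-14T11:00:00 parent=explorer.exe image=WINWORD.EXE cmd="WINWORD.EXE /n C:\\Users\\user\\Documents\\minutes.docx"
2021-07-14T11:30:00 parent=explorer.exe image=cscript.exe cmd="cscript.exe C:\\Scripts\\inventory.vbs"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) parent=(?P<parent>\S+) image=(?P<image>\S+) cmd="(?P<cmd>.*)"$'
)
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}   # assumed document apps
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}           # Windows script hosts

# Heuristic from the naming observation: one word starting with 'd', or two
# words joined by '-' with the first starting with 'd', ending in .exe.
NAMING_RE = re.compile(r"^d[a-z]+(?:-[a-z]+)?\.exe$", re.IGNORECASE)


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def office_spawned_script(events, window=timedelta(minutes=10)):
    """Script host running a .vbs whose parent is an Office app started within `window`."""
    office_starts = [e for e in events if e["image"].lower() in OFFICE]
    hits = []
    for e in events:
        if e["parent"].lower() not in OFFICE or e["image"].lower() not in SCRIPT_HOSTS:
            continue
        if ".vbs" not in e["cmd"].lower():
            continue
        # Require a matching Office process start shortly before the script host.
        recent = [o for o in office_starts
                  if o["image"].lower() == e["parent"].lower()
                  and timedelta(0) <= e["ts"] - o["ts"] <= window]
        if recent:
            hits.append(e)
    return hits


def script_host_persistence(events):
    """schtasks /create launched by a script host: the persistence step of the chain."""
    return [e for e in events
            if e["parent"].lower() in SCRIPT_HOSTS
            and e["image"].lower() == "schtasks.exe"
            and "/create" in e["cmd"].lower()]


def matches_shuckworm_naming(filename):
    """True if the file name fits the 'd'-word pattern; a triage hint, not proof."""
    return bool(NAMING_RE.match(filename))


def scan(text):
    """Run both behavioural checks over a log and return the hits by category."""
    events = parse_log(text)
    return {
        "office_to_vbs": office_spawned_script(events),
        "script_host_schtasks": script_host_persistence(events),
    }


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_LOG).items():
        for e in hits:
            print(f"[{name}] {e['ts'].isoformat()} {e['parent']} -> {e['image']}: {e['cmd']}")
    for f in ["descend.exe", "deep-sunken.exe", "z4z05jn4.egf.exe", "dllhost.exe"]:
        print(f"{f}: naming match = {matches_shuckworm_naming(f)}")
```

On the sample data the two behavioural checks each fire once (the script host spawned by Word five minutes after the document opened, and the schtasks /create it then ran), while the unrelated cscript.exe run from Explorer is left alone. The naming check is deliberately weak: it matches the listed samples but also legitimate Windows binaries such as dllhost.exe, and it does not match z4z05jn4.egf.exe at all, so treat it as a reason to look closer at a file, and confirm with hashes or signatures before acting on it.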

The SSU said in its November report that Shuckworm has been responsible for over 5,000 attacks, 1,500 of them against Ukrainian government systems, since 2014. Symantec said, “this activity shows little signs of abating.”

How to prevent phishing attacks against your organization

Phishing and other social engineering attacks can be devastating if successful. To make matters worse, phishers continually evolve and change tactics to suit the current situation, as evidenced during the COVID-19 pandemic.


Despite their ability to devastate organizations, phishing attacks can be combated by installing security software that identifies malicious files in email, training users to recognize phishing, and implementing other phishing best practices that protect your systems where users may fail.