The Russia-linked cyber group Shuckworm is continuing to target Ukrainian organizations with infostealing malware. According to Symantec’s Threat Hunter Team, part of Broadcom Software, much of the current activity is an extension of attacks that were reported by the Computer Emergency Response Team of Ukraine (CERT-UA) in July.
Shuckworm (aka, Gamaredon, Armageddon) is a eight-year-old cyber crime group that focuses almost exclusively on Ukraine, Symantec said.
“Shuckworm is generally considered to be an espionage operation … ,” said Brigid O’Gorman, senior intelligence analyst on the Symantec Threat Hunter team. “Fear of exposure does not appear to deter Shuckworm from continuing its activities.”
The infostealer payload is capable of recording audio using the system’s microphone, take screenshots, log keystrokes and download and execute .exe and .dll files.
Infection Vector
Symantec said Shuckworm used self-extracting 7-Zip files, which were downloaded via email. The binaries in the 7-Zip files subsequently downloaded mshta.exe, an XML file, which was likely masquerading as a HTML application, from the domain a0698649[.]xsph[.]ru. It has been publicly documented since May 2022 that subdomains of xsph[.]ru are associated with Shuckworm activity.
This domain was used in a phishing attack spoofing the Security Service of Ukraine with “Intelligence Bulletin” in the subject line, according to CERT-UA.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
Attack Chain
Running mshta.exe executed a PowerShell stealer. Symantec logged three versions of the same PowerShell stealer on one system.
“It’s possible the attackers may have deployed multiple versions of the stealer, which were all very similar, as an attempt to evade detection,” Symantec said in a blog post detailing the attacks.
Two VBS downloaders with the words “juice” and “justice” in their file names also were seen on victim machines. These filenames are associated with Backdoor.Pterodo, a well-known Shuckworm script capable of calling PowerShells, uploading screenshots and also executing code downloaded from a command-and-control server, Symantec said.
Shuckworm also is deploying the Giddome backdoor, another well-known espionage tool. Some of these Giddome variants may have originated from VCD, H264, or ASC files. Similar to .ISO files, VCD files are images of a CD or DVD recognized by Windows as an actual disc.
The legitimate remote desktop protocol tools Ammyy Admin and AnyDesk were also leveraged by the attackers for remote access—a common tactic used by cyber gangs, Symantec said.
To protect your organization from Shuckworm, Gorman said to:
- Adopt a defense-in-depth strategy using multiple detection, protection and hardening technologies
- Monitor the use of dual-use tools inside the network
- Use the latest version of PowerShell with logging enabled
- Audit and control IT administrative account usage
- Use one-time credentials for IT admins
- Create profiles of usage for IT admins and their tools since many of these tools are used by attackers to move laterally through a network
- Implement multi-factor authentication
- Scan their systems for the indicators of compromise