Hackers working for Russia’s Federal Security Service have mounted multiple cyberattacks that used USB-based malware to steal large amounts of data from Ukrainian targets for use in its ongoing invasion of its smaller neighbor, researchers said.
“The sectors and nature of the organizations and machines targeted may have given the attackers access to significant amounts of sensitive information,” researchers from Symantec, now owned by Broadcom, wrote in a Thursday post. “There were indications in some organizations that the attackers were on the machines of the organizations’ human resources departments, indicating that information about individuals working at the various organizations was a priority for the attackers, among other things.”
The group, which Symantec tracks as Shuckworm and other researchers call Gamaredon and Armageddon, has been active since 2014 and has been linked to Russia’s FSB, the principal security service in that country. The group focuses solely on obtaining intelligence on Ukrainian targets. In 2020, researchers at security firm SentinelOne said the hacking group had “attacked over 5,000 individual entities across the Ukraine, with particular focus on areas where Ukrainian troops are deployed.”
In February, Shuckworm began deploying new malware and command-and-control infrastructure that has successfully penetrated the defenses of multiple Ukrainian organizations in the military, security services, and government of that country. Group members seem most interested in obtaining information related to sensitive military information that could be abused in Russia’s ongoing invasion.
This newer campaign debuted new malware in the form of a PowerShell script that spreads Pterodo, a Shuckworm-created backdoor. The script activates when infected USB drives are connected to targeted computers. The malicious script first copies itself onto the targeted machine to create a shortcut file with the extension rtf.lnk. The files have names such as video_porn.rtf.lnk, do_not_delete.rtf.lnk, and evidence.rtf.lnk. The names, which are mostly in the Ukrainian language, are an attempt to entice targets to open the files so they will install Pterodo on machines.
The script goes on to enumerate all drives connected to the targeted computer and to copy itself to all attached removable drives, most likely in hopes of infecting any air-gapped devices, which are intentionally not connected to the Internet in an attempt to prevent them from being hacked.
To cover its tracks, Shuckworm has created dozens of variants and rapidly rotated the IP addresses and infrastructure it uses for command and control. The group also uses legitimate services such as Telegram and its micro-blogging platform Telegraph for command and control in another attempt to avoid detection.
Shuckworm typically uses phishing emails as an initial vector into targets’ computers. The emails contain malicious attachments that masquerade as files with extensions, including .docx, .rar, .sfx, lnk, and hta. Emails often use topics such as armed conflicts, criminal proceedings, combating crime, and protecting children as lures to get targets to open the emails and click on the attachments.
Symantec researchers said that an infected computer they recovered in the campaign was typical for the way it works. They wrote:
In one victim, the first sign of malicious activity was when the user appeared to open a RAR archive file that was likely delivered via a spear-phishing email and which contained a malicious Document.
After the document was opened, a malicious PowerShell command was observed being executed to download the next-stage payload from the attackers’ C&C server:
“CSIDL_SYSTEM\cmd.exe” /c start /min “” powershell -w hidden
More recently, Symantec has observed Shuckworm leveraging more IP addresses in their PowerShell scripts. This is likely an attempt to evade some tracking methods employed by researchers.
Shuckworm also continues to update the obfuscation techniques used in its PowerShell scripts in an attempt to avoid detection, with up to 25 new variants of the group’s scripts observed per month between January and April 2023.
Thursday’s post includes IP addresses, hashes, file names, and other indicators of compromise people can use to detect if they have been targeted. The post also warns that the group poses a threat that targets should take seriously.
“This activity demonstrates that Shuckworm’s relentless focus on Ukraine continues,” they wrote. “It seems clear that Russian nation-state-backed attack groups continue to laser in on Ukrainian targets in attempts to find data that may potentially help their military operations.”