Russia-linked state-backed hacker groups are continuing to launch cyberattacks against organizations in Ukraine amid the ongoing Ukraine-Russia war. Researchers with Symantec have uncovered a new espionage campaign orchestrated by the Gamaredon hacker group (aka Armageddon, Shuckworm), which targets Ukrainian entities with variants of the Pterodo backdoor.
The group has been launching cyberattacks against Ukraine since it first appeared in 2014.
“While the group’s tools and tactics are simple and sometimes crude, the frequency and persistence of its attacks mean that it remains one of the key cyber threats facing organizations in the region,” Symantec said.
In the recent attacks, Gamaredon has been observed using several different versions of the Pterodo backdoor designed to perform similar tasks. This redundancy lets the threat actor keep access to an infected device even if one payload or command-and-control (C&C) server is detected and blocked.
Symantec's Threat Hunter Team discovered and analysed four variants of Pterodo used in the recent attacks, all of them Visual Basic Script (VBS) droppers with similar functionality that use Scheduled Tasks (schtasks.exe) to maintain persistence and fetch additional payloads from a C&C server.
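The persistence mechanism described above (a scheduled task that launches a script host against a dropped VBS file on a short interval) is easy to hunt for in logs. The following is an added example written for this article, not code from Symantec or from the malware: it triages two constructed inputs, a schtasks.exe command line as logged by Sysmon Event ID 1 or Security 4688, and the task XML carried in Security Event ID 4698 (scheduled task created), and reports why an action looks like a script-dropper hook. Every log line, task name and path in it is made up for the demonstration; the indicator lists and the 15-minute "short beacon" threshold are assumptions to tune for your environment.

```python
"""Triage scheduled-task creation for script-host persistence.

Added example for this article; not Symantec's or the malware's code.
All events below are constructed, not captured from a real incident.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}          # assumed indicator list
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")         # assumed indicator list
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
SHORT_INTERVAL_MIN = 15                                                # assumed threshold


def score_action(command, arguments):
    """Return the reasons a task action looks like a VBS-dropper persistence hook."""
    reasons = []
    exe = command.strip().strip('"').lower().rsplit("\\", 1)[-1]
    if exe in SCRIPT_HOSTS:
        reasons.append("script host")
    blob = f"{command} {arguments}".lower()
    if any(ext in blob for ext in SCRIPT_EXTS):
        reasons.append("script file")
    if any(path in blob for path in USER_WRITABLE):
        reasons.append("user-writable path")
    return reasons


def _opt(cmdline, flag):
    """Value of a schtasks /flag, quoted or bare; None if the flag is absent."""
    m = re.search(rf'(?i)\s{re.escape(flag)}\s+(?:"([^"]*)"|(\S+))', cmdline)
    if m is None:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def inspect_schtasks_cmdline(cmdline):
    """Parse a 'schtasks /create' command line (Sysmon EID 1 / Security 4688)."""
    lowered = cmdline.lower()
    if "schtasks" not in lowered or "/create" not in lowered:
        return None
    run = _opt(cmdline, "/tr") or ""
    command, _, arguments = run.partition(" ")       # first token is the executable
    reasons = score_action(command, arguments)
    sched = (_opt(cmdline, "/sc") or "").lower()
    modifier = _opt(cmdline, "/mo")
    if sched == "minute" and modifier and modifier.isdigit() and int(modifier) <= SHORT_INTERVAL_MIN:
        reasons.append("short beacon interval")
    return {"task": _opt(cmdline, "/tn"), "action": run, "reasons": reasons}


def inspect_task_xml(task_xml):
    """Parse the TaskContent XML from Security EID 4698 and score every Exec action."""
    root = ET.fromstring(task_xml)
    task_name = root.findtext(f".//{TASK_NS}URI", default=None)
    interval = root.findtext(f".//{TASK_NS}Repetition/{TASK_NS}Interval", default="")
    m = re.fullmatch(r"PT(\d+)M", interval)         # ISO 8601 duration, minutes only
    short = bool(m) and int(m.group(1)) <= SHORT_INTERVAL_MIN
    findings = []
    for exec_ in root.iter(f"{TASK_NS}Exec"):
        command = exec_.findtext(f"{TASK_NS}Command", default="")
        arguments = exec_.findtext(f"{TASK_NS}Arguments", default="")
        reasons = score_action(command, arguments)
        if short:
            reasons.append("short beacon interval")
        findings.append({"task": task_name, "action": f"{command} {arguments}".strip(),
                         "reasons": reasons})
    return findings


def hunt(events):
    """events: iterable of (kind, payload). Returns only findings that scored."""
    hits = []
    for kind, payload in events:
        if kind == "cmdline":
            f = inspect_schtasks_cmdline(payload)
            if f and f["reasons"]:
                hits.append(f)
        elif kind == "task_xml":
            hits.extend(f for f in inspect_task_xml(payload) if f["reasons"])
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ("cmdline", r'schtasks.exe /create /f /sc minute /mo 10 /tn "WindowsUpdateCheck" '
                r'/tr "wscript.exe //b C:\Users\victim\AppData\Roaming\update.vbs"'),
    ("cmdline", r'schtasks.exe /create /sc daily /st 03:00 /tn "NightlyBackup" '
                r'/tr "C:\Tools\backup.exe /full"'),
    ("task_xml", r'''<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\SvcHealth</URI></RegistrationInfo>
  <Triggers><TimeTrigger><Repetition><Interval>PT10M</Interval></Repetition></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\cscript.exe</Command>
    <Arguments>//E:vbscript //B C:\ProgramData\svc.vbe</Arguments>
  </Exec></Actions>
</Task>'''),
    ("task_xml", r'''<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Vendor\AgentCheck</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files\Vendor\agent.exe</Command>
    <Arguments>--check</Arguments>
  </Exec></Actions>
</Task>'''),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["task"], "=>", hit["action"], "|", ", ".join(hit["reasons"]))
```

The two benign samples score nothing, the two dropper-style samples score on every heuristic. Treat this as a triage filter rather than a verdict: wscript.exe and cscript.exe are used by legitimate logon scripts and management tooling, so in production pair the "script host" signal with the path and interval signals and an allowlist of known task names. Because the article notes that several Pterodo variants and C&C servers are deployed side by side, correlate hits by host rather than closing the case on the first task you remove.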
In addition to Pterodo, the group has been observed using other tools such as the UltraVNC remote desktop software and Process Explorer, a Microsoft Sysinternals tool that shows which handles and DLLs each process has opened or loaded.
“While Shuckworm is not the most tactically sophisticated espionage group, it compensates for this in its focus and persistence in relentlessly targeting Ukrainian organizations. It appears that Pterodo is being continuously redeveloped by the attackers in a bid to stay ahead of detection,” the researchers said.
“While Shuckworm appears to be largely focused on intelligence gathering, its attacks could also potentially be a precursor to more serious intrusions, if the access it acquires to Ukrainian organizations is turned over to other Russian-sponsored actors.”
Cybersecurity Help statement on the critical situation in Ukraine
On February 24, people in many cities and towns across Ukraine woke up to the sounds of explosions and artillery fire, as the Russian Federation launched a full-scale invasion of the country. Such actions are unacceptable; the political ambitions of any man aren't worth the blood, tears, and destruction of millions of lives. We give our full support to the Ukrainian people in these hard times. No more war! Слава Україні! (Glory to Ukraine!)