A Russia-linked hacker group is continuing to attack organizations in Ukraine with info-stealing malware. The ongoing cyber campaign is said to be an extension of the attacks detailed by Ukraine’s computer emergency response team in July 2022.
Symantec’s Threat Hunter Team, part of Broadcom Software, shared the technical details on the campaign, which has been attributed to a known advanced persistent threat group Gamaredon (Armageddon or Shuckworm). The group has been active since 2014 and is exclusively focused on Ukraine.
In the observed campaign the attackers leveraged a self-extracting 7-Zip file, which was downloaded via the system’s default browser from a domain (a0698649[.]xsph[.]ru) that has been previously associated with Gamaredon activity. The domain was used in a phishing attack spoofing the Security Service of Ukraine with “Intelligence Bulletin” in the subject line, according to CERT-UA’s July security advisory.
The binaries in the 7-Zip files subsequently downloaded mshta.exe, an XML file, which was likely masquerading as a HTML application.
Upon downloading of the XML file onto victim networks, a PowerShell stealer is run on the victim’s machine. The researchers said they found three versions of this malware, which were all very similar, and likely were deployed as a means to evade detection.
Symantec also found Backdoor.Pterodo, a well-known Gamaredon tool, on victim machines, which came in the form of two VBS downloaders. These scripts are capable of calling PowerShell, uploading screenshots, and also executing code downloaded from a command-and-control (C&C) server.
In addition to the above-mentioned, the researchers observed Gamaredon deploying the Giddome backdoor, another well-known Gamaredon tool. Some of these Giddome variants may have originated from VCD, H264, or ASC files. Similar to .ISO files, VCD files are images of a CD or DVD recognized by Windows as an actual disc.
For remote access the threat actor leveraged the legitimate remote desktop protocol (RDP) tools Ammyy Admin and AnyDesk - a common tactic used by ransomware and state-backed hacker groups.
“As the Russian invasion of Ukraine approaches the six-month mark, Shuckworm’s long-time focus on the country appears to be continuing unabated. That this recent activity continues even after CERT-UA documented it shows that fear of exposure does not deter the group from its activities. While Shuckworm is not necessarily the most tactically sophisticated espionage group, it compensates for this in its focus and persistence in relentlessly targeting Ukrainian organizations,” Symantec concluded.