Russia-linked state-sponsored cyber-espionage group Gamaredon (Armageddon, UAC-0010) continues its relentless attacks against government entities and organizations in Ukraine's military and security intelligence sectors, using updated malware tools, according to a new report from Symantec's threat intelligence team.
The group, which Symantec tracks as Shuckworm, repeatedly attempted to access and steal sensitive information such as reports about the deaths of Ukrainian military service members, enemy engagements and air strikes, arsenal inventories, and military training. In some cases, the team says, Shuckworm’s operations lasted for as long as three months.
Gamaredon has been active since at least 2014 and is one of the most pervasive, intrusive, continuously active and focused APTs targeting Ukraine. Ukrainian officials have linked the group to the Russian Federal Security Service (FSB).
The threat actor uses phishing emails for malware distribution and provides access to compromised networks and intelligence to other cybercriminals.
The phishing lures observed in Gamaredon’s most recent campaigns, dating from February/March 2023, include topics related to armed conflicts, criminal proceedings, combating crime, and the protection of children.
The attacks also involved a new PowerShell script used to deploy Gamaredon’s custom backdoor Pterodo, via USB. The Symantec team also notes that they have seen what appears to be a known Shuckworm backdoor called Giddome used for data exfiltration.
“The new PowerShell script is used to first copy itself onto the infected machine and create a shortcut file using an rtk.lnk extension. The script uses file names such as ‘porn_video.rtf.lnk’, ‘do_not_delete.rtf.lnk’ and ‘evidence.rtf.lnk’ in an attempt to entice individuals to open the files. These file names are generally in Ukrainian, but some are also in English,” the report explains.
The script then enumerates all drives, copying itself to any available removable disks – USB drives likely used by the attackers for lateral movement across victim networks and, possibly, to help them reach air-gapped machines within targeted organizations.
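As an added hunting example (not from the Symantec report or the malware itself), the following Python flags shortcut files whose names carry a fake document extension, like the .rtf.lnk names described above, and scores those sitting at the root of a removable drive higher; the widened extension list, the scoring and the sample paths are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Document-looking inner extensions paired with .lnk. The report describes
# .rtf.lnk; the rest of the list is an assumption to widen the hunt.
DECOY_DOC_EXTS = ("rtf", "doc", "docx", "pdf", "xls", "xlsx", "txt")

# Matches e.g. "evidence.rtf.lnk": a shortcut disguised as a document.
DOUBLE_EXT_LNK = re.compile(
    r"^(?P<stem>.+)\.(?P<inner>%s)\.lnk$" % "|".join(DECOY_DOC_EXTS),
    re.IGNORECASE,
)

@dataclass
class Finding:
    path: str
    inner_ext: str
    removable: bool
    score: int

def hunt_decoy_lnk(paths, removable_drives):
    """Flag .lnk files disguised as documents, highest score first.

    paths: full Windows paths (here constructed; in practice an EDR or
           file-inventory export). removable_drives: letters such as "E:".
    """
    removable = {d.upper() for d in removable_drives}
    findings = []
    for p in paths:
        m = DOUBLE_EXT_LNK.match(p.rsplit("\\", 1)[-1])
        if not m:
            continue
        on_removable = p[:2].upper() in removable
        at_root = p.count("\\") == 1  # e.g. "E:\evidence.rtf.lnk"
        # Decoy name (+2), on removable media (+2), at the volume root (+1):
        # the combination mirrors the USB propagation described above.
        score = 2 + (2 if on_removable else 0) + (1 if at_root else 0)
        findings.append(Finding(p, m.group("inner").lower(), on_removable, score))
    return sorted(findings, key=lambda f: f.score, reverse=True)

# Constructed sample inventory; drive E: is a USB stick in this scenario.
SAMPLE_PATHS = [
    r"E:\evidence.rtf.lnk",
    r"E:\do_not_delete.rtf.lnk",
    r"C:\Users\analyst\Desktop\report.docx",
    r"C:\Users\analyst\Desktop\Quarterly.lnk",
    r"C:\Temp\porn_video.rtf.lnk",
]

if __name__ == "__main__":
    for f in hunt_decoy_lnk(SAMPLE_PATHS, {"E:"}):
        print(f.score, f.path, "removable" if f.removable else "fixed")
```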
The group is also leveraging legitimate services to act as command-and-control servers; however, Gamaredon uses any given piece of C&C infrastructure only for a short period of time.
“The sectors and nature of the organizations and machines targeted may have given the attackers access to significant amounts of sensitive information. There were indications in some organizations that the attackers were on the machines of the organizations’ human resources departments, indicating that information about individuals working at the various organizations was a priority for the attackers, among other things,” Symantec said.
“This activity demonstrates that Shuckworm’s relentless focus on Ukraine continues. It seems clear that Russian nation-state-backed attack groups continue to prioritize high-value Ukrainian targets in attempts to find data that may potentially help their military operations.”