Russian hackers target Ukrainian military with new Subtle-Paws PowerShell backdoor


The Securonix Threat Research team has uncovered a sophisticated cyber-espionage campaign targeting Ukraine, leveraging a novel PowerShell backdoor. This ongoing campaign, believed to be linked to the notorious Shuckworm group, employs stealthy tactics to evade detection and primarily targets Ukrainian military personnel.

Shuckworm APT (aka Actinium, Armageddon, Primitive Bear, Gamaredon, and Trident Ursa) is a Russia-backed advanced persistent threat (APT) group that has been operating since at least 2013. This cyber-espionage group is known to target government, military, and other high-value targets, primarily in Ukraine, and has been linked to several earlier APT campaigns.

In the latest campaign, tracked by Securonix as STEADY#URSA, the threat actor has been observed using a new PowerShell backdoor dubbed ‘Subtle-Paws.’ The malicious payload is distributed through compressed files, suggesting a potential association with phishing emails as the delivery method.

The researchers found that many samples contained references to Ukrainian cities and military terminology. PowerShell is the predominant tool used throughout the campaign. The infection chain begins with the victim executing a malicious shortcut (.lnk) file, which then loads and runs Subtle-Paws from a payload hidden inside another file in the same archive.

The initial stages of the attack are relatively straightforward, with the victim unzipping the archive and double-clicking on the included shortcut file. The shortcuts consistently follow a nomenclature pattern based on Ukrainian cities or military terms. However, late-stage execution and persistence mechanisms exhibit a higher level of complexity to maintain a long-term presence on compromised systems.
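As an added illustration (not code from the article or from Securonix), the delivery chain described above translates into a simple triage rule over process-creation telemetry: PowerShell spawned by explorer.exe (a double-clicked shortcut) whose command line reads, and ideally evaluates, a non-script file sitting next to it. Field names follow Sysmon Event ID 1, the sample events are constructed, and the cmdlet list is an assumption rather than an indicator taken from the report.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    """Subset of a Sysmon Event ID 1 (process creation) record."""
    parent_image: str
    image: str
    command_line: str

# Assumed primitives: ones that read a file, ones that evaluate text as code,
# and a pattern for file-looking command-line tokens (extension captured).
READ_PRIMITIVES = re.compile(r"\b(Get-Content|gc|cat|type|ReadAllText|ReadAllBytes)\b", re.I)
EVAL_PRIMITIVES = re.compile(r"\b(iex|Invoke-Expression|Invoke-Command)\b", re.I)
FILE_TOKEN = re.compile(r"[\w\\.:~-]+\.([A-Za-z][A-Za-z0-9]{0,4})\b")
EXPECTED_EXTS = {"ps1", "psm1", "psd1", "exe", "dll"}

def is_shortcut_launched(ev: ProcessEvent) -> bool:
    """A double-clicked .lnk gives PowerShell explorer.exe as its parent."""
    return (ev.parent_image.lower().endswith("\\explorer.exe")
            and ev.image.lower().endswith(("\\powershell.exe", "\\pwsh.exe")))

def hidden_payload_files(cmd: str) -> list:
    """Non-script files named on the command line, where such a loader hides its payload."""
    return sorted({m.group(0) for m in FILE_TOKEN.finditer(cmd)
                   if m.group(1).lower() not in EXPECTED_EXTS})

def triage(events: list) -> list:
    """Return (reason, event) pairs for shortcut-launched PowerShell that
    reads, and ideally evaluates, a sibling non-script file. Heuristic only."""
    hits = []
    for ev in events:
        if not is_shortcut_launched(ev):
            continue
        files = hidden_payload_files(ev.command_line)
        if not files or not READ_PRIMITIVES.search(ev.command_line):
            continue
        verb = "loads and evaluates" if EVAL_PRIMITIVES.search(ev.command_line) else "reads"
        hits.append((f"lnk->powershell {verb} non-script file {files}", ev))
    return hits

def sample_events() -> list:
    """Constructed events: the first mimics the described chain, the rest are benign."""
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    return [
        ProcessEvent(r"C:\Windows\explorer.exe", ps,
                     r'powershell.exe -NoProfile -Command "iex (Get-Content .\notes.txt -Raw)"'),
        ProcessEvent(r"C:\Windows\explorer.exe", ps, r"powershell.exe -File C:\Scripts\backup.ps1"),
        ProcessEvent(r"C:\Windows\System32\cmd.exe", ps, r'powershell.exe -c "type C:\logs\app.log"'),
    ]
```

Run `triage(sample_events())` to see the single hit; in production the same rule would be fed from your EDR or Sysmon pipeline and tuned against the legitimate shortcut-launched scripts in your environment.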

“It’s important to note that the lateral movement portion of this attack does not attempt to access the target’s network. For the Ukraine military, much of their systems rely on air-gapped communications such as Starlink. Lateral movement for the STEADY#URSA campaign relies solely on the use of USB drives in an attempt to deliver and spread the malware from system to system,” the researchers said.

Earlier this month, Russian cyberespionage group APT28, affiliated with the Main Directorate of the General Staff of the Russian Armed Forces (GRU), was observed conducting phishing attacks aimed at obtaining Ukrainian military personnel's credentials that would give it access to the country’s military situational awareness and command and control systems. The phishing campaign involves several attack vectors and is specifically targeting military personnel and units of the Ukrainian Defense Forces.

