Shuckworm Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/shuckworm/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Last updated: Mon, 19 Jun 2023 11:04:06 +0000

Shuckworm Gang Attacks Ukrainian Companies Using Pterodo Backdoor and USB Drives
https://gridinsoft.com/blogs/shuckworm-attacks-ukrainian-companies/
Mon, 19 Jun 2023 11:04:06 +0000

Symantec experts report that the Shuckworm hack group (aka Armageddon, Gamaredon, Iron Tilden, Primitive Bear, Trident Ursa, UNC530, Winterflounder, and so on) is attacking Ukrainian companies using the Pterodo backdoor distributed via USB drives.

The main targets of hackers are important organizations in the military and IT sectors.

According to experts, in some cases, the group managed to organize long-term attacks that lasted up to three months, which in the end could give attackers access to “significant amounts of confidential information.”

Let me remind you that we also reported that TrickBot Hack Group Systematically Attacks Ukraine, and that Microsoft Accuses Russia of Cyberattacks against Ukraine’s Allies.

The media also wrote that Sandworm Targets Ukraine With Industroyer2 Malware.

Shuckworm activity in 2023 spiked between February and March 2023, and hackers continued to have a presence on some compromised machines until May 2023.

To launch attacks, Shuckworm typically uses phishing emails containing malicious attachments disguised as .docx, .rar, .sfx, .lnk and .hta files. Topics such as armed conflict, criminal prosecution, crime control, and child protection are often used as bait in emails to trick targets into opening the message itself and the malicious attachments.

The new Shuckworm campaign debuted a new malware, a PowerShell script that distributes the Pterodo backdoor. The script is activated when infected USB drives are connected to the target computers. It first copies itself to the target machine and creates a shortcut file with an rtf.lnk extension (video_porn.rtf.lnk, do_not_delete.rtf.lnk and evidence.rtf.lnk). Such names are an attempt to induce targets to open the files so that Pterodo can infiltrate their machines.

The script then examines all drives connected to the target computer and copies itself to all attached removable drives for further lateral movement and in the hope of infiltrating isolated devices that are intentionally not connected to the internet to prevent them from being hacked.

To cover its tracks, Shuckworm has created dozens of malware variants (more than 25 PowerShell script variants between January and April 2023) and rapidly changes the IP addresses and infrastructure it uses for command and control.

To avoid detection, the group also runs its command and control through legitimate services, including Telegram and the Telegraph platform.

Shuckworm hackers attack Ukrainian organizations with new variant of Pteredo backdoor
https://gridinsoft.com/blogs/shuckworm-hackers-attack-ukrainian-organizations/
Wed, 20 Apr 2022 21:03:35 +0000

Specialists from the cybersecurity company Symantec reported attacks by the cybercriminal group Shuckworm (Armageddon or Gamaredon) on Ukrainian organizations using a new version of the Pteredo (Pteranodon) custom backdoor.

The group, linked by experts to Russia, has been carrying out cyber-espionage operations against Ukrainian government organizations since at least 2014.

“Attacks of Shuckworm have continued unabated since the Russian invasion of the country. While the group’s tools and tactics are simple and sometimes crude, the frequency and persistence of its attacks mean that it remains one of the key cyber threats facing organizations in the region,” Symantec specialists say.

According to experts, the group carried out more than 5,000 cyberattacks on 1,500 public and private enterprises in the country.

By the way, we talked about the fact that hacker groups split up: some of them support Russia, others Ukraine.

Pteredo has its origins in hacker forums, where it was acquired by Shuckworm in 2016. Hackers began active development of the backdoor, adding DLL modules to it for data theft, remote access, and penetration analysis.

In addition to Pteredo, Shuckworm has also used the UltraVNC remote access tool and Microsoft’s Process Explorer for handling DLL processes in recent attacks.

Note: Let me remind you that even before the escalation of hostilities, Microsoft discovered the WhisperGate wiper attacking Ukrainian users.

If we compare Shuckworm attacks on Ukrainian organizations since January 2022, we can conclude that the group has hardly changed its tactics. In previous attacks, variants of Pteredo were downloaded to the attacked systems using VBS files hidden inside the document attached to the phishing email.

“The Symantec Threat Hunter team has identified four different Pterodo variants that have been used in recent attacks. They are all Visual Basic Script (VBS) droppers with similar functionality. They dump the VBScript file, use scheduled tasks (schtasks.exe) for persistence, and download additional code from the C&C server. All built-in VBScripts were very similar to each other and used similar obfuscation techniques,” Bleeping Computer journalists report.

7-Zip files are unzipped automatically, which minimizes user interaction (the same files were used in the January attacks).

For example, one variant of Pteredo is a modified self-extracting archive containing obfuscated VBScripts that can be decompressed with 7-Zip. Once extracted, the scripts are registered as a scheduled task to ensure persistence:

(Figure: Shuckworm and the Pteredo backdoor)

The script also copies itself to the [USERPROFILE]\ntusers.ini file.

The two newly created files are more obfuscated VBScripts.

  • The first is designed to gather system information, such as the serial number of the C: drive, and send it to a C&C server.
  • The second adds another layer of persistence by copying the previously dropped ntusers.ini file to a desktop.ini file.

Although Shuckworm is a highly professional group, its infection tools and tactics have not improved over the past few months, which makes its activity easier to detect and simplifies protection against it.

Currently, Pteredo is still actively developed, which means that hackers can work on a more advanced, powerful and undetectable version of the backdoor, as well as modify their attack chain.
