- Hackers from Russia’s Federal Security Service have carried out multiple cyberattacks using USB-based malware to steal high-value data from Ukrainian targets.
- The hacking group known as Shuckworm/Gamaredon/Armageddon has been active since 2014 and is linked to Russia’s FSB, focusing exclusively on obtaining intelligence on Ukrainian targets.
- These attacks have evolved over time, using new techniques of evasion, concealment, and constant updating to avoid detection and compromise the defenses of Ukrainian organizations.
The researchers have provided valuable insight into the nature of the attacks and the methods used by the hacking group operating under Russia’s Federal Security Service (FSB). These attacks have used USB-based malware to steal vast amounts of data from Ukrainian targets, in the context of Russia’s ongoing invasion of its smaller neighbor.
Access to confidential information
Researchers at Symantec, now owned by Broadcom, have discovered that the attacks have given hackers access to significant amounts of sensitive information.
Some affected organizations show indications that the attackers have been on the machines of the human resources departments, which suggests that obtaining information about the personnel of these organizations was one of the priorities for the attackers.
The group responsible for the attacks, identified by Symantec as Shuckworm and also known as Gamaredon and Armageddon by other researchers, has been active since 2014. A connection has been established between this group and Russia’s FSB, the country’s main security service. .
The main focus of this group is to obtain intelligence on Ukrainian targets, and their particular interest has been noted in areas where Ukrainian troops are deployed.
New infrastructure and malware used
In February, Shuckworm deployed a new malware command and control infrastructure that has managed to penetrate the defenses of multiple Ukrainian organizations, including the military, security services, and the government.
This group has used a PowerShell script, distributed via infected USB drives, as a new form of malware. The malicious script copies itself to the target machine and creates shortcut files with names like video_porn.rtf.lnk, no_delete.rtf.lnk, and evidence.rtf.lnk. These names, mostly in Ukrainian, are intended to lure targets into opening the files and installing the malware.
And, in order to remain undetected, Shuckworm has created dozens of variants and has rapidly rotated IP addresses and the infrastructure used for command and control. Furthermore, this group has taken advantage of legitimate services such as Telegram and its microblogging platform Telegraph for command and control, in an attempt to avoid detection of their activities.
Attack vectors and subjects used
Shuckworm uses phishing emails as an initial vector into target computers. These emails contain malicious attachments that masquerade as legitimate files, using extensions such as .docx, .rar, .sfx, lnk, and hta.
The subjects used in the emails often deal with topics related to armed conflict, criminal proceedings, fighting crime and child protection, with the aim of tricking recipients into opening the emails and clicking on the attachments.
Execution of malware and evolution of techniques
According to Symantec researchers, they have observed the typical pattern of malware execution on an infected computer. The first sign of malicious activity occurs when the user opens a RAR file, likely delivered via a phishing email, that contains a malicious document. After opening the document, a malicious PowerShell command is executed that downloads the payload from the attackers’ command and control server.
Shuckworm has recently expanded the use of IP addresses in its PowerShell scripts, possibly as an attempt to circumvent tracking methods used by researchers.
Additionally, they have been constantly updating the obfuscation techniques used in their PowerShell scripts, introducing up to 25 new variants per month between January and April 2023.
Indicators of commitment and warning by researchers
Symantec’s post provides a list of IP addresses, hashes, file names, and other indicators of compromise that can be used to detect if you have been attacked. Additionally, it is warned that the Shuckworm group poses a significant threat and should be taken seriously by the targets.