Russia-Backed Hackers Using New USB-based Malware to Acquire Ukraine’s Military Intelligence

Ukraine remains under constant threat as the Russian state-sponsored hacking group Shuckworm (aka Armageddon or Gamaredon) continues to carry out numerous cyber attacks, mainly focusing on the following organizations of Ukraine:-

  • Security services
  • Military
  • Government

Information-stealing tools were used by Russian hackers connected to the FSB, targeting Ukrainian government groups, as reported by cybersecurity researchers at Symantec.

They infected new systems using a Word template trick and updated versions of their “Pteranodon” malware.

Shuckworm TTPs Using USB Malware

Recently to spread and infect more systems within compromised networks, it has been detected that the threat actors have adopted the use of USB malware.

In their latest campaign, Shuckworm sets its sights on HR departments since threat actors plan to launch spear-phishing attacks against organizations that have already been compromised.

Using phishing emails as their primary tactic, Shuckworm gains access to victim machines and disseminates malware for initial infection.

The attackers target Ukrainian victims through emails containing malicious attachments in various file formats, and here below we have mentioned them:-

  • .docx
  • .rar (RAR archive files)
  • .sfx (self-extracting archives)
  • .lnk
  • .hta (HTML smuggling files)

During recent activities, experts noticed that the group incorporated legitimate services like Telegram into their command and control (C&C) infrastructure.

To store their command and control (C&C) addresses, recently, it has been detected that they also used the “Telegraph,” a micro-blogging platform of Telegram.

Shuckworm TTPs Attack Chain

As identified by Symantec’s analysts, Shuckworm’s activity experienced a notable surge from February to March 2023.

Until May 2023, the hackers continued to be on specific compromised machines. Symantec tested 25 different categories of PowerShell scripts between January and April 2023.

By employing the “.rtk.lnk” extension, the PowerShell script replicates itself on the compromised machine and generates a shortcut file.

After the victim opens those files, the PowerShell script scans the computer’s drives and copies itself onto removable USB drives. As a result, the script gains enhanced mobility within the compromised network.

Symantec’s analysts uncovered a file named “foto.safe” on one of the machines that Gamaredon infiltrated this year. The file was identified to be a PowerShell script encoded in base64.

Moreover, Shuckworm is expected to continue its cyberattacks on Ukraine. Not only that even, but the group is also likely to update its tools and techniques to steal data that could help the Russian military to execute its operations successfully.

Looking For an All-in-One Multi-OS Patch Management Platform – 

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.