Russia-Backed Hackers Using New USB-based Malware to Acquire Ukraine’s Military Intelligence
Ukraine remains under constant threat because the Russian state-backed hacking group Shuckworm (aka Armageddon or Gamaredon) continues to conduct a large number of cyber attacks, primarily targeting the following Ukrainian organizations:-
- Security services
- Military
- Government
Information-stealing tools were used by Russian hackers connected to the FSB, targeting Ukrainian government organizations, as reported by cybersecurity researchers at Symantec.
They infected new systems using a Word template trick and updated versions of their “Pteranodon” malware.
Shuckworm TTPs Using USB Malware
Recently, to spread and infect more systems within compromised networks, the threat actors have been observed adopting USB malware.
In their most recent campaign, Shuckworm set its sights on HR departments, since the threat actors planned to launch spear-phishing attacks against organizations that had already been compromised.
Using phishing emails as their principal tactic, Shuckworm gains access to victim machines and disseminates malware for initial infection.
The attackers target Ukrainian victims through emails containing malicious attachments in various file formats, listed below:-
- .docx
- .rar (RAR archive files)
- .sfx (self-extracting archives)
- .lnk
- .hta (HTML smuggling files)
Regarding recent activity, experts observed that the group integrated legitimate services such as Telegram into its command and control (C&C) infrastructure.
More recently, they have also been detected storing their command and control (C&C) addresses on “Telegraph,” Telegram’s micro-blogging platform.
Shuckworm TTPs Attack Chain
According to Symantec’s analysts, Shuckworm’s activity experienced a significant surge from February to March 2023.
Until May 2023, the hackers persisted on certain compromised machines. Symantec examined 25 different variants of PowerShell scripts between January and April 2023.
The PowerShell script copies itself onto the compromised machine and creates a shortcut file that uses the “.rtk.lnk” extension.
After the victim opens those files, the PowerShell script scans the computer’s drives and copies itself onto removable USB drives. As a result, the script gains enhanced mobility throughout the compromised network.
Symantec’s analysts uncovered a file named “foto.safe” on one of the machines that Gamaredon infiltrated this year. The file was identified as a PowerShell script encoded in base64.
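As an added defender-side illustration (not code from this article or from Symantec), the following Python scan checks a mounted drive for the two USB artifacts described above: shortcut files with a double extension ending in .lnk, and files whose content is a base64-encoded PowerShell script. The sample drive, the PowerShell token list and all file names other than “.rtk.lnk” and “foto.safe” are constructed assumptions.

```python
import base64
import re
import tempfile
from pathlib import Path

# Indicators from the article: a shortcut with a double extension ending in ".lnk"
# (e.g. "report.rtk.lnk") and a base64-encoded PowerShell script such as "foto.safe".
DOUBLE_EXT_LNK = re.compile(r"^.+\.[A-Za-z0-9]{1,5}\.lnk$", re.IGNORECASE)
PS_TOKENS = re.compile(r"Get-ChildItem|Copy-Item|Invoke-|New-Object|\$env:", re.IGNORECASE)  # assumed token list

def looks_like_base64_powershell(data: bytes) -> bool:
    """True if `data` is valid base64 that decodes to text carrying PowerShell tokens."""
    compact = b"".join(data.split())  # tolerate line-wrapped base64
    if not compact or len(compact) % 4:
        return False
    try:
        decoded = base64.b64decode(compact, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    for encoding in ("utf-16-le", "utf-8"):  # -EncodedCommand payloads are UTF-16LE
        try:
            if PS_TOKENS.search(decoded.decode(encoding)):
                return True
        except UnicodeDecodeError:
            continue
    return False

def scan_drive(root: str) -> dict:
    """Walk a mounted drive and return suspicious paths (relative to root) by category."""
    findings = {"double_ext_lnk": [], "b64_powershell": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        if DOUBLE_EXT_LNK.match(path.name):
            findings["double_ext_lnk"].append(rel)
        elif looks_like_base64_powershell(path.read_bytes()[:65536]):  # inspect the head only
            findings["b64_powershell"].append(rel)
    return findings

def build_sample_drive() -> str:
    """Constructed sample drive: one benign file plus the two artifact types (not real malware)."""
    root = tempfile.mkdtemp(prefix="usb_sample_")
    Path(root, "notes.txt").write_text("plain notes, nothing to see")
    Path(root, "report.rtk.lnk").write_bytes(b"L\x00\x00\x00" + b"\x00" * 60)
    script = "Get-ChildItem -Path $env:USERPROFILE | Out-File list.txt"  # harmless stand-in
    Path(root, "foto.safe").write_bytes(base64.b64encode(script.encode("utf-16-le")))
    return root
```

Run `scan_drive(build_sample_drive())` to see both artifact types flagged; in practice point `scan_drive` at the mount point of a removable drive.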
Furthermore, Shuckworm is expected to continue its cyberattacks on Ukraine. Not only that, but the group is also likely to change its tools and tactics to steal information that could help the Russian military conduct its operations effectively.
Source credit : cybersecuritynews.com