{"id":2736,"date":"2025-04-10T21:08:51","date_gmt":"2025-04-10T21:08:51","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2736"},"modified":"2025-04-10T21:08:51","modified_gmt":"2025-04-10T21:08:51","slug":"russian-shuckworm-apt-is-back-with-updated-gammasteel-malware","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2736","title":{"rendered":"Russian Shuckworm APT is back with updated GammaSteel malware"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A cyberespionage group of Russian origin that has targeted entities from Ukraine, or from countries that are helping Ukraine, has recently launched an attack against the military of a Western nation using an updated version of the GammaSteel malware.<\/p>\n<p>Shuckworm, also known as <a href=\"https:\/\/attack.mitre.org\/groups\/G0047\/\">Gamaredon<\/a>, Aqua Blizzard, or Primitive Bear, is an APT group that is believed to be linked to the Russian Federal Security Service (the FSB). The group has targeted government, law enforcement, NGOs, and defense organizations in Ukraine for over a decade, with the first attacks reported in 2013. (Read more about the history of <a href=\"https:\/\/www.csoonline.com\/article\/571865\/a-timeline-of-russian-linked-cyberattacks-on-ukraine.html\">Russian cyberattacks on Ukraine<\/a>.)<\/p>\n<p>In <a href=\"https:\/\/www.security.com\/threat-intelligence\/shuckworm-ukraine-gammasteel\">a new campaign<\/a> observed in February by researchers from Broadcom\u2019s Symantec, the target was the military mission of an unnamed Western country in Ukraine. 
It used a complex attack chain with a series of obfuscated scripts and a new PowerShell-based version of the GammaSteel infostealer.<\/p>\n<p>\u201cWhile the group does not appear to have access to the same skill set as some other Russian groups, Shuckworm does now appear to be trying to compensate for this by continually making minor modifications to the code it uses, adding obfuscation, and leveraging legitimate web services, all to try to lower the risk of detection,\u201d the Symantec researchers said.<\/p>\n<h2 class=\"wp-block-heading\">Attack chain launched from external drive<\/h2>\n<p>The infection analyzed by Symantec seems to have started with a Windows shortcut (.lnk) file called <em>files.lnk<\/em>, launched from an external drive. The launch was recorded under the UserAssist key in the Registry, which stores a ROT13-encoded record of files, links, applications, and objects the current user has opened through Windows Explorer.<\/p>\n<p>After that file was executed, it launched <em>mshta.exe<\/em>, a signed Windows binary that runs HTML Applications and can therefore execute VBScript and JScript locally. In this case, it was used to execute a JavaScript command that invoked an ActiveX object and used <em>wscript.exe<\/em> to execute a file called <em>~.drv<\/em>, a name with no script extension at all.<\/p>\n<p>This is a highly obfuscated file whose execution resulted in the creation of two additional files with names of the format <em>NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms<\/em>, mimicking the legitimate Registry transaction log files found in every user profile. The goal of one of the files is to contact the attackers\u2019 command-and-control (C2) server and maintain a persistent connection with it.<\/p>\n<p>The C2 servers\u2019 IP addresses are obtained by contacting URLs hardcoded in the file and retrieving the current addresses from them. 
The result is two IP addresses and a domain name that all point to attacker-controlled servers.<\/p>\n<p>\u201cThe [C2] server is similar to others that have been used by Shuckworm in the past, as shown in an investigation by Recorded Future where the group leveraged Cloudflare tunnels for their [C2] infrastructure,\u201d the researchers said.<\/p>\n<p>The second file in the attack chain modifies Registry values in order to change how Windows Explorer displays hidden and system files. It then infects any removable drives attached to the computer by copying .lnk files into any directories found on them. This is behavior typical of USB worms.<\/p>\n<p>The file names observed by Symantec were in Ukrainian, but translate to terms such as: \u201cConduct plan\u201d, \u201cSpecial message\u201d, \u201cletter to\u201d, \u201cSPECIAL INSPECTION\u201d, \u201cWound report\u201d, \u201cdeployment\u201d, \u201cAIR DEFENSE COMBAT ORDER\u201d, \u201cCommander\u2019s decision on defense\u201d, \u201cObligation\u201d, \u201cCombat calculation\u201d, \u201cGUR support\u201d, \u201cInformation on the dead\u201d, \u201cBMP\u201d, \u201ccontract extension\u201d, and \u201cReference about meeting with the source\u201d.<\/p>\n<p>On one machine, the researchers observed the C2 server delivering obfuscated code which was then launched via PowerShell. This started a chain of obfuscated scripts that reached out to more servers and downloaded additional PowerShell scripts.<\/p>\n<p>One script served as a reconnaissance tool collecting information about the computer, including system information, the name of security software running, available space on disks, the directory tree of the Desktop folder, and a list of all running processes. 
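<\/p>\n<p>The chain described above (a shortcut launched from a removable drive, mshta.exe spawning wscript.exe, wscript.exe running a file with a non-script extension, and a script host rewriting the Explorer hidden-file settings) maps onto a small set of hunting rules. The Python below is an added example and is not code from the Symantec report or from the malware itself: it evaluates those rules over constructed Sysmon-style process and registry records and over UserAssist value names (which Windows stores as the ROT13-encoded path). The field names, paths, SID, drive letters and sample events are assumptions made for the illustration.<\/p>

```python
import codecs
from os.path import basename, splitext

# Added example, not code from the Symantec report. Field names follow Sysmon
# event 1 (process create) and event 13 (registry value set) but are assumptions.

# Extensions the Windows Script Host normally runs; wscript.exe being handed
# anything else (the page describes a file named ~.drv) is worth a look.
WSH_EXTENSIONS = {'.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh'}
SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe'}
# Values under HKCU\\...\\Explorer\\Advanced that control hidden/system file display.
EXPLORER_VIEW_VALUES = {'hidden', 'showsuperhidden'}

def image_name(path):
    # Lower-case file name of an image path, tolerant of either slash style.
    return basename(path.replace('\\', '/')).lower()

def first_argument(command_line):
    # First token after the executable; the constructed samples carry no quoting.
    parts = command_line.split()
    return parts[1] if len(parts) > 1 else ''

def flag_process(event):
    # Process-creation record. Returns a list of reasons (empty if benign).
    reasons = []
    image = image_name(event['Image'])
    parent = image_name(event['ParentImage'])
    if image in SCRIPT_HOSTS:
        if parent == 'mshta.exe':
            reasons.append('script host spawned by mshta.exe')
        target = first_argument(event['CommandLine'])
        if target and splitext(target)[1].lower() not in WSH_EXTENSIONS:
            reasons.append('script host run on non-script file ' + target)
    return reasons

def flag_registry_set(event):
    # Registry value-set record: Explorer view settings written by a script
    # host or mshta.exe rather than by explorer.exe itself.
    image = image_name(event['Image'])
    parts = event['TargetObject'].replace('/', '\\').lower().split('\\')
    if (len(parts) >= 3 and parts[-3:-1] == ['explorer', 'advanced']
            and parts[-1] in EXPLORER_VIEW_VALUES
            and image in SCRIPT_HOSTS | {'mshta.exe'}):
        return ['Explorer hidden-file setting ' + parts[-1] + ' changed by ' + image]
    return []

def decode_userassist(value_name):
    # UserAssist value names are the executed path, ROT13-encoded.
    return codecs.encode(value_name, 'rot13')

def flag_userassist(value_name, removable_drives):
    # A .lnk recorded in UserAssist whose path sits on a removable drive letter.
    path = decode_userassist(value_name)
    if path.lower().endswith('.lnk') and path[:2].upper() in removable_drives:
        return ['shortcut launched from removable drive: ' + path]
    return []

# Constructed samples (not real telemetry); the SID and paths are invented.
PROCESS_EVENTS = [
    {'ParentImage': 'C:\\Windows\\explorer.exe',
     'Image': 'C:\\Windows\\System32\\mshta.exe',
     'CommandLine': 'mshta.exe javascript:new ActiveXObject(...)'},
    {'ParentImage': 'C:\\Windows\\System32\\mshta.exe',
     'Image': 'C:\\Windows\\System32\\wscript.exe',
     'CommandLine': 'wscript.exe E:\\~.drv'},
    {'ParentImage': 'C:\\Windows\\explorer.exe',
     'Image': 'C:\\Windows\\System32\\wscript.exe',
     'CommandLine': 'wscript.exe C:\\Scripts\\logon.vbs'},
]
REGISTRY_EVENTS = [
    {'Image': 'C:\\Windows\\System32\\wscript.exe',
     'TargetObject': 'HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden'},
    {'Image': 'C:\\Windows\\explorer.exe',
     'TargetObject': 'HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden'},
]
# ROT13 of E:\\files.lnk and of C:\\Users\\alice\\Desktop\\Word.lnk.
USERASSIST_NAMES = ['R:\\svyrf.yax', 'P:\\Hfref\\nyvpr\\Qrfxgbc\\Jbeq.yax']
REMOVABLE_DRIVES = {'E:'}

def run_hunt():
    # Apply every rule to the samples and return the list of findings.
    findings = []
    for e in PROCESS_EVENTS:
        findings += flag_process(e)
    for e in REGISTRY_EVENTS:
        findings += flag_registry_set(e)
    for name in USERASSIST_NAMES:
        findings += flag_userassist(name, REMOVABLE_DRIVES)
    return findings

if __name__ == '__main__':
    for finding in run_hunt():
        print('ALERT: ' + finding)
```

<p>On the constructed samples the benign records (wscript.exe running a .vbs under explorer.exe, explorer.exe writing its own view setting, a desktop shortcut on C:) produce nothing, while the chain the article describes yields four findings. The rules key on relationships rather than on the specific file names, which is the point against a group that the researchers note keeps making minor changes to its code and names.<\/p>\n<p>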
All the information collected by the reconnaissance script was sent back to the C2 server.<\/p>\n<h2 class=\"wp-block-heading\">New GammaSteel variant<\/h2>\n<p>The second script was a PowerShell version of GammaSteel that exfiltrated all files with certain extensions from specified directories such as Desktop, Download, and Documents. The targeted extensions included .doc, .docx, .xls, .xlsx, .ppt, .pptx, .vsd, .vsdx, .rtf, .odt, .txt and .pdf.<\/p>\n<p>The new GammaSteel version uses PowerShell web requests to exfiltrate files and, if those fail, falls back to the cURL command line tool routed through a Tor proxy to send data out. Code in the sample also suggests the web service <em>write.as<\/em> may have served as a further fallback exfiltration channel.<\/p>\n<p>\u201cThis attack does mark something of an increase in sophistication for Shuckworm, which appears to be less skilled than other Russian actors, though it compensates for this with its relentless focus on targets in Ukraine,\u201d the researchers said.<\/p>\n<p>The Symantec report includes indicators of compromise such as file hashes, file names, URLs and IP addresses that security teams can use to build detections or threat hunting rules.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A cyberespionage group of Russian origin that has targeted entities from Ukraine, or from countries that are helping Ukraine, has recently launched an attack against the military of a Western nation using an updated version of the GammaSteel malware. 
Shuckworm, also known as Gamaredon, Aqua Blizzard, or Primitive Bear, is an APT group that is [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2728,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2736","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2736"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2736"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2736\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2728"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2736"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2736"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2736"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}