Russian Hackers Using USB Malware to Target Ukraine – Source: www.databreachtoday.com

Cyberwarfare / Nation-State Attacks
,
Endpoint Security
,
Fraud Management & Cybercrime

Gamaredon Spreads Custom Backdoor Through Thumb Drives

Prajeet Nair (@prajeetspeaks) •
June 16, 2023    

A Russian government-linked threat group is using USB drives to spread a custom backdoor in a possible bid to reach air-gapped machines, said security researchers.

See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm

The threat actor, dubbed Shuckworm by Symantec and also known as Gamaredon and Primitive Bear, is engaged in a cyberespionage campaign for information including the deaths of Ukrainian military service members, military engagements and weapons inventories.

The Security Service of Ukraine in 2021 identified the group, which it tracks as Armageddon, as a unit of Russian security service FSB operating in Crimea.

Gamaredon uses phishing emails as an initial infection vector to gain access to the victim’s machine and distribute malware. Lures include subjects such as armed conflict, crime, and protecting children.
Symantec said the majority of attacks in this campaign began around February, and in some cases attackers maintained presence on victim machines until May.

Ukrainian cyber defenders earlier this year concluded that Russian hackers are prioritizing espionage over disruption as the Kremlin’s war of conquest grinds onward (see: Ukraine Tracks Increased Russian Focus on Cyberespionage).

Once loaded, some versions of Gamaredon malware use a PowerShell script to copy the Gamaredon backdoor, known as Pterodo, onto USB drives if they are present.

The PowerShell script observed by researchers copies itself onto the infected machine and creates a shortcut file using an rtk.lnk extension. These scripts use porn_video.rtf.lnk, do_not_delete.rtf.lnk and as file names to entice individuals to open the files. These file names are generally in Ukrainian, but some are also in English.

Researchers also observed attackers leveraging legitimate services, including the Telegram messaging service, to act as command-and-control servers. Gamaredon also uses Telegram’s microblogging platform, called Telegraph, to store C2 addresses.

The threat group uses SSL certificates that have some commonalities that Symantec said can be used to track its activities. In addition, the researchers spotted Giddome, an info stealer tool commonly used by Gamaredon, deployed on victim networks.