The Shuckworm espionage group (aka Gamaredon, Armageddon), believed to be linked to the Russian Federal Security Service (FSB), has been observed intensifying its cyber-attacks on Ukraine.
Discovered by the Symantec Threat Hunter Team, the new Shuckworm campaign focused on acquiring military and security intelligence to support potential invading forces.
In particular, it aimed to gain access to sensitive information, including reports about Ukrainian military service members, enemy engagements, air strikes, arsenal inventories and military training activities.
Initial access was obtained via phishing emails with malicious attachments of different file types. After that, Shuckworm deployed additional backdoors and tools onto targeted machines.
Symantec also observed the threat actor using a new PowerShell script to spread its custom backdoor malware, Pterodo, via USB drives.
“Many organizations forget about the threat that USB devices pose to organizations,” warned Erich Kron, security awareness advocate at KnowBe4.
“Because USB storage is portable by nature and is often used to share files and other information between individuals, it makes a great medium for distributing malware within networks.”
Overall, the new campaign displayed a high level of persistence, with some intrusions lasting for as long as three months.
To avoid detection, Shuckworm constantly updated its toolset: Symantec observed up to 25 new variants of the group’s scripts per month between January and April 2023.
Additionally, it leveraged legitimate services such as Telegram and Telegram’s micro-blogging platform Telegraph to make its command-and-control infrastructure harder to track.
“To protect against these attacks, organizations should seriously consider whether the risk of using USB devices is worth it and ensure that antivirus software is scanning these portable devices any time they are plugged into a computer,” Kron added.
“In addition, because email phishing is once again a top attack vector, organizations should educate and train their users to spot and report phishing attempts.”