Shuckworm Gang Attacks Ukrainian Companies Using Pterodo Backdoor and USB Drives

Shuckworm attacks Ukrainian companies

Symantec experts report that the Shuckworm hack group (aka Armageddon, Gamaredon, Iron Tilden, Primitive Bear, Trident Ursa, UNC530, Winterflounder, and so on) is attacking Ukrainian companies using the Pterodo backdoor distributed via USB drives.

The main targets of hackers are important organizations in the military and IT sectors.

According to experts, in some cases, the group managed to organize long-term attacks that lasted up to three months, which in the end could give attackers access to “significant amounts of confidential information.”

Let me remind you that we also reported that TrickBot Hack Group Systematically Attacks Ukraine, and also that Microsoft Accuses Russia of Cyberattacks against Ukraine’s Allies.

The media also wrote that Sandworm Targets Ukraine With Industroyer2 Malware.

Shuckworm activity in 2023 spiked between February and March 2023, and hackers continued to have a presence on some compromised machines until May 2023.

To launch attacks, Shuckworm typically uses phishing emails containing malicious attachments disguised as .docx, .rar, .sfx, lnk, and hta files. Topics such as armed conflict, criminal prosecution, crime control, and child protection are often used as bait in emails to trick targets into opening the message itself and malicious attachments.

The new Shuckworm campaign debuted a new malware, which is a PowerShell script that distributes the Pterodo backdoor. The script is activated when infected USB drives are connected to the target computers. It first copies itself to the target machine to create an rtf.lnk shortcut file (video_porn.rtf.lnk, do_not_delete.rtf.lnk and evidence.rtf.lnk). Such names are an attempt to induce targets to open files so that Pterodo can infiltrate their machines.

The script then examines all drives connected to the target computer and copies itself to all attached removable drives for further lateral movement and in the hope of infiltrating isolated devices that are intentionally not connected to the internet to prevent them from being hacked.

To cover its tracks, Shuckworm has created dozens of malware variants (more than 25 PowerShell script variants between January and April 2023), and is rapidly changing IP addresses and infrastructure used for control and management.

The group also uses legitimate services to manage, including Telegram and the Telegraph platform, to avoid detection.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *