Shuckworm hackers attack Ukrainian organizations with new variant of Pteredo backdoor

Shuckworm and the Pteredo backdoor

Researchers at the cybersecurity company Symantec have reported attacks by the threat group Shuckworm (also tracked as Armageddon or Gamaredon) on Ukrainian organizations using a new version of the group's custom Pteredo (Pteranodon) backdoor.

The group, which experts link to Russia, has been conducting cyber-espionage operations against Ukrainian government organizations since at least 2014.

As Symantec's specialists put it: "Shuckworm's attacks have continued unabated since the Russian invasion of the country. While the group's tools and tactics are simple and sometimes crude, the frequency and persistence of its attacks mean that it remains one of the key cyber threats facing organizations in the region."

According to the experts, the group has carried out more than 5,000 cyberattacks on some 1,500 public and private organizations in the country.

Incidentally, we have previously written about how hacker groups have split, with some supporting Russia and others Ukraine.

Pteredo has its origins in hacker forums, where Shuckworm acquired it in 2016. The group then actively developed the backdoor, adding DLL modules for data theft, remote access and analysis evasion.

In addition to Pteredo, Shuckworm has also used the UltraVNC remote access tool and Microsoft's Process Explorer to handle DLL module processes in recent attacks.

Note: Let me remind you that even before the escalation of hostilities, Microsoft discovered the WhisperGate wiper targeting Ukrainian users.

Comparing Shuckworm's attacks on Ukrainian organizations since January 2022 with earlier ones shows that the group has barely changed its tactics. In previous attacks, Pteredo variants were dropped onto targeted systems by VBS files embedded in the document attached to a phishing email.

As Bleeping Computer journalists reported: "The Symantec Threat Hunter team has identified four different Pterodo variants that have been used in recent attacks. They are all Visual Basic Script (VBS) droppers with similar functionality. They dump the VBScript file, use scheduled tasks (schtasks.exe) for persistence, and download additional code from the C&C server. All built-in VBScripts were very similar to each other and used similar obfuscation techniques."

The self-extracting 7-Zip archives unpack automatically, which minimizes the user interaction required (the same kind of files were used in the January attacks).

For example, one Pteredo variant is a modified 7-Zip self-extracting archive containing obfuscated VBScripts. Once extracted, the script registers itself as a scheduled task to ensure persistence:

[Screenshot: Shuckworm and the Pteredo backdoor]

The script also copies itself to [USERPROFILE]\ntusers.ini.

The two newly created files are further obfuscated VBScripts.

  • The first is designed to gather system information, such as the serial number of the C: drive, and send it to a C&C server.
  • The second adds another layer of persistence by copying the previously dropped ntusers.ini to a desktop.ini file.
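The persistence chain described above (a VBS dropper registered through schtasks.exe, then copies of the script parked under non-script names such as ntusers.ini and desktop.ini in the user profile) leaves a distinctive mark in process-creation telemetry: a Windows script host being pointed at a file that has no script extension, either directly or inside a scheduled-task action. The following detector, added here as an example and not code from Symantec, Bleeping Computer or GridinSoft, runs that check over a few constructed command lines in the style of Sysmon Event ID 1 / Security 4688 records. The sample task names and paths are made up; the two file names are the ones the article reports.

```python
import ntpath
import re

# Added example (not Symantec's or GridinSoft's code): flag process-creation
# telemetry that matches the Pteredo dropper pattern, i.e. wscript/cscript
# executing a file without a script extension, directly or via schtasks /create.

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# File names the article reports the dropper copying itself to (assumed exact).
KNOWN_DROPPER_NAMES = {"ntusers.ini", "desktop.ini"}

# Constructed sample command lines in the style of Sysmon Event ID 1 /
# Security 4688 records; task names and paths are invented for this example.
SAMPLE_COMMAND_LINES = [
    # benign: scheduled task running an ordinary executable
    r'schtasks.exe /create /tn "Updater" /tr C:\Vendor\update.exe /sc daily',
    # suspicious: task action runs a script host on an .ini file in the profile
    r'schtasks.exe /create /tn "Sync" /tr "wscript.exe //b C:\Users\alice\ntusers.ini" /sc minute /mo 15 /f',
    # suspicious: script host forced to treat desktop.ini as VBScript
    r'wscript.exe //e:vbscript //b "C:\Users\alice\desktop.ini"',
    # benign: cscript running a real logon script
    r'cscript.exe //nologo \\corp\netlogon\login.vbs',
    # benign: an editor opening an .ini file is not a script-host execution
    r'notepad.exe C:\Users\alice\AppData\Roaming\app\settings.ini',
]


def split_cmdline(cmd):
    """Split a Windows command line on whitespace, keeping double-quoted
    arguments (with their spaces) together and stripping the quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def schtasks_action(argv):
    """Return the /tr (task action) of a 'schtasks /create' command line, else None."""
    if not argv or ntpath.basename(argv[0]).lower() != "schtasks.exe":
        return None
    lowered = [a.lower() for a in argv]
    if "/create" not in lowered or "/tr" not in lowered:
        return None
    i = lowered.index("/tr")
    return argv[i + 1] if i + 1 < len(argv) else None


def script_host_target(argv):
    """If argv invokes wscript/cscript, return the script path it runs
    (the first argument that is not a //host switch), else None."""
    if not argv or ntpath.basename(argv[0]).lower() not in SCRIPT_HOSTS:
        return None
    for arg in argv[1:]:
        if not arg.startswith("//"):  # //b, //e:vbscript, //nologo are host switches
            return arg
    return None


def analyse(cmd):
    """Return a list of human-readable findings for one command line (empty if clean)."""
    argv = split_cmdline(cmd)
    action = schtasks_action(argv)
    if action is not None:
        where, target = "schtasks action", split_cmdline(action)
    else:
        where, target = "process", argv
    script = script_host_target(target)
    if script is None:
        return []
    findings = []
    name = ntpath.basename(script).lower()
    ext = ntpath.splitext(name)[1]
    if ext not in SCRIPT_EXTENSIONS:
        shown = ext if ext else "(none)"
        findings.append(f"{where}: script host executes non-script extension {shown}: {script}")
    if name in KNOWN_DROPPER_NAMES:
        findings.append(f"{where}: file name matches reported Pteredo dropper artefact: {name}")
    if any(a.lower().startswith("//e:") for a in target):
        findings.append(f"{where}: //e: engine override forces an interpreter regardless of extension")
    return findings


def scan(command_lines):
    """Run analyse() over many records and return only the flagged ones."""
    return [(cmd, f) for cmd in command_lines if (f := analyse(cmd))]


if __name__ == "__main__":
    for cmd, findings in scan(SAMPLE_COMMAND_LINES):
        print(cmd)
        for finding in findings:
            print("  -", finding)
```

The extension check is the load-bearing rule: wscript and cscript decide the engine from the file extension unless //e: overrides it, so a legitimate script almost always carries .vbs/.js/.wsf, and an .ini path handed to a script host is itself the indicator, whatever obfuscation the script body uses. Treating the /tr action of schtasks /create as its own command line catches the same pattern at the moment persistence is established rather than only when the task later fires.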

Although Shuckworm is a prolific and persistent group, its infection tools and tactics have not improved over the past few months, which makes its activity easier to detect and defend against.

Pteredo is still under active development, which means the attackers may be working on a more advanced, powerful and harder-to-detect version of the backdoor and may also change their attack chain.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.
