
Russian Hackers Using USB Malware to Target Ukraine

Gamaredon Spreads Custom Backdoor Through Thumb Drives

A Russian government-linked threat group is using USB drives to spread a custom backdoor in a possible bid to reach air-gapped machines, said security researchers.


The threat actor, dubbed Shuckworm by Symantec and also known as Gamaredon and Primitive Bear, is engaged in a cyberespionage campaign for information including the deaths of Ukrainian military service members, military engagements and weapons inventories.

The Security Service of Ukraine in 2021 identified the group, which it tracks as Armageddon, as a unit of Russian security service FSB operating in Crimea.

Gamaredon uses phishing emails as an initial infection vector to gain access to the victim's machine and distribute malware. Lures include subjects such as armed conflict, crime, and protecting children. Symantec said the majority of attacks in this campaign began around February, and in some cases attackers maintained presence on victim machines until May.

Ukrainian cyber defenders earlier this year concluded that Russian hackers are prioritizing espionage over disruption as the Kremlin's war of conquest grinds onward (see: Ukraine Tracks Increased Russian Focus on Cyberespionage).

Once loaded, some versions of Gamaredon malware use a PowerShell script to copy the Gamaredon backdoor, known as Pterodo, onto USB drives if they are present.

The PowerShell script observed by researchers copies itself onto the infected machine and creates a shortcut file with an rtk.lnk extension. The shortcuts carry lure names such as porn_video.rtf.lnk and do_not_delete.rtf.lnk to entice individuals to open them; because Windows Explorer hides the .lnk suffix by default, such a file displays as an ordinary .rtf document. The names are generally in Ukrainian, but some are also in English.
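A practitioner handling a drive that may have passed through an infected machine wants to find shortcuts of this kind and see what they actually launch. The script below is an added example, not Symantec's tooling or the Gamaredon script itself: it walks a mounted drive for .lnk files, flags double-extension lure names, parses the ShellLink header and string fields to recover the shortcut's target and command line, and reports shortcuts that point at a script host with a hidden or bypass-style invocation. The sample shortcut bytes, the "USB root" (a temp directory), the lure-name list and the PowerShell command line inside the sample are all constructed for the demo; the article does not disclose the real shortcut target. Shortcuts that store their target only in the IDList (no RelativePath) are skipped here, so an empty target is not proof of a benign file.

```python
"""Hunt for document-masquerading .lnk lures on a mounted drive (added example)."""
import os
import re
import struct
import tempfile
import uuid

# ShellLink header constants from MS-SHLLINK.
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON = 0x04, 0x08, 0x10, 0x20, 0x40
IS_UNICODE = 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon")]

# Assumed lure pattern: a document extension in front of the hidden .lnk suffix.
DOUBLE_EXT = re.compile(r"\.(rtf|doc|docx|pdf|xls|xlsx|txt)\.lnk$", re.I)
SCRIPT_HOST = re.compile(r"(powershell|pwsh|mshta|wscript|cscript|cmd|rundll32)(\.exe)?$", re.I)
HIDDEN_ARGS = re.compile(r"-(w(indowstyle)?\s+hidden|enc(odedcommand)?|nop|ep\s+bypass)", re.I)


def parse_lnk(data: bytes) -> dict:
    """Parse the ShellLink header and StringData; IDList and LinkInfo are skipped."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a ShellLink header")
    if data[4:20] != LNK_CLSID:
        raise ValueError("bad ShellLink CLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:                       # IDListSize (2) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {"flags": flags}
    for flag, name in STRING_FIELDS:              # fixed order per the spec
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            out[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            out[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return out


def triage_lnk(path: str) -> list:
    """Return the reasons a shortcut looks like a removable-media lure (empty if none)."""
    reasons = []
    if DOUBLE_EXT.search(os.path.basename(path)):
        reasons.append("double extension masquerading as a document")
    with open(path, "rb") as fh:
        info = parse_lnk(fh.read())
    target = info.get("relative_path", "").replace("\\", "/").rsplit("/", 1)[-1]
    if SCRIPT_HOST.search(target):
        reasons.append(f"target is a script host: {target}")
    if HIDDEN_ARGS.search(info.get("arguments", "")):
        reasons.append("hidden/bypass-style command line")
    return reasons


def hunt(root: str) -> dict:
    """Walk a mounted drive and map each suspicious .lnk path to its triage reasons."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if not f.lower().endswith(".lnk"):
                continue
            p = os.path.join(dirpath, f)
            try:
                reasons = triage_lnk(p)
            except ValueError as e:
                reasons = [f"unparseable: {e}"]
            if reasons:
                findings[p] = reasons
    return findings


def build_lnk(rel_path: str, args: str) -> bytes:
    """Construct a minimal Unicode ShellLink carrying only RelativePath and Arguments."""
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + b"\x00" * (0x4C - 24)

    def field(v: str) -> bytes:
        return struct.pack("<H", len(v)) + v.encode("utf-16-le")
    return header + field(rel_path) + field(args)


def demo() -> dict:
    """Stage constructed lures in a temp dir standing in for a USB root, then hunt it."""
    root = tempfile.mkdtemp(prefix="usb_")
    # Placeholder command line; not the real Pterodo loader invocation.
    lure = build_lnk("..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                     "-w hidden -ep bypass -File loader.ps1")
    benign = build_lnk("..\\Program Files\\Notepad++\\notepad++.exe", "")
    for name, blob in [("porn_video.rtf.lnk", lure), ("do_not_delete.rtf.lnk", lure),
                       ("editor.lnk", benign)]:
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(blob)
    return {os.path.basename(p): r for p, r in hunt(root).items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
```

Run it against the root of a mounted drive instead of the temp directory to triage real media; the two constructed lures are reported with all three reasons and the plain editor shortcut is not.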

Researchers also observed attackers leveraging legitimate services, including the Telegram messaging service, to act as command-and-control servers. Gamaredon also uses Telegram's microblogging platform, called Telegraph, to store C2 addresses.

The threat group's TLS certificates share characteristics that Symantec said can be used to track its infrastructure. In addition, the researchers spotted Giddome, an infostealer commonly used by Gamaredon, deployed on victim networks.

About the Author

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
