Russian hackers directed a new virus to the Ukrainian army
June 16, 2023
The malicious campaign was discovered by researchers from Symantec, which is now owned by Broadcom. It is reported that the sectors and nature of the organizations and computers targeted by the attacks may have allowed attackers to access significant amounts of sensitive information. In some organizations, there were signs that the attackers were working on the computers of the personnel departments – this indicates that information about employees and personnel of the Armed Forces is a priority for hackers.
What is known
The group, which Symantec tracks as Shuckworm, is known to other researchers as Gamaredon or Armageddon. It has been active since 2014, is linked to Russia’s FSB and focuses solely on gathering intelligence on Ukrainian targets. In 2020, researchers at the security company SentinelOne said these hackers “attacked more than 5,000 separate organizations across Ukraine, paying particular attention to areas where Ukrainian forces are stationed.”
In this campaign the group deployed new malware in the form of a PowerShell script that spreads Pterodo, a backdoor developed by Shuckworm. The script runs when an infected USB drive is connected to a target computer. It first copies itself to the victim’s machine and creates Windows shortcut files with the double extension .rtf.lnk. The files carry names such as video_porn.rtf.lnk, do_not_delete.rtf.lnk and proof.rtf.lnk; according to the source, the names are meant to entice victims into opening the files, which installs Pterodo on their computer.
The script then enumerates all drives attached to the target computer and copies itself to every connected removable drive, in the hope of reaching devices that are deliberately kept off the Internet, presumably to protect them from compromise.
To cover its tracks, Shuckworm created dozens of variants and rapidly rotated the IP addresses and infrastructure it used for command and control. The group also routes command and control through legitimate services such as Telegram and the Telegraph microblogging platform to avoid exposure.
Shuckworm frequently uses phishing emails as the initial vector for getting onto victims’ computers. The emails carry malicious attachments disguised as files with the extensions .docx, .rar, .sfx, .lnk and .hta. They often use subjects such as gunfights, criminal litigation, crime fighting and child protection as bait to get the victim to open the email and click on the attachments.
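Both the USB shortcuts described above and the phishing attachments rely on the same trick: a launcher-type extension (.lnk, .hta, .sfx) hidden behind a document-looking one, which Windows Explorer then hides by default so that proof.rtf.lnk displays as proof.rtf. The following Python snippet is an added illustration, not code from Symantec or from the article, of how a defender might screen a directory listing or a list of attachment names for such deceptive double extensions. The file names in SAMPLE_LISTING are constructed for the example (three of them are the names quoted in the article); the extension sets are an assumption about what counts as a launcher versus a document.

```python
"""Flag file names that hide a launcher extension behind a document-looking one.

Added defensive example. The extension sets below are assumptions made for
this illustration, not a list taken from the article or from Symantec.
"""
from pathlib import PureWindowsPath

# Extensions that execute or launch something when double-clicked (assumed set).
LAUNCHER_EXTENSIONS = {".lnk", ".hta", ".sfx", ".exe", ".scr", ".vbs", ".js"}

# Extensions a user expects to open as a harmless document or archive (assumed set).
DOCUMENT_EXTENSIONS = {".rtf", ".docx", ".doc", ".pdf", ".xlsx", ".txt", ".rar", ".zip"}


def real_extension(filename):
    """Return the last (effective) extension of a file name, lower-cased.

    PureWindowsPath is used so drive letters and backslashes parse correctly
    even when this script runs on a non-Windows analysis host.
    """
    suffixes = PureWindowsPath(filename).suffixes
    return suffixes[-1].lower() if suffixes else ""


def is_deceptive_name(filename):
    """True when the effective extension is a launcher type and at least one
    earlier extension in the name looks like a document (e.g. proof.rtf.lnk)."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    if len(suffixes) < 2:
        return False  # a bare .exe or .lnk is not *disguised*, just a launcher
    real_ext = suffixes[-1]
    disguises = suffixes[:-1]
    return real_ext in LAUNCHER_EXTENSIONS and any(d in DOCUMENT_EXTENSIONS for d in disguises)


def find_deceptive_files(paths):
    """Return the subset of paths whose names use a deceptive double extension."""
    return [p for p in paths if is_deceptive_name(p)]


def launchers_on_removable_media(paths, removable_drives=("D:", "E:", "F:")):
    """Return launcher-type files that sit on a drive letter treated as removable.

    Which letters are removable is an assumption for the example; a real check
    would query the OS for the drive type instead of hard-coding letters.
    """
    hits = []
    for p in paths:
        drive = PureWindowsPath(p).drive.upper()
        if drive in removable_drives and real_extension(p) in LAUNCHER_EXTENSIONS:
            hits.append(p)
    return hits


# Constructed directory listing: three names from the article plus benign files
# and one phishing-style attachment name invented for the example.
SAMPLE_LISTING = [
    r"E:\video_porn.rtf.lnk",
    r"E:\do_not_delete.rtf.lnk",
    r"E:\proof.rtf.lnk",
    r"E:\holiday\IMG_0042.jpg",
    r"E:\report_2023.docx",
    r"C:\Users\alice\Downloads\invoice.pdf.hta",
]

if __name__ == "__main__":
    for path in find_deceptive_files(SAMPLE_LISTING):
        print("deceptive double extension:", path)
    for path in launchers_on_removable_media(SAMPLE_LISTING):
        print("launcher on removable media:", path)
```

The two checks are deliberately separate: the double-extension rule catches lures regardless of where they live (mail attachment, download folder, USB stick), while the removable-media rule reflects the article’s point that the script propagates to every attached removable drive, so any shortcut or script file on such media deserves a second look even without a disguise.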
Shuckworm also keeps updating its evasion techniques to avoid detection: from January to April 2023, up to 25 new variants of the group’s scripts were released each month.
John Wilkes is a seasoned journalist and author at Div Bracket. He specializes in covering trending news across a wide range of topics, from politics to entertainment and everything in between.