Created with Sketch. Created with Sketch.
Infostealer appears to be payload in recent activity aimed at Ukrainian organizations.

Infostealer appears to be payload in recent activity aimed at Ukrainian organizations.

Posted by HSSL Technologies on Sep 14th 2022

Recent Shuckworm activity observed by Symantec, a division of Broadcom Software, and aimed at Ukraine appears to be delivering information-stealing malware to targeted networks. This activity was ongoing as recently as August 8, 2022 and much of the activity observed in this campaign is consistent with activity that was highlighted by CERT-UA on July 26.

The activity observed by Symantec began on July 15, and we have additional indicators of compromise (IOCs) and technical details to share about this campaign.

Shuckworm (aka Gamaredon, Armageddon) is a Russia-linked group that has almost exclusively focused its operations on Ukraine since it first appeared in 2014. It is generally considered to be a state-sponsored espionage operation.
Infection Vector

The first suspicious activity Symantec saw on victim systems was a self-extracting 7-Zip file, which was downloaded via the system’s default browser. Subsequently, mshta.exe downloaded an XML file, which was likely masquerading as an HTML application (HTA) file.

These files were downloaded from the following domain: a0698649[.]xsph[.]ru. It has been publicly documented since May 2022 that subdomains of xsph[.]ru are associated with Shuckworm activity, and this domain was once again mentioned in CERT-UA’s July 26 publication about Shuckworm activity.

This domain was also associated with an email that spoofed being from the Security Service of Ukraine and had “Intelligence Bulletin” in the subject line, according to CERT-UA. This being the case, it is most likely the 7-Zip file seen on victim networks in the campaign observed by Symantec was delivered to victims via email.
Attack Chain

The downloading of the XML file onto victim networks was followed by the execution of a PowerShell stealer. We saw three versions of the same PowerShell stealer appear on the one system. It’s possible the attackers may have deployed multiple versions of the stealer, which were all very similar, as an attempt to evade detection.

Two VBS downloaders that had the words “juice” and “justice” in their file names were also observed on victim machines. Analysis found that these were Backdoor.Pterodo, a well-known Shuckworm tool that Symantec blogged about earlier this year. These scripts are capable of calling PowerShell, uploading screenshots, and also executing code downloaded from a command-and-control (C&C) server.

Various suspicious files containing “ntuser” in the file names were also seen on victim machines. We associate these “ntuser” files with Shuckworm activity, and many variants of them are malicious, with most detected as the Giddome backdoor, another well-known Shuckworm tool.

We saw various parent processes with file names that had VCD, H264 and ASC extensions. A file named ntuser.dat.tmcontainer.vcd was the parent process for a Giddome backdoor variant named ntuser.dat.tm.descendant.exe that was seen on victim machines. A suspicious file named ntuser.dat.tmcontainer.h264 had a child process named ntuser.dat.tm.declare.exe, another malicious Giddome backdoor binary. Elsewhere, a file named ntuser.dat.tmcontainer.asc had a child process named ntuser.dat.tm.decay.exe.

VCD files are disc images of a CD or DVD and are recognized by Windows as an actual disc, similar to ISO files, which we commonly see malicious actors use to deliver payloads. An ASC file is an encrypted file that may contain text or binary information encoded as text, while an H264 file is a video file. However, filenames with the ntuser.dat.tmcontainer prefix are files that represent the registry.

It’s not clear if these are the actual file types, or if the attackers are using these file names as a means of sowing confusion.

The backdoor dropped on victim systems had the file name 4896.exe. This backdoor had multiple capabilities, including:

Record audio using the microphone and upload the recorded files to a remote location
Take screenshots and upload them
Log and upload keystrokes
Download and execute .exe files or download and load DLL files

The legitimate remote desktop protocol (RDP) tools Ammyy Admin and AnyDesk were both also leveraged by the attackers for remote access. Legitimate RDP tools like these and others are frequently leveraged for remote access by attackers in both ransomware and nation-state-backed cyber attacks.
Shuckworm Keeps Focus on Ukraine

This campaign, combined with previous public reporting on Shuckworm, shows some patterns in the operations of the group at the moment, including its reuse of patterns, e.g. paths (such as csidl_profile\music), using files that contain "ntuser.dat" in the file name, using various artifacts that contain, for example, "judgement" in the file name, and also leveraging EXE files whose file names contain English words that begin with "D", “dat”, “decay”, “deer”, “declare”, etc.

As the Russian invasion of Ukraine approaches the six-month mark, Shuckworm’s long-time focus on the country appears to be continuing unabated. That this recent activity continues even after CERT-UA documented it shows that fear of exposure does not deter the group from its activities. While Shuckworm is not necessarily the most tactically sophisticated espionage group, it compensates for this in its focus and persistence in relentlessly targeting Ukrainian organizations.