Gamaredon: Uses PowerShell USB malware to drop backdoors

Russia-linked state-sponsored cyber-espionage group Gamaredon (also known as Armageddon and UAC-0010) continues its relentless attacks against government entities and organizations in Ukraine's military and security intelligence sectors, using updated malware tools, according to a new report from the Symantec threat intelligence team.

The research team at Symantec – part of Broadcom – reported today that threat actors have recently begun using USB malware to spread to additional systems within infected networks.

What is Gamaredon?

Gamaredon has been active since at least 2014 and is one of the most pervasive, intrusive, continuously active and focused APTs targeting Ukraine. Ukrainian officials have linked the group to the Russian Federal Security Service (FSB).

The threat actor uses phishing emails for malware distribution and provides access to compromised networks and intelligence to other cybercriminals.

The phishing lures observed in Gamaredon's most recent campaigns, dating from February/March 2023, include topics related to armed conflicts, criminal proceedings, combating crime, and the protection of children.

The attacks also involved a new PowerShell script used to deploy Gamaredon's custom backdoor Pterodo via USB. The Symantec team (which tracks the group under the name Shuckworm) also notes that it has seen what appears to be a known Shuckworm backdoor called Giddome used for data exfiltration.

The PowerShell script copies itself to the infected machine and creates a shortcut file using an rtk.lnk extension. The LNK files generated by the script are given a wide range of names, some chosen specifically to pique the victim's interest, such as:

  • weapons_list.rtf.lnk
  • secret.rtf.lnk
  • pornophoto.rtf.lnk
  • my_photos.rtf.lnk
  • login_password.docx.lnk
  • compromising_evidence.rtf.lnk
  • instructions.rtf.lnk
  • account_card.rtf.lnk
  • bank_accоunt.rtf.lnk
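The lure names above share one give-away: a document-looking extension (.rtf, .docx) immediately followed by .lnk, so Explorer's default "hide extensions" setting shows the user what looks like a document. The following script is an added example for defenders, not code from the article or from Symantec; it flags that double-extension pattern on a set of file names, such as the listing of a removable drive, and separately flags names that mix alphabets (the last entry in the list above contains a Cyrillic letter in an otherwise Latin name). The extension list and the sample names are assumptions constructed for the example.

```python
"""Flag .lnk files that masquerade as documents (example detection heuristic)."""
import os
import unicodedata
from typing import Iterable

# Document-style extensions a shortcut may hide behind. The set is an
# assumption based on the names in the article plus common Office formats.
DOC_EXTENSIONS = (".rtf", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt")

# Constructed sample names, the kind a removable-drive listing would yield.
# The first three mirror the article's lures; the rest are benign controls.
SAMPLE_NAMES = [
    "weapons_list.rtf.lnk",
    "login_password.docx.lnk",
    "bank_acc\u043eunt.rtf.lnk",   # Cyrillic 'о' (U+043E) inside a Latin name
    "Quarterly report.docx",
    "Shortcut to Notepad.lnk",
    "rtk.lnk",
]


def reasons_for(name: str) -> list[str]:
    """Return the list of rules a single file name triggers (empty if none)."""
    reasons: list[str] = []
    lower = name.lower()

    # Rule 1: <stem>.<docext>.lnk, i.e. a shortcut dressed up as a document.
    if lower.endswith(".lnk"):
        inner = lower[: -len(".lnk")]
        if inner.endswith(DOC_EXTENSIONS):
            reasons.append("shortcut masquerading as a document (double extension)")

    # Rule 2: letters from more than one script (e.g. Latin plus Cyrillic).
    # The script is taken from the first word of each letter's Unicode name.
    scripts = {
        unicodedata.name(ch, "UNKNOWN").split()[0] for ch in name if ch.isalpha()
    }
    if len(scripts) > 1:
        reasons.append("mixed-script name: " + ", ".join(sorted(scripts)))

    return reasons


def scan_names(names: Iterable[str]) -> dict[str, list[str]]:
    """Apply the rules to an iterable of names; return {name: reasons} for hits."""
    findings: dict[str, list[str]] = {}
    for name in names:
        hit = reasons_for(name)
        if hit:
            findings[name] = hit
    return findings


def scan_directory(root: str) -> dict[str, list[str]]:
    """Walk a mounted drive or folder (e.g. a USB mount point) and apply the rules."""
    findings: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            hit = reasons_for(fname)
            if hit:
                findings[os.path.join(dirpath, fname)] = hit
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; pass a real path to scan_directory()
    # to check an actual removable drive.
    for name, why in scan_names(SAMPLE_NAMES).items():
        print(f"{name!r}: {'; '.join(why)}")
```

Both rules are deliberately name-based so they can run on a file listing, an EDR file-creation event, or a mail-gateway attachment log without opening the shortcut itself; inspecting the LNK target (for example, a shortcut that launches powershell.exe or mshta.exe) is the natural next step and needs a LNK parser, which is out of scope here.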

The group is also leveraging legitimate services to act as command-and-control servers; however, Gamaredon uses any given piece of C&C infrastructure only for a short period of time.

About the Author: FirstHackersNews - Identifies Security
