Russian Hackers Use PowerShell USB Malware to Drop Backdoors
The Russian state-sponsored hacking group Gamaredon (aka Armageddon or Shuckworm) continues to target critical organizations in Ukraine's military and security intelligence sectors, employing a refreshed toolset and new infection tactics. Previously, the Russian hackers, who have been linked to the FSB, were observed using information-stealers against Ukrainian state organizations, employing new variants of their "Pteranodon" malware, and also using a default Word template hijacker for new infections. Symantec's threat research team, part of Broadcom, reports today that the threat actors have recently begun using USB malware to propagate to additional systems inside infected networks (Bleeping Computer, 2023).
This newest campaign by Gamaredon has been seen targeting HR departments, potentially indicating that threat actors will use breached HR accounts to carryout further spear-phishing attacks within breached organizations. According to Symantec, Gamaredon was very active between February and March of 2023, but have maintained persistence on some compromised networks until May 2023.
Gamaredon continues to rely on phishing emails for initial compromise, while its targets include government, military, security, and research organizations, focusing on their Human Resources departments.
The Russian state-sponsored hacking group Gamaredon (aka Armageddon or Shuckworm) continues to target critical organizations in Ukraine's military and security intelligence sectors, employing a refreshed toolset and new infection tactics. Previously, the Russian hackers, who have been linked to the FSB, were observed using information-stealers against Ukrainian state organizations, employing new variants of their "Pteranodon" malware, and also using a default Word template hijacker for new infections. Symantec's threat research team, part of Broadcom, reports today that the threat actors have recently begun using USB malware to propagate to additional systems inside infected networks (Bleeping Computer, 2023).
This newest campaign by Gamaredon has been seen targeting HR departments, potentially indicating that threat actors will use breached HR accounts to carryout further spear-phishing attacks within breached organizations. According to Symantec, Gamaredon was very active between February and March of 2023, but have maintained persistence on some compromised networks until May 2023.
Gamaredon continues to rely on phishing emails for initial compromise, while its targets include government, military, security, and research organizations, focusing on their Human Resources departments.
Security Officer Comments:
The phishing emails carry RAR, DOCX, SFX, LNK, and HTA attachments that, if opened, launch a PowerShell command that downloads a 'Pterodo' payload from the attacker's (C2) server. There were roughly 25 PowerShell script variants used between January and April of 2023, these used various levels of obfuscation and pointed to different Pterodo download IP addresses to resist static detection rules. Once executed, the PowerShell copies itself onto infected machines and creates a shortcut file rtk[.]lnk. This LNK uses a broad range of names to entice victims into clicking further.
If the victim launches any of the LNK files, the PowerShell script will enumerate all drives on the computer and copy itself to any removable USB disks. Because USB devices can be moved between machines, threat actors can increase their likelihood of lateral movement.
One one of the machines compromised by Gamaredon this year, Symantec's analysts found a "foto[.]safe" file that is a base64-encoded PowerShell script. Symantec says that the device was infected after an infected USB key was plugged into the device. However, it is unclear how the USB drive became infected in the first place. "These USB drives are likely used by the attackers for lateral movement across victim networks and may be used to help the attackers reach air-gapped machines within targeted organizations," warned Symantec.
Syma
ntec expects Gamaredon to remain laser-focused on Ukraine, continuing to refresh their tools and enrich their attack tactics as they target data that could be useful in Russia's military operations.
MITRE ATT&CK:
T1566.002 - Phishing: Spearphishing Link
Spearphishing emails used to target Ukrainian HR departments.
T1204.002 - User Execution: Malicious File
Users are tricked into clicking on malicious LNK files with unique lures.
T1059.001 - Command and Scripting Interpreter: PowerShell
LNK files launches PowerShell script that downloads additional payloads.
T1027 - Obfuscated Files or Information
PowerShell script variants used between January and April of 2023 had various levels of obfuscation.
T1105 - Ingress Tool Transfer
PowerShell command that downloads a 'Pterodo' payload from the attacker's (C2) server.
T1091 - Replication Through Removable Media
PowerShell script will enumerate all drives on the computer and copy itself to any removable USB disks.
Suggested Correction(s):
Users should follow phishing best practices, such as:
Additionally, organizations should review their USB policies and decide if USB devices are necessary in your environment. USB’s can be disabled via Group policies, or by more extreme measures like physically removing or blocking USB ports on corporate devices.
Source: https://www.bleepingcomputer.com/ The phishing emails carry RAR, DOCX, SFX, LNK, and HTA attachments that, if opened, launch a PowerShell command that downloads a 'Pterodo' payload from the attacker's (C2) server. There were roughly 25 PowerShell script variants used between January and April of 2023, these used various levels of obfuscation and pointed to different Pterodo download IP addresses to resist static detection rules. Once executed, the PowerShell copies itself onto infected machines and creates a shortcut file rtk[.]lnk. This LNK uses a broad range of names to entice victims into clicking further.
If the victim launches any of the LNK files, the PowerShell script will enumerate all drives on the computer and copy itself to any removable USB disks. Because USB devices can be moved between machines, threat actors can increase their likelihood of lateral movement.
One one of the machines compromised by Gamaredon this year, Symantec's analysts found a "foto[.]safe" file that is a base64-encoded PowerShell script. Symantec says that the device was infected after an infected USB key was plugged into the device. However, it is unclear how the USB drive became infected in the first place. "These USB drives are likely used by the attackers for lateral movement across victim networks and may be used to help the attackers reach air-gapped machines within targeted organizations," warned Symantec.
Symantec expects Gamaredon to remain laser-focused on Ukraine, continuing to refresh their tools and enrich their attack tactics as they target data that could be useful in Russia's military operations.
MITRE ATT&CK:
T1566.002 - Phishing: Spearphishing Link
Spearphishing emails used to target Ukrainian HR departments.
T1204.002 - User Execution: Malicious File
Users are tricked into clicking on malicious LNK files with unique lures.
T1059.001 - Command and Scripting Interpreter: PowerShell
LNK files launches PowerShell script that downloads additional payloads.
T1027 - Obfuscated Files or Information
PowerShell script variants used between January and April of 2023 had various levels of obfuscation.
T1105 - Ingress Tool Transfer
PowerShell command that downloads a 'Pterodo' payload from the attacker's (C2) server.
T1091 - Replication Through Removable Media
PowerShell script will enumerate all drives on the computer and copy itself to any removable USB disks.
Suggested Correction(s):
Users should follow phishing best practices, such as:
Do not open emails or download software from untrusted sources Do not click on links or attachments in emails that come from unknown senders Do not supply passwords, personal, or financial information via email to anyone (sensitive information is also used for double extortion) Always verify the email sender's email address, name, and domain Protect devices using antivirus, anti-spam and anti-spyware software Report phishing emails to the appropriate security or I.T. staff immediately
Additionally, organizations should review their USB policies and decide if USB devices are necessary in your environment. USB’s can be disabled via Group policies, or by more extreme measures like physically removing or blocking USB ports on corporate devices.
Link(s):
https://www.bleepingcomputer.com/