Russian hackers strike again in Ukraine

Russian state hackers carry out one cyber attack after another on Ukrainian targets. For this they use various variants of the Pterodo malware. The perpetrators hope to cause as much damage as possible by means of an intensive and sustained attack campaign.

That is the conclusion of the Threat Hunter Team of cybersecurity company Symantec in a recent analysis.

Russian hacker group Shuckworm is behind recent cyber attacks

Security researchers suspect that the Russian hacker group Shuckworm – also known as Gamaredon and Armageddon – is responsible for the attacks. Since 2014, the group has focused almost exclusively on Ukraine. More than 5,000 cyber-attacks are attributed to the hacker collective. Since the Russian invasion of the neighbouring country in late February, Shuckworm members have continued to carry out cyber attacks.

“While the group’s tools and tactics are simple and at times crude, the frequency and persistence of its attacks means it remains one of the top cyber threats to organizations in the region,” Symantec writes. A characteristic of Shuckworm’s attacks is that the hackers deploy multiple malware payloads to infect computer systems.

Four variants of Pterodo malware in circulation

Cybersecurity experts at Symantec say they are different variants of the same malware: Backdoor.Pterodo. The variants are designed to perform similar tasks. The big difference is that each communicates with a different Command & Control server (C&C or C2 server). Should one variant be detected and blocked, the others can take over.

According to the researchers of Symantec’s Threat Hunter Team, there are four variants of the malware in circulation. These have been renamed Backdoor.Pterodo.B, Backdoor.Pterodo.C, Backdoor.Pterodo.D and Backdoor.Pterodo.E.

How Pterodo malware works

They are all so-called Visual Basic Script (VBS) droppers. These are scripts that are used to automate tasks on Microsoft’s Windows operating system. They save system administrators a lot of work, but can also be used by hackers for malicious purposes.

“They drop a VBScript file, use Scheduled Tasks (shtasks.exe) to maintain persistence, and download additional code from a C&C server. All embedded VBScripts are very similar and use similar obfuscation techniques,” said Symantec.
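A defender-side hunt for the persistence shape the quote describes (a Scheduled Task whose action launches a VBScript through Windows Script Host), added here as an example and not Symantec's code. The task definitions are constructed samples, and the XML namespace is the one Windows Task Scheduler uses for `schtasks /query /xml` output.

```python
import xml.etree.ElementTree as ET

# Default namespace of Windows Task Scheduler XML (what `schtasks /query /xml` emits)
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Windows Script Host binaries that execute .vbs files
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

def flag_vbs_tasks(tasks):
    """tasks: iterable of (task_name, task_xml).
    Returns the names of tasks whose Exec action runs a script host with a .vbs
    argument, i.e. the scheduled-task persistence pattern described for Pterodo."""
    hits = []
    for name, xml_text in tasks:
        root = ET.fromstring(xml_text)
        for exec_node in root.findall(".//t:Actions/t:Exec", NS):
            cmd = (exec_node.findtext("t:Command", default="", namespaces=NS) or "").strip().lower()
            args = (exec_node.findtext("t:Arguments", default="", namespaces=NS) or "").strip().lower()
            if any(cmd.endswith(host) for host in SCRIPT_HOSTS) and ".vbs" in args:
                hits.append(name)
                break  # one matching action is enough to flag the task
    return hits

# Constructed sample task definitions (not real Pterodo artefacts): one benign backup
# job and one task that re-launches a VBScript from a user-writable profile directory.
SAMPLE_TASKS = [
    ("NightlyBackup", """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>C:\\Program Files\\Backup\\backup.exe</Command>
  <Arguments>/full</Arguments></Exec></Actions>
</Task>"""),
    ("SystemUpdate", """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>C:\\Windows\\System32\\wscript.exe</Command>
  <Arguments>//B //Nologo "C:\\Users\\user\\AppData\\Roaming\\upd.vbs"</Arguments></Exec></Actions>
</Task>"""),
]

if __name__ == "__main__":
    for task_name in flag_vbs_tasks(SAMPLE_TASKS):
        print(f"suspicious scheduled task: {task_name}")
```

On a real host the same function can be fed the output of `schtasks /query /xml` per task; every hit still needs triage, since legitimate administrative scripts use the same mechanism.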

Shuckworm uses multiple tools to carry out cyber attacks

In addition to the Pterodo malware, Shuckworm also deploys other tools to carry out cyberattacks on Ukrainian targets. One of these is UltraVNC, an open-source remote desktop solution. Security researchers have also observed attacks involving Process Explorer, a utility from Microsoft that shows which DLLs running processes have opened or loaded.

Sandworm also active in Ukraine

Since the outbreak of the war between Russia and Ukraine, cyber-attacks have been happening back and forth. Recently, Sandworm hackers (not to be confused with Shuckworm) attacked a Ukrainian energy supplier. The aim was to disable important facilities in Ukraine. The attack on the energy grid failed.

The same hacker group, with close ties to the Kremlin, launched a malware attack called Cyclops Blink last month. The perpetrators tried to steal and delete data with this. They also tried to add new computers – also called zombies – to their botnet. American and British government agencies managed to repel the attack.

Russia wants to end cyber-aggression

Russia denies having anything to do with the cyberattacks on Ukrainian companies and agencies. Russia’s foreign ministry warned “anonymous hackers and provocateurs” in late March to stop “cyber aggression” against the country.

“There can be no doubt that the cyber-aggression unleashed against Russia will have serious consequences for the instigators and the perpetrators. The source of the attacks will be traced. The attackers will inevitably bear responsibility for their actions, in accordance with the requirements of the law,” the ministry said in a statement.
