Saturday, January 25, 2025
HomeCyber Security NewsShuckworm Group uses Weaponized Word Document to Infect Victims Computer

Shuckworm Group uses Weaponized Word Document to Infect Victims Computer

Published on

SIEM as a Service

Follow Us on Google News

Symantec’s Threat Hunter team has recently discovered a hacking group which is dubbed as Shuckworm that has its root links with Russia using weaponized word documents to infect their targets’ computers in Ukraine.

This Russian-linked hacking group, Shuckworm, has been active since 2013, and it’s mainly specialized in operating cyber-espionage campaigns against the entities in Ukraine. While this group has other names and here they are:-

  • Gamaredon
  • Armageddon

The Shuckworm hacking group is believed to be operating directly from the Russian FSB (Federal Security Service). The operators of Shuckworm use phishing emails to distribute the following things:-

  • Remote Manipulator System (RMS)
  • UltraVNC
  • Pterodo/Pteranodon (Customized malware)

However, in recent times this group has sophisticatedly developed all its TTPs and used them to steal their victims’ credentials and infect the network to move laterally.

Files used by Shuckworm

The hackers spotted using seven files in their recent attacks, and all seven files are 7-zip SFX self-extracting binaries. Here are files used by the hackers:-

  • descend.exe: Runs to save a VBS file to “% USERPROFILE% \ Downloads \ deerbrook.ppt” and “% PUBLIC% \ Pictures \ deerbrook.ppt”
  • deep-sunken.exe: Runs to drop four more files on the compromised computer.
  • z4z05jn4.egf.exe: Throws the files in different folders and then uses different file names.
  • defiant.exe: Runs to save VBS files to “% TEMP% \\ deep-versed.nls” and “% PUBLIC \ Pictures \ deep-versed.nls”
  • deep-green.exe: UltraVNC remote management tool
  • deep-green.exe: Process Explorer is a freeware task manager and system monitor for Microsoft Windows.
  • deep-green.exe: Throws the files in different folders and then uses different file names.
  • deep-green.exe: Removes VBS on “% PUBLIC% \ Music \”

On the compromised machine, a number of documents were opened from several locations before the VNC client installation to create confusion and increase the complexity. 

As doing so helps the threat actors to collect and exfiltrate sensitive information from the compromised system of their target. Moreover, the documents that are accessed by the threat actors range from job descriptions to sensitive information.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Beware of Fake Captcha Verifications Spreading Lumma Malware

In January, Netskope Threat Labs uncovered a sophisticated global malware campaign leveraging fake CAPTCHA...