Shuckworm campaign

Symantec’s Threat Hunter team has recently discovered a hacking group which is dubbed as Shuckworm that has its root links with Russia using weaponized word documents to infect their targets’ computers in Ukraine.

This Russian-linked hacking group, Shuckworm, has been active since 2013, and it’s mainly specialized in operating cyber-espionage campaigns against the entities in Ukraine. While this group has other names and here they are:-

  • Gamaredon
  • Armageddon

The Shuckworm hacking group is believed to be operating directly from the Russian FSB (Federal Security Service). The operators of Shuckworm use phishing emails to distribute the following things:-

  • Remote Manipulator System (RMS)
  • UltraVNC
  • Pterodo/Pteranodon (Customized malware)

However, in recent times this group has sophisticatedly developed all its TTPs and used them to steal their victims’ credentials and infect the network to move laterally.

Files used by Shuckworm

The hackers spotted using seven files in their recent attacks, and all seven files are 7-zip SFX self-extracting binaries. Here are files used by the hackers:-

  • descend.exe: Runs to save a VBS file to “% USERPROFILE% \ Downloads \ deerbrook.ppt” and “% PUBLIC% \ Pictures \ deerbrook.ppt”
  • deep-sunken.exe: Runs to drop four more files on the compromised computer.
  • z4z05jn4.egf.exe: Throws the files in different folders and then uses different file names.
  • defiant.exe: Runs to save VBS files to “% TEMP% \\ deep-versed.nls” and “% PUBLIC \ Pictures \ deep-versed.nls”
  • deep-green.exe: UltraVNC remote management tool
  • deep-green.exe: Process Explorer is a freeware task manager and system monitor for Microsoft Windows.
  • deep-green.exe: Throws the files in different folders and then uses different file names.
  • deep-green.exe: Removes VBS on “% PUBLIC% \ Music \”

On the compromised machine, a number of documents were opened from several locations before the VNC client installation to create confusion and increase the complexity. 

As doing so helps the threat actors to collect and exfiltrate sensitive information from the compromised system of their target. Moreover, the documents that are accessed by the threat actors range from job descriptions to sensitive information.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates.

Gurubaran is a PKI Security Engineer. Certified Ethical Hacker, Penetration Tester, Security blogger, Co-Founder & Author of GBHackers On Security.

Leave a Reply