Wednesday, May 1, 2024

Shuckworm Group uses Weaponized Word Document to Infect Victims Computer

By Guru baran

Symantec’s Threat Hunter team has recently discovered a hacking group which is dubbed as Shuckworm that has its root links with Russia using weaponized word documents to infect their targets’ computers in Ukraine.

This Russian-linked hacking group, Shuckworm, has been active since 2013, and it’s mainly specialized in operating cyber-espionage campaigns against the entities in Ukraine. While this group has other names and here they are:-

  • Gamaredon
  • Armageddon

The Shuckworm hacking group is believed to be operating directly from the Russian FSB (Federal Security Service). The operators of Shuckworm use phishing emails to distribute the following things:-

  • Remote Manipulator System (RMS)
  • UltraVNC
  • Pterodo/Pteranodon (Customized malware)

However, in recent times this group has sophisticatedly developed all its TTPs and used them to steal their victims’ credentials and infect the network to move laterally.

Files used by Shuckworm

The hackers spotted using seven files in their recent attacks, and all seven files are 7-zip SFX self-extracting binaries. Here are files used by the hackers:-

  • descend.exe: Runs to save a VBS file to “% USERPROFILE% \ Downloads \ deerbrook.ppt” and “% PUBLIC% \ Pictures \ deerbrook.ppt”
  • deep-sunken.exe: Runs to drop four more files on the compromised computer.
  • z4z05jn4.egf.exe: Throws the files in different folders and then uses different file names.
  • defiant.exe: Runs to save VBS files to “% TEMP% \\ deep-versed.nls” and “% PUBLIC \ Pictures \ deep-versed.nls”
  • deep-green.exe: UltraVNC remote management tool
  • deep-green.exe: Process Explorer is a freeware task manager and system monitor for Microsoft Windows.
  • deep-green.exe: Throws the files in different folders and then uses different file names.
  • deep-green.exe: Removes VBS on “% PUBLIC% \ Music \”

On the compromised machine, a number of documents were opened from several locations before the VNC client installation to create confusion and increase the complexity. 

As doing so helps the threat actors to collect and exfiltrate sensitive information from the compromised system of their target. Moreover, the documents that are accessed by the threat actors range from job descriptions to sensitive information.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates.

Managed WAF Protection

Website

Latest articles

Chrome

Google Guide! How to Detect Browser Data Theft Using Windows Event Logs

In the ever-evolving cybersecurity landscape, Google is continually striving to protect user data from...
cyber security

Millions of Malicious “Imageless” Docker Hub Repositories Drop Malware

In a startling revelation, nearly 20% of Docker Hub repositories have been identified as...
Cloud

Attackers Leverage Sidecar Container Injection Technique To Stay Stealthy

Kubernetes (K8s) is an open-source container orchestration platform designed to automate application container deployment,...
Cyber Security News

How to Utilize Azure Logs to Identify Threats: Insights From Microsoft

Microsoft's Azure platform is a highly acclaimed and widely recognized solution that organizations worldwide...
cyber security

Redline Malware Using Lua Bytecode to Challenge the SOC/TI Team to Detect

The first instance of Redline using such a method is in a new variant...
cyber security

Threat Actor Claims Selling of Dell Database with 49M User Records

A threat actor reportedly sells a database containing 49 million user records from Dell,...
Android

Google Blocks 2.28M Malicious Apps Entering The Play Store

A safe and trusted Google Play experience is our top priority.We leverage our...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

WAAP/WAF ROI Analysis

Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

    • Book Your Spot

Related Articles

Connect with GBHackers On Security

Join 70,000 Security Professionals

Stay safe online with free daily cybersecurity updates. Sign up now!

GBHackers on security is a highly informative and reliable Cyber Security News platform that provides the latest and most relevant updates on Cyber Security News, Hacking News, Technology advancements, and Kali Linux tutorials on a daily basis. The platform is dedicated to keeping the community well-informed and up-to-date with the constantly evolving Cyber World.

Menu

Contact US:

Email : [email protected]