Thursday, March 28, 2024

Shuckworm Group uses Weaponized Word Document to Infect Victims Computer

Symantec’s Threat Hunter team has recently discovered a hacking group which is dubbed as Shuckworm that has its root links with Russia using weaponized word documents to infect their targets’ computers in Ukraine.

This Russian-linked hacking group, Shuckworm, has been active since 2013, and it’s mainly specialized in operating cyber-espionage campaigns against the entities in Ukraine. While this group has other names and here they are:-

  • Gamaredon
  • Armageddon

The Shuckworm hacking group is believed to be operating directly from the Russian FSB (Federal Security Service). The operators of Shuckworm use phishing emails to distribute the following things:-

  • Remote Manipulator System (RMS)
  • UltraVNC
  • Pterodo/Pteranodon (Customized malware)

However, in recent times this group has sophisticatedly developed all its TTPs and used them to steal their victims’ credentials and infect the network to move laterally.

Files used by Shuckworm

The hackers spotted using seven files in their recent attacks, and all seven files are 7-zip SFX self-extracting binaries. Here are files used by the hackers:-

  • descend.exe: Runs to save a VBS file to “% USERPROFILE% \ Downloads \ deerbrook.ppt” and “% PUBLIC% \ Pictures \ deerbrook.ppt”
  • deep-sunken.exe: Runs to drop four more files on the compromised computer.
  • z4z05jn4.egf.exe: Throws the files in different folders and then uses different file names.
  • defiant.exe: Runs to save VBS files to “% TEMP% \\ deep-versed.nls” and “% PUBLIC \ Pictures \ deep-versed.nls”
  • deep-green.exe: UltraVNC remote management tool
  • deep-green.exe: Process Explorer is a freeware task manager and system monitor for Microsoft Windows.
  • deep-green.exe: Throws the files in different folders and then uses different file names.
  • deep-green.exe: Removes VBS on “% PUBLIC% \ Music \”

On the compromised machine, a number of documents were opened from several locations before the VNC client installation to create confusion and increase the complexity. 

As doing so helps the threat actors to collect and exfiltrate sensitive information from the compromised system of their target. Moreover, the documents that are accessed by the threat actors range from job descriptions to sensitive information.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates.

Website

Latest articles

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles