Russian Hackers Continue Attacks on Ukraine Using New Malware Variant
The Russian group Gamaredon, also known as Shuckworm, has continued launching attacks against Ukraine. Threat analysts report that the advanced threat group is using a new variant of malware to attack critical Ukrainian infrastructure.
Pteredo backdoors have been a signature malware of the APT group across its various campaigns. This time, Symantec warns that new variants of the malware have been discovered and deployed to various networks. The new version of the malicious tool works like the original but is considered even more dangerous.
More on the Russian Hackers
The group has been active since 2013, relentlessly targeting the Ukrainian government and conducting cyber-espionage campaigns against organizations in Ukraine.
The group has long focused its activities on Ukraine and has launched over 5,000 attacks there. It sends phishing emails made to look very legitimate through various social engineering techniques, and it weaponizes tools and applications to conduct more harmful attacks and collect information about its targets.
The Pteredo backdoor remains effective because each payload communicates with its own command and control (C&C) server; if one server or payload is detected and blocked, the threat actors can fall back on another and deploy further variants to compensate.
Four Variants of Pteredo Backdoor
The first version, known as Pteredo.B, is a modified self-extracting archive that uses 7-Zip to unpack obfuscated VBScripts and then adds them as scheduled tasks to maintain persistence.
Pteredo.C is a variant that unpacks and drops VBS files on infected computers, first engaging in API hammering (issuing large numbers of API calls) to evade sandbox detection. Pteredo.D is another VBScript dropper. It creates two files and executes commands on them.
The final version, Pteredo.E, is very similar to variants B and C: it also engages in API hammering and extracts the VBScript files to the user's home directory.
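A defender-side heuristic for the persistence pattern described above (VBScript unpacked by a self-extracting archive and registered as a scheduled task), written as an added example that is not from the article or from Symantec's report. The process-creation events, paths and task names are constructed, and the regular expressions are assumptions about how such events appear in endpoint telemetry.

```python
import re

# Constructed sample process-creation events (hypothetical, not from the article):
# each entry is (parent_image, image, command_line).
SAMPLE_EVENTS = [
    # SFX stub running from Temp registers a VBS under the user's profile as a task
    ("C:\\Users\\alice\\AppData\\Local\\Temp\\7zSfx\\setup.exe",
     "C:\\Windows\\System32\\schtasks.exe",
     'schtasks /create /sc minute /mo 10 /tn "Updater" '
     '/tr "wscript.exe //B C:\\Users\\alice\\update.vbs"'),
    # Benign-looking task pointing at a Program Files binary
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\schtasks.exe",
     'schtasks /create /sc daily /tn "Backup" /tr "C:\\Program Files\\Backup\\backup.exe"'),
    # User double-clicking a script: not silent, no task, so not flagged here
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\wscript.exe",
     "wscript.exe C:\\Users\\bob\\Documents\\report.vbs"),
]

SCRIPT_HOST = re.compile(r"\b[wc]script(\.exe)?\b", re.IGNORECASE)
USER_DIR_VBS = re.compile(r'[A-Za-z]:\\Users\\[^\\]+\\[^"]*?\.vbs\b', re.IGNORECASE)
TASK_CREATE = re.compile(r"schtasks(\.exe)?\s+/create\b", re.IGNORECASE)


def classify_event(parent, image, cmdline):
    """Return the reasons an event resembles VBScript scheduled-task persistence."""
    reasons = []
    # Scheduled task whose action is a script host running a .vbs from a user profile
    if TASK_CREATE.search(cmdline) and SCRIPT_HOST.search(cmdline) and USER_DIR_VBS.search(cmdline):
        reasons.append("scheduled task runs a .vbs from a user profile directory")
    # Task created by a parent running out of a Temp directory (typical SFX unpack location)
    if "\\temp\\" in parent.lower() and TASK_CREATE.search(cmdline):
        reasons.append("task created by a process running from a Temp directory")
    # Script host launched silently (//B) on a .vbs under a user profile
    if SCRIPT_HOST.search(image) and USER_DIR_VBS.search(cmdline) and "//b" in cmdline.lower():
        reasons.append("script host run silently on a .vbs from a user directory")
    return reasons


def scan(events):
    """Return (index, reasons) for every event that triggers at least one heuristic."""
    hits = []
    for idx, (parent, image, cmdline) in enumerate(events):
        reasons = classify_event(parent, image, cmdline)
        if reasons:
            hits.append((idx, reasons))
    return hits
```

Tune the regexes to your own telemetry field names before deploying; the Temp-directory check in particular will need an allow-list for legitimate installers.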