A Russian-linked threat group that has almost exclusively targeted Ukraine since it first appeared on the scene in 2014 is deploying multiple variants of its malware payload on systems within the country.
The Shuckworm gang – also known as Armageddon and Gamaredon – is using at least four distinct variants of its Pterodo backdoor that are designed to perform similar tasks but communicate with different command-and-control (C2) servers, according to Symantec’s Threat Hunter Team.
“The most likely reason for using multiple variants is that it may provide a rudimentary way of maintaining persistence on an infected computer,” the researchers wrote in a blog post Wednesday. “If one payload or [C2] server is detected and blocked, the attackers can fall back on one of the others and roll out more new variants to compensate.”
Shuckworm’s attacks are part of an ongoing campaign by Russian state-sponsored threat groups that escalated their efforts in the run-up to the invasion of Ukraine in late February, and have continue their attacks since. The active cyberwarfare that has paralleled Russia’s military attack has worried Western agencies that it could spill over to companies in the US and elsewhere, either incidentally via third parties or directly due to the harsh sanctions imposed on Russia.
In Shuckworm’s case, the gang has been active for years. The Security Service of Ukraine (SSU) last year said the group was responsible for more than 5,000 attacks against public agencies or critical infrastructure and linked Shuckworm to the FSB, Russia’s security service and successor to the KGB. The SSU said the group targeted more than 1,500 government computer systems over seven years.
“These attacks [in Ukraine] have continued unabated since the Russian invasion of the country,” the Symantec researchers wrote. “While the group’s tools and tactics are simple and sometimes crude, the frequency and persistence of its attacks mean that it remains one of the key cyber threats facing organizations in the region.”
They noted that Shuckworm seems mostly focused on espionage and intelligence gathering but said the attacks could be a precursor to more serious incidents if the group turns over the access it gets to Ukrainian organizations to other Russian-sponsored threat actors.
The four observed variants of the custom Pterodo malware – which also is known as Pteranodon – all use Visual Basic Script (VBS) droppers with similar functions. They drop a VBScripts file, use Scheduled Tasks (shtasks.exe) to ensure persistence, and download code from a C2 server.
“All of the embedded VBScripts were very similar to one another and used similar obfuscation techniques,” Symantec’s researchers wrote.
Shuckworm relies heavily on phishing emails to lure targeted users into unwittingly executing the malicious code. The Pterodo.B variant is a modified self-extracting archive that includes obfuscated VBScripts in resources that are unpacked by 7-Zip, an open-source file archiver. The variant is designed to gather information like the serial number of the C drive – which is sent to the C2 server – and ensure persistence.
Pterodo.C also drops VBScripts on a targeted computer but will first make multiple and meaningless API calls to make sure it’s not running in a sandbox. It uses a PowerShell script from a random domain. Pterodo.D is another VBScript dropper that creates and executes two files, with the second script using two layers of obfuscation.
Pterodo.E “is functionally very similar to variants B and C, engaging in API hammering before extracting two VBScripts to the user’s home directory,” the researchers wrote. “Script obfuscation is very similar to other variants.”
Along with the Pterodo backdoor, Shuckworm uses other tools alongside, including UltraVNC, an open-source remote administration and remote desktop software utility that has been used by the gang in previous attacks, and Process Explorer, a tool with Microsoft’s Sysinternals for managing handles and DLL processes.
“While Shuckworm is not the most tactically sophisticated espionage group, it compensates for this in its focus and persistence in relentlessly targeting Ukraine organizations,” the researchers wrote. “It appears that Pterodo is being continuously redeveloped by attackers in a bid to stay head of detection.” ®