
Drives are the new weapon of Shuckworm hackers



The group uses infected USB drives to infiltrate corporate networks.

Cybersecurity experts at Symantec have found evidence of attempted attacks by the hacker group Shuckworm (also known as Gamaredon or Armageddon) against several organizations in Ukraine.

Shuckworm has been active since 2013 and uses phishing emails to distribute its own malware, called Pterodo, as well as other remote access tools. The group focuses solely on obtaining information about military and government activities.

According to Symantec, in February 2021 Shuckworm began using new malware in the form of a PowerShell script that Pterodo distributes via infected USB drives. The script is activated when such a drive is connected to a target computer. It copies itself to the computer and creates an .rtf.lnk shortcut that launches Pterodo on the machine. The files carry names such as video_porn.rtf.lnk, do_not_delete.rtf.lnk and evidence.rtf.lnk, an attempt to entice victims into opening them and thereby installing Pterodo.

The script also scans all drives connected to the computer and copies itself to every removable medium, probably in the hope of infecting isolated devices that are kept off the Internet for security reasons. To mask its activity, Shuckworm creates dozens of variants of its software and quickly rotates the IP addresses and command-and-control infrastructure it uses. The group also relies on legitimate services such as Telegram and the Telegraph microblogging platform for command and control, another attempt to evade detection.
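A defender-side check for the lure pattern described above, added here as an example (it is not code from the article or from Symantec): it walks a drive tree and flags shortcut files that hide a document extension in front of .lnk, including the three file names the article reports. The sample drive tree it scans is constructed in a temporary directory.

```python
"""Hunt for double-extension .lnk lures on a (removable) drive tree."""
import os
import re
import tempfile
from pathlib import Path

# Inner extensions that make a .lnk look like a harmless document.
DOC_EXTS = {"rtf", "doc", "docx", "pdf", "xls", "xlsx", "txt"}
# Lure names reported in the article for Shuckworm's USB-spread script.
KNOWN_LURES = {"video_porn.rtf.lnk", "do_not_delete.rtf.lnk", "evidence.rtf.lnk"}
# name.<inner-ext>.lnk, e.g. evidence.rtf.lnk
DOUBLE_EXT = re.compile(r"^(?P<stem>.+)\.(?P<inner>[a-z0-9]{2,5})\.lnk$", re.IGNORECASE)


def classify(name: str):
    """Return a reason string if the file name looks like a lure, else None."""
    m = DOUBLE_EXT.match(name)
    if not m:
        return None
    if name.lower() in KNOWN_LURES:
        return "known Shuckworm lure name"
    if m.group("inner").lower() in DOC_EXTS:
        return f"shortcut disguised as .{m.group('inner').lower()} document"
    return None


def scan_tree(root):
    """Walk root and return sorted (path, reason) pairs for suspicious .lnk files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            reason = classify(f)
            if reason:
                hits.append((os.path.join(dirpath, f), reason))
    return sorted(hits)


def demo_scan():
    """Build a constructed fake USB drive tree, scan it, return relative hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in ["video_porn.rtf.lnk", "docs/report.pdf.lnk", "docs/report.pdf",
                    "setup.lnk", "notes.txt"]:
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"")  # content is irrelevant; the check is on the name
        return [(Path(p).relative_to(root).as_posix(), r) for p, r in scan_tree(root)]


if __name__ == "__main__":
    for path, reason in demo_scan():
        print(f"{path}: {reason}")
```

Real LNK lures also need their target command inspected (the shortcut ultimately launches Pterodo), so treat a filename hit as a triage signal, not proof.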

Shuckworm uses phishing emails to distribute either freely available remote access tools such as Remote Manipulator System (RMS) and UltraVNC, or its specialized malware Pterodo/Pteranodon. The group also uses living-off-the-land tools to steal credentials and move through victims' networks.




