Russian hackers use new Pteredo backdoor variants in attacks against Ukraine

Threat analysts report that the Russian state-sponsored threat group known as Gamaredon (a.k.a. Armageddon/Shuckworm) is launching attacks against targets in Ukraine using new variants of the custom Pteredo backdoor.

Gamaredon has been launching cyber-espionage campaigns targeting the Ukrainian government and other critical entities since at least 2014.

The actor is known for its strong focus on Ukraine and has been attributed with over 5,000 cyberattacks against 1,500 public and private entities in the country.

According to a report by Symantec, which tracks the group as Shuckworm, the actor is currently using at least four variants of the "Pteredo" malware, also tracked as Pteranodon.

The backdoor's roots are in Russian hacker forums from 2016, from which Shuckworm took it and started to develop it privately with specialized DLL modules and features for stealing data, remote access, and analysis evasion.

Recent activity

Symantec's analysts report that all the different payloads recently deployed against Ukrainian targets performed similar tasks, but each communicates with a different command and control (C2) server address.

This indicates that the threat actor is using multiple, slightly different payloads to achieve redundancy and establish persistence that is resistant to malware cleaning actions.

Scheduled task added for persistence (Symantec)

In all four observed variants, the threat actors use obfuscated VBS droppers that add Scheduled Tasks and then fetch additional modules from the C2.

  • Pteredo.B – Modified self-extracting 7-Zip archive containing multiple VBScripts that focus on data collection and persistence establishment.
  • Pteredo.C – VBScript-ridden variant that launches with an API hammering process to ensure it’s not running in an analyst’s sandbox. Relies on fetching PowerShell scripts from external sources and executing them.
PowerShell used by Pteredo.C (Symantec)
  • Pteredo.D – Another obfuscated VBScript dropper that flushes DNS before it fetches payloads, executes commands, and wipes traces of early infection stages.
  • Pteredo.E – Another variant featuring a mix of the features of the previous three, such as heavy obfuscation and API hammering.

Other tools employed and abused in recent Shuckworm attacks include the UltraVNC remote access tool, and the Microsoft Process Explorer for handling the DLL module processes.
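One way a defender could turn the chain described above (a script host creating a scheduled task, flushing DNS, then fetching a PowerShell payload) into a host-level correlation check. This is an added example, not code from the Symantec report or this article; the event field names and the sample process-creation records are constructed assumptions.

```python
"""Heuristic detection for the Pteredo-style VBS dropper chain.
The records below are constructed (not real telemetry) and the field names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "net.webclient", "-enc")

# Constructed process-creation events: three chained stages on WS-A, benign admin use on WS-B,
# and a single isolated stage on WS-C (kept below the alert threshold).
SAMPLE_EVENTS = [
    {"host": "WS-A", "ts": "2022-04-20T09:00:05", "parent_image": "wscript.exe", "image": "schtasks.exe",
     "command_line": 'schtasks /create /tn "Update" /tr "wscript.exe C:\\Users\\Public\\u.vbs" /sc minute /mo 10'},
    {"host": "WS-A", "ts": "2022-04-20T09:00:09", "parent_image": "wscript.exe", "image": "ipconfig.exe",
     "command_line": "ipconfig /flushdns"},
    {"host": "WS-A", "ts": "2022-04-20T09:01:30", "parent_image": "wscript.exe", "image": "powershell.exe",
     "command_line": "powershell -w hidden -enc SQBFAFgA"},
    {"host": "WS-B", "ts": "2022-04-20T09:02:00", "parent_image": "explorer.exe", "image": "powershell.exe",
     "command_line": "powershell Invoke-WebRequest https://intranet.example/tool.ps1"},
    {"host": "WS-C", "ts": "2022-04-20T09:03:00", "parent_image": "wscript.exe", "image": "schtasks.exe",
     "command_line": 'schtasks /create /tn "Backup" /tr "wscript.exe C:\\b.vbs" /sc daily'},
]

def classify(event):
    """Map one process-creation record to a chain stage, or None. Only script-host children count."""
    parent, image, cmd = (event[k].lower() for k in ("parent_image", "image", "command_line"))
    if parent not in SCRIPT_HOSTS:
        return None
    if image == "schtasks.exe" and "/create" in cmd:
        return "scheduled_task_persistence"
    if image == "ipconfig.exe" and "/flushdns" in cmd:
        return "dns_flush"
    if image == "powershell.exe" and any(m in cmd for m in DOWNLOAD_MARKERS):
        return "powershell_remote_fetch"
    return None

def correlate(events, window=timedelta(minutes=10), min_stages=2):
    """Per host, alert when at least `min_stages` distinct stages fall within `window` of the first hit."""
    per_host = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        first = hits[0][0]
        stages = {s for t, s in hits if t - first <= window}
        if len(stages) >= min_stages:
            alerts[host] = sorted(stages)
    return alerts

def detect_sample():
    """Run the correlation over the constructed events; only WS-A should alert."""
    return correlate(SAMPLE_EVENTS)
```

Requiring two or more stages per host keeps a lone scheduled-task creation from a script (common in legitimate automation) from paging anyone, while the parent-process check excludes PowerShell downloads launched interactively by an administrator.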

Similarities to January campaign

By looking into Shuckworm's activity against Ukrainian targets from January 2022, it is easy to conclude that the tactics of the threat group haven't shifted significantly.

In those previous attacks, Pteredo backdoor variants were dropped using VBS files hidden inside DOC file attachments in spear-phishing emails.

The 7-Zip self-extracting binaries that minimize user interaction were also used in January, while UltraVNC and Process Explorer abuse was also spotted.

While Shuckworm/Gamaredon is a rather sophisticated group, its toolset and infection tactics have not improved in recent months, allowing for easier detection and simpler defense tactics.

The Pteredo backdoor is still under active development, though, and the threat group could be working on an overhauled and much more potent or stealthy version of the malware, as well as modifying its attack chain.
