How Gamaredon Conducts Cyberattacks Amid International Tensions

A cyberattack campaign by the Russian state-sponsored threat group Gamaredon, also tracked as Shuckworm, has targeted a Western country's military mission in Ukraine. The attack took place between February and March and used trojanized removable drives to deliver a new variant of GammaSteel, an information-stealing malware. The first evidence of the intrusion was a new UserAssist key in the Windows registry of the infected systems.

Gamaredon’s intrusion involves two primary files: one for managing command-and-control activities and another for compromising additional removable drives with LNK files. The threat group employs a reconnaissance PowerShell script to gather screenshots and device information. Later, a PowerShell-based version of GammaSteel is used to exfiltrate various document types through PowerShell web requests. A new registry key is added for persistence.
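Because the intrusion was first spotted through a UserAssist key, and because the infection path is shortcut (LNK) files on removable drives, a defender's first triage step is to decode the UserAssist entries and look for launches from non-system drive letters. The script below is an added example, not code from the article or from Symantec's report. It assumes the documented UserAssist layout (ROT13-encoded value names, 72-byte values with the run count at offset 4 and the last-execution FILETIME at offset 60), uses the two well-known UserAssist subkey GUIDs for executable and shortcut launches, and runs offline on constructed sample entries; the drive-letter rule and the sample paths are assumptions for illustration.

```python
"""Decode and triage Windows UserAssist registry entries (added example)."""
import codecs
import re
import struct
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# UserAssist subkeys: executable launches vs. shortcut (.lnk) launches
GUID_EXECUTABLES = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"
GUID_SHORTCUTS = "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SYSTEM_DRIVE = "C:"  # assumption: the OS volume; any other letter is treated as removable/unknown

# Known-folder GUID prefix that Windows prepends to many entries, e.g. {...}\cmd.exe
_KNOWN_FOLDER = re.compile(r"^\{[0-9A-Fa-f-]{36}\}\\")


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """Convert a 64-bit Windows FILETIME (100 ns ticks since 1601-01-01) to UTC."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_userassist_entry(subkey_guid: str, value_name: str, blob: bytes) -> dict:
    """Decode one UserAssist value: ROT13 name, run count (offset 4), last run (offset 60)."""
    if len(blob) < 68:
        raise ValueError("UserAssist value too short: %d bytes" % len(blob))
    run_count = struct.unpack_from("<I", blob, 4)[0]
    last_run = filetime_to_datetime(struct.unpack_from("<Q", blob, 60)[0])
    return {
        "subkey": subkey_guid,
        "path": codecs.decode(value_name, "rot_13"),
        "run_count": run_count,
        "last_run": last_run,
    }


def is_suspicious(entry: dict) -> bool:
    """Heuristic (assumption for this example): launched from a non-system drive letter,
    which is what a shortcut on a removable drive looks like in UserAssist."""
    path = _KNOWN_FOLDER.sub("", entry["path"])
    m = re.match(r"^([A-Za-z]:)\\", path)
    return bool(m) and m.group(1).upper() != SYSTEM_DRIVE


def triage(entries: List[Tuple[str, str, bytes]]) -> List[dict]:
    """Parse raw (subkey, value name, value bytes) tuples and return the suspicious ones."""
    return [p for p in (parse_userassist_entry(*e) for e in entries) if is_suspicious(p)]


def read_live_userassist(subkey_guid: str) -> List[Tuple[str, str, bytes]]:
    """Read HKCU\\...\\UserAssist\\<guid>\\Count on a Windows host (not used offline)."""
    import winreg  # Windows-only; imported lazily so the module loads elsewhere
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\%s\Count" % subkey_guid
    out = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            out.append((subkey_guid, name, data))
            index += 1
    return out


def _make_value(run_count: int, last_run: datetime) -> bytes:
    """Build a 72-byte UserAssist value in the Windows 7+ layout (constructed sample data)."""
    ft = (last_run - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    return (struct.pack("<IIII", 0, run_count, 0, 0)  # session id, run count, focus count, focus time
            + b"\x00" * 40                            # ten 4-byte floats, unused here
            + b"\xff\xff\xff\xff"                     # offset 56: unknown, commonly 0xFFFFFFFF
            + struct.pack("<Q", ft)                   # offset 60: last execution FILETIME
            + b"\x00" * 4)                            # offset 68: padding


# Constructed sample entries: (subkey GUID, ROT13-encoded value name, value bytes)
SAMPLE_ENTRIES = [
    (GUID_EXECUTABLES,
     codecs.encode(r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe", "rot_13"),
     _make_value(12, datetime(2025, 3, 3, 9, 15, tzinfo=timezone.utc))),
    (GUID_SHORTCUTS,
     codecs.encode(r"E:\Documents.lnk", "rot_13"),
     _make_value(1, datetime(2025, 3, 5, 8, 2, tzinfo=timezone.utc))),
    (GUID_SHORTCUTS,
     codecs.encode(r"C:\Users\alice\Desktop\Outlook.lnk", "rot_13"),
     _make_value(40, datetime(2025, 3, 5, 8, 30, tzinfo=timezone.utc))),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_ENTRIES):
        print("%s  runs=%d  last=%s  (%s)" % (hit["path"], hit["run_count"], hit["last_run"], hit["subkey"]))
```

On a live host, feed `read_live_userassist(GUID_SHORTCUTS)` into `triage` instead of the constructed list; the run count and timestamp give the number of launches and the time of the last one, which is exactly the evidence needed to scope when a removable drive was first used.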

Symantec researchers assess that these attacks reflect Gamaredon's efforts to improve its covert operations, even though its tooling is less sophisticated than that of other Russian state-backed groups. The campaign highlights Gamaredon's persistence and adaptability.

Moreover, the article mentions the resurfacing of the major cybercrime forum Cracked.io under a new domain after being shut down by Operation Talent, and the Paper Werewolf threat operation targeting Russian entities with the novel PowerModul backdoor.

In summary, the article underscores the ongoing cybersecurity threats from state-sponsored groups and cybercriminal forums, stressing the need for vigilant cyber defense mechanisms. These threats illustrate the evolving tactics of malicious actors in cyber espionage and disruption, emphasizing an increasing trend in cyber aggression and the necessity for advanced defensive capabilities.
