The Russia-linked threat actor known as Gamaredon (aka Shuckworm) has been attributed to a cyber attack targeting a foreign military mission based in Ukraine, with the goal of delivering an updated version of a known malware referred to as GammaSteel.
The group targeted the military mission of a Western country, per the Symantec Threat Hunter team, with the first signs of the malicious activity detected on February 26, 2025.
“The initial infection vector used by the attackers appears to have been an infected removable drive,” the Broadcom-owned threat intelligence division said in a report shared with The Hacker News.
The attack started with the creation of a Windows Registry value under the UserAssist key, followed by launching "mshta.exe" via "explorer.exe" to initiate a multi-stage infection chain and launch two files.
The first file, named "NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms," is used to establish communications with a command-and-control (C2) server whose address is obtained by reaching out to specific URLs associated with legitimate services such as Teletype, Telegram, and Telegraph, among others.
The second file, "NTUSER.DAT.TMContainer00000000000000000002.regtrans-ms," is designed to infect any removable drives and network drives by creating a shortcut file for every folder that executes the malicious "mshta.exe" command, and then hiding the original folder.
Subsequently, on March 1, 2025, the script was executed to contact a C2 server, exfiltrate system metadata, and receive, in return, a Base64-encoded payload, which is then used to run a PowerShell command engineered to download an obfuscated new version of the same script.
The script, for its part, connects to a hard-coded C2 server to fetch two more PowerShell scripts, the first of which is a reconnaissance utility capable of capturing screenshots, running the systeminfo command, getting details of the security software running on the host, enumerating files and folders on the Desktop, and listing running processes.
The second PowerShell script is an improved version of GammaSteel, a known information stealer that is capable of exfiltrating files from a victim's Desktop and Documents folders based on an extension allowlist.
“This attack does mark something of an increase in sophistication for Shuckworm, which appears to be less skilled than other Russian actors, though it compensates for this with its relentless focus on targets in Ukraine,” Symantec said.
“While the group doesn't appear to have access to the same skill set as some other Russian groups, Shuckworm does now appear to be attempting to compensate for this by continually making minor modifications to the code it uses, adding obfuscation, and leveraging legitimate web services, all to try to lower the risk of detection.”
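The execution chain described above (explorer.exe spawning mshta.exe against a file disguised as a registry transaction log) is a concrete pattern a detection engineer can hunt for in process-creation telemetry. The following is an added example, not code from the Symantec report; the simplified Sysmon-style events and file paths are constructed for illustration.

```python
"""Flag mshta.exe launches matching the GammaSteel delivery pattern in process-creation logs."""
import re

# Constructed sample events (Sysmon Event ID 1-style fields, simplified).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Users\alice\AppData\Local\NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Tools\legit.hta"},
    {"ParentImage": r"C:\Program Files\App\app.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe readme.txt"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe E:\Documents\NTUSER.DAT.TMContainer00000000000000000002.regtrans-ms"},
]

# First argument after mshta(.exe), with or without surrounding quotes.
TARGET_RE = re.compile(r'mshta(?:\.exe)?"?\s+"?(?P<target>[^"]+?)"?\s*$', re.IGNORECASE)
# File name shaped like a registry transaction log, as used by the two stages described in the article.
DISGUISE_RE = re.compile(r"^NTUSER\.DAT\.TMContainer\d+\.regtrans-ms$", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event: dict) -> list:
    """Return the detection reasons that fire for one process-creation event (empty if benign)."""
    reasons = []
    if basename(event["Image"]) != "mshta.exe":
        return reasons
    match = TARGET_RE.search(event["CommandLine"])
    target = match.group("target").strip() if match else ""
    # mshta normally runs .hta files; explorer.exe launching it on anything else is a strong signal.
    if basename(event["ParentImage"]) == "explorer.exe" and target and not target.lower().endswith(".hta"):
        reasons.append("explorer.exe launched mshta.exe against a non-.hta file")
    if DISGUISE_RE.match(basename(target)):
        reasons.append("mshta.exe target is disguised as a registry transaction log (.regtrans-ms)")
    return reasons


def scan(events: list) -> dict:
    """Map each flagged command line to its reasons; events with no reasons are omitted."""
    return {e["CommandLine"]: r for e in events if (r := detect(e))}


if __name__ == "__main__":
    for cmdline, reasons in scan(SAMPLE_EVENTS).items():
        print(cmdline, "->", "; ".join(reasons))
```

The same two rules translate directly into a SIEM query on the parent image, image and command-line fields; the second rule is the more specific of the two and should carry the higher severity.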