PowerShell USB Malware Employed by Russian Hackers for Backdoor Deployment

The state-sponsored hacking group known as Gamaredon (also referred to as Armageddon or Shuckworm) from Russia has intensified its targeting of critical organizations in Ukraine’s military and security intelligence sectors. They have employed an updated toolkit and new infection techniques.

Previously associated with the FSB, the Russian hackers had been observed using information-stealing malware against Ukrainian state organizations. They introduced new variants of their “Pteranodon” malware and utilized a default Word template hijacker for initiating fresh infections.

According to Symantec’s threat research team, a division of Broadcom, the threat actors have recently incorporated USB malware as a means to propagate within infected networks.

Another noteworthy aspect of Gamaredon’s latest campaign is their focus on targeting HR departments, which suggests potential spear-phishing attacks within compromised organizations.

Operations in 2023

Symantec’s analysts have reported a surge in Gamaredon’s activity between February and March 2023. The hackers maintained a presence on certain compromised machines until May 2023.

Gamaredon continues to rely on phishing emails as the initial point of compromise. Their targets primarily include government, military, security, and research organizations, with particular attention to their Human Resources departments.

Phishing emails carry attachments in formats such as RAR, DOCX, SFX, LNK, and HTA. If these attachments are opened, a PowerShell command is executed, downloading a ‘Pterodo’ payload from the attackers’ command-and-control (C2) server.

Symantec observed 25 variants of PowerShell scripts between January and April 2023. These scripts employed different levels of obfuscation and pointed to various Pterodo download IP addresses to evade static detection rules.

The PowerShell script copies itself to the infected machine and creates a shortcut file with an rtk.lnk extension. The generated LNK files have a wide range of names, including some designed to pique the victim’s curiosity, such as “weapons_list.rtf.lnk” or “compromising_evidence.rtf.lnk.”

When these files are launched, the PowerShell script enumerates all drives on the computer and replicates itself onto removable USB disks. This increases the likelihood of successful lateral movement within the compromised network.
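The propagation behaviour described above (a script host writing shortcut files with document-style double extensions, or the rtk.lnk naming, onto removable media) is something a defender can hunt for in file-creation telemetry. The following is an added detection example written for this page; it is not code from Symantec or from the article, and the event schema (process name, target path, removable flag) and the sample events are constructed stand-ins for whatever an EDR or Sysmon pipeline actually exports.

```python
"""Triage file-creation events for the LNK-on-USB propagation pattern.

Constructed example: the FileCreateEvent schema and SAMPLE_EVENTS below are
assumptions standing in for real endpoint telemetry, not a vendor format.
"""
import re
from dataclasses import dataclass

# A document-style extension followed by .lnk, e.g. "weapons_list.rtf.lnk".
DOUBLE_EXT_LNK = re.compile(r"\.(?:rtf|docx?|xlsx?|pdf|txt)\.lnk$", re.IGNORECASE)
# The "rtk.lnk" naming the article reports for the generated shortcuts.
RTK_SUFFIX = re.compile(r"rtk\.lnk$", re.IGNORECASE)
# Script hosts that have no business writing shortcuts to a USB stick.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class FileCreateEvent:
    process: str      # image name of the process that created the file
    path: str         # full path of the created file
    removable: bool   # True when the target volume is removable media


@dataclass
class Finding:
    path: str
    severity: str
    reasons: list


def lure_name_reasons(path):
    """Return the naming indicators present in the file name, if any."""
    name = path.rsplit("\\", 1)[-1]
    reasons = []
    if DOUBLE_EXT_LNK.search(name):
        reasons.append("double-extension shortcut masquerading as a document")
    if RTK_SUFFIX.search(name):
        reasons.append("rtk.lnk naming pattern")
    return reasons


def assess(event):
    """Score one event; None means nothing suspicious was observed."""
    reasons = lure_name_reasons(event.path)
    is_lnk = event.path.lower().endswith(".lnk")
    if is_lnk and event.removable and event.process.lower() in SCRIPT_HOSTS:
        reasons.append(f"{event.process} wrote a shortcut to removable media")
    if not reasons:
        return None
    # A shortcut landing on removable media is the propagation step itself,
    # so it outranks a suspicious name seen on a fixed disk.
    severity = "high" if (is_lnk and event.removable) else "medium"
    return Finding(event.path, severity, reasons)


def triage(events):
    """Run assess() over a batch and keep only the positive findings."""
    return [f for f in (assess(e) for e in events) if f is not None]


# Constructed sample telemetry, not captured data.
SAMPLE_EVENTS = [
    FileCreateEvent("powershell.exe", r"E:\weapons_list.rtf.lnk", removable=True),
    FileCreateEvent("explorer.exe", r"C:\Users\alice\Desktop\report.docx.lnk", removable=False),
    FileCreateEvent("explorer.exe", r"E:\holiday photos.lnk", removable=True),
    FileCreateEvent("powershell.exe", r"C:\Users\alice\AppData\Roaming\update_rtk.lnk", removable=False),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.path}: {'; '.join(finding.reasons)}")
```

The third sample event, an ordinary shortcut written to a USB stick by Explorer, produces no finding, which is the point of combining the three signals: a lone `.lnk` on removable media is everyday user activity, while a script host writing it, or a name that pretends to be a document, is what the article's description singles out.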

Symantec’s analysts discovered a base64-encoded file named “foto.safe” on one of the machines compromised by Gamaredon this year. The machine is believed to have been infected when an already-infected USB drive was connected to it; how that USB drive was first infected remains unclear.

“These USB drives are likely used by the attackers for lateral movement across victim networks and may be used to help the attackers reach air-gapped machines within targeted organizations,” Symantec cautioned.

Symantec anticipates that Gamaredon will maintain its focus on Ukraine, continuously updating its tools and refining attack tactics as it targets data relevant to Russia’s military operations.