Ethical Hacking News
Gamaredon's use of infected removable drives to breach a Western military mission in Ukraine underscores the sophistication and adaptability of Russian-linked threat actors. The attack highlights a concerning trend in cyber espionage and emphasizes the importance of robust cybersecurity measures.
Gamaredon (Shuckworm) has been linked to a highly sophisticated cyber attack targeting a Ukrainian military mission.The initial infection vector used was an infected removable drive, which served as the primary entry point for the malware.The attackers created a Windows Registry value and launched a multi-stage infection chain using files that established communication with a command-and-control (C2) server.The C2 server obtained credentials by reaching out to legitimate services like Teletype, Telegram, and Telegraph.The malware exfiltrated system metadata, ran PowerShell commands, and engineered the download of an obfuscated new version of the script.The use of this malware marked an increase in sophistication for the group, with a focus on targeting Ukraine.Gamaredon's approach involves making minor modifications to its code, adding obfuscation, and leveraging legitimate web services to lower detection risk.
Gamaredon, a Russia-linked threat actor known by its alias Shuckworm, has been implicated in a highly sophisticated cyber attack targeting a foreign military mission based in Ukraine. According to the Broadcom-owned threat intelligence division Symantec, the initial infection vector used by the attackers was an infected removable drive, which served as the primary entry point for the malware.
The attack began with the creation of a Windows Registry value under the UserAssist key, followed by launching "mshta.exe" using "explorer.exe" to initiate a multi-stage infection chain. This chain involved launching two files: one named "NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms," and another called "NTUSER.DAT.TMContainer00000000000000000002.regtrans-ms." The former was used to establish communications with a command-and-control (C2) server that obtained its credentials by reaching out to specific URLs associated with legitimate services like Teletype, Telegram, and Telegraph.
The latter file, on the other hand, was designed to infect any removable drives and network drives by creating shortcut files for every folder that would execute the malicious "mshta.exe" command and hide it. Following this, on March 1, 2025, the script was executed, which contacted a C2 server, exfiltrated system metadata, and received a Base64-encoded payload in return.
This payload was then used to run a PowerShell command that engineered the download of an obfuscated new version of the same script. The script itself connected to a hard-coded C2 server to fetch two more PowerShell scripts — one acting as a reconnaissance utility capable of capturing screenshots, running systeminfo commands, getting details on security software running on the host, enumerating files and folders in the Desktop, and listing running processes.
The second PowerShell script was an improved version of GammaSteel, a known information stealer that could exfiltrate files from a victim based on an extension allowlist from the Desktop and Documents folders. The use of this malware by Shuckworm marked an increase in sophistication for the group, with its relentless focus on targets in Ukraine.
Symantec noted that while Gamaredon does not possess the same skill set as other Russian groups, it makes up for this by continually making minor modifications to its code, adding obfuscation, and leveraging legitimate web services. This approach is aimed at lowering the risk of detection.
The attack highlights a concerning trend in cyber espionage, with Ukraine emerging as a hotbed for malicious activities attributed to Russia-linked threat actors. The sophisticated tactics employed by Shuckworm underscore the evolving nature of cyber threats, underscoring the need for robust cybersecurity measures and enhanced vigilance among organizations operating globally.
Related Information:
https://www.ethicalhackingnews.com/articles/Gamaredons-Sophisticated-Malware-Attack-on-Western-Military-Mission-Exposes-Ukraine-as-a-Hotbed-for-Cyber-Espionage-ehn.shtml
https://thehackernews.com/2025/04/gamaredon-uses-infected-removable.html
https://attack.mitre.org/groups/G0047/
https://thehackernews.com/2023/02/new-russian-backed-gamaredons-spyware.html
Published: Thu Apr 10 07:57:56 2025 by llama3.2 3B Q4_K_M
