Shuckworm Hack Group Targets Ukrainian Companies with Pterodo Backdoor
Symantec experts have reported that the Shuckworm hack group (also known as Armageddon, Gamaredon, Iron Tilden, Primitive Bear, Trident Ursa, UNC530, Winterflounder, and so on) is attacking Ukrainian companies using the Pterodo backdoor distributed via USB drives. The main targets of the hackers are important organizations in the military and intelligence sectors.
Shuckworm Activity in 2023
According to experts, in some cases the group managed to sustain attacks for up to three months, which could ultimately give the attackers access to "significant amounts of confidential information." Shuckworm activity spiked between February and March 2023, and the hackers maintained a presence on some compromised machines until May 2023.
Phishing Emails and Malicious Attachments
To launch attacks, Shuckworm typically uses phishing emails carrying malicious attachments disguised as .docx, .rar, .sfx, .lnk, and .hta files. Topics such as armed conflict, criminal prosecution, crime control, and child protection are often used as bait to trick targets into opening both the message and its malicious attachments.
The new Shuckworm campaign debuted a new piece of malware: a PowerShell script that delivers the Pterodo backdoor. The script runs when an infected USB drive is connected to a target computer. It first copies itself to the target machine and creates shortcut files with a double .rtf.lnk extension (video_porn.rtf.lnk, do_not_delete.rtf.lnk and evidence.rtf.lnk). Such names are meant to entice targets into opening the files so that Pterodo can infiltrate their machines.
The script then enumerates all drives connected to the target computer and copies itself to every attached removable drive, both for further lateral movement and in the hope of reaching isolated (air-gapped) devices that are deliberately kept off the internet to protect them from compromise.
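A defender-side check for the lure files described above, added here as an example and not taken from the Symantec report: it walks a mounted drive and flags Windows shortcuts whose names carry a fake document extension (the `.rtf.lnk` pattern). The list of mimicked document extensions and the sample file layout are assumptions, not indicators from the page.

```python
import os
import re
import tempfile
from pathlib import Path

# Document extensions the double-extension trick typically mimics. The page only
# shows .rtf; the others are an assumption added for broader coverage.
DOC_EXTENSIONS = {"rtf", "doc", "docx", "pdf", "xls", "xlsx", "txt"}

# Matches "<name>.<ext>.lnk", e.g. "evidence.rtf.lnk" (case-insensitive)
DOUBLE_EXT_LNK = re.compile(r"^.+\.([A-Za-z0-9]{1,5})\.lnk$", re.IGNORECASE)


def is_double_extension_lnk(name: str) -> bool:
    """True when a file name is a Windows shortcut disguised as a document."""
    m = DOUBLE_EXT_LNK.match(name)
    return bool(m) and m.group(1).lower() in DOC_EXTENSIONS


def scan_tree(root: str) -> list[str]:
    """Walk a mounted removable drive (or any directory) and return suspicious shortcut paths."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            if is_double_extension_lnk(fn):
                hits.append(os.path.join(dirpath, fn))
    return sorted(hits)


def demo() -> list[str]:
    """Build a constructed sample drive layout in a temp dir, scan it, return relative hits."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample: the three lure names from the report plus benign files.
        for name in ["video_porn.rtf.lnk", "do_not_delete.rtf.lnk", "evidence.rtf.lnk",
                     "report.rtf", "notes.lnk", "budget.xlsx"]:
            Path(tmp, name).write_bytes(b"")
        Path(tmp, "sub").mkdir()
        Path(tmp, "sub", "scan.pdf.lnk").write_bytes(b"")
        return [Path(p).relative_to(tmp).as_posix() for p in scan_tree(tmp)]


if __name__ == "__main__":
    for hit in demo():
        print("suspicious shortcut:", hit)
```

Point `scan_tree()` at the mount point of a removable drive before any shortcut on it is opened; a plain `.lnk` whose name ends in a document extension is the cheap tell this campaign relies on.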
Covering Their Tracks
To cover their tracks, Shuckworm created dozens of malware variants (more than 25 PowerShell scripts between January and April 2023) and rapidly rotates the IP addresses and infrastructure used for command and control. The group also routes command and control through legitimate services, including Telegram and the Telegraph platform, to avoid detection.
The Shuckworm attacks demonstrate the importance of cybersecurity measures for organizations in the military and intelligence sectors. It is essential to keep all systems up to date and to scan every removable drive for malicious content before it is connected to any computer. It is also important to educate employees about the dangers of phishing emails and malicious attachments. By taking these steps to protect their systems, organizations can reduce the risk of becoming victims of such attacks.