
The Russia-linked threat actor known as Gamaredon (aka Shuckworm) has been attributed to a cyber attack targeting foreign military missions based in Ukraine, with the aim of delivering an updated version of the known malware called GammaSteel.
The group targeted the military mission of a Western country, according to the Symantec Threat Hunter Team, with the first indication of malicious activity detected on February 26, 2025.
“It appears that the first infection vector used by the attacker was an infected removable drive,” the threat intelligence division owned by Broadcom said in a report shared with The Hacker News.

The attack started with the creation of a Windows registry value under the UserAssist key, after which mshta.exe was launched via explorer.exe to start a multi-stage infection chain that launched two files.
The first file named “ntuser.dat.tmcontainer0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
The second file in question, “ntuser.dat.tmcontainer00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Then, on March 1, 2025, the script ran to contact the C2 server, send system metadata, and receive a Base64-encoded payload in return. This payload is used to run PowerShell commands designed to download new obfuscated versions of the same script.
This script connects to a hard-coded C2 server and fetches two more PowerShell scripts. The first is a reconnaissance utility that can capture screenshots, run the systeminfo command, get details of the security software running on the host, enumerate files and folders on the desktop, and list running processes.
The second PowerShell script is an improved version of GammaSteel, a known information stealer that can steal files from victims based on an extension list from the Desktop and Documents folders.
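As an added defensive illustration (not code from the Symantec report or this article), the chain described above maps onto simple process-lineage detections: explorer.exe spawning mshta.exe, mshta.exe spawning PowerShell, and PowerShell carrying a Base64-encoded command. The "parent|image|cmdline" log format and the sample events are constructed for this example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # image path of the parent process
    image: str    # image path of the created process
    cmdline: str  # full command line of the created process


def parse_events(log_text: str) -> list[ProcEvent]:
    """Parse constructed 'parent|image|cmdline' lines (simplified, not a real Sysmon export)."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parent, image, cmdline = line.split("|", 2)
        events.append(ProcEvent(parent.lower(), image.lower(), cmdline))
    return events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


# -e/-ec/-enc/-EncodedCommand followed by a Base64 blob of at least 20 characters
ENC_FLAG = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")
SHELLS = ("powershell.exe", "pwsh.exe")


def evaluate(ev: ProcEvent) -> list[str]:
    """Return the names of the lineage/command-line rules this single event trips."""
    hits = []
    p, i = basename(ev.parent), basename(ev.image)
    if p == "explorer.exe" and i == "mshta.exe":
        hits.append("explorer_spawns_mshta")
    if p == "mshta.exe" and i in SHELLS:
        hits.append("mshta_spawns_powershell")
    if i in SHELLS and ENC_FLAG.search(ev.cmdline):
        hits.append("powershell_encoded_command")
    return hits


def detect(log_text: str) -> list[tuple[int, str]]:
    """Return (event_number, rule) pairs for every event in the log that trips a rule."""
    return [(n, r) for n, ev in enumerate(parse_events(log_text), 1) for r in evaluate(ev)]


# Constructed sample events: two from a chain like the one described, two benign.
SAMPLE_LOG = r"""
C:\Windows\explorer.exe|C:\Windows\System32\mshta.exe|mshta.exe E:\ntuser.dat.tmcontainer_SAMPLE
C:\Windows\System32\mshta.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -w hidden -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
C:\Windows\explorer.exe|C:\Program Files\Mozilla Firefox\firefox.exe|firefox.exe
C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
"""

if __name__ == "__main__":
    for number, rule in detect(SAMPLE_LOG):
        print(f"event {number}: {rule}")
```

Real deployments would key the same rules on Sysmon Event ID 1 or Windows 4688 fields (ParentImage, Image, CommandLine) rather than this constructed format.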

“This attack marks something of an increase in the refinement of Shuckworm, which appears to be less skilled than other Russian actors, but compensates for this by mercilessly focusing on Ukrainian targets,” Symantec said.
“While the group doesn’t appear to have access to the same skill set as other Russian groups, it appears Shuckworm is trying to compensate for this by continuously changing the code it uses, adding obfuscation, and leveraging legitimate web services to reduce the risk of detection.”