Symantec’s Threat Hunter team has recently discovered a hacking group, dubbed Shuckworm, with links to Russia, which is using weaponized Word documents to infect its targets’ computers in Ukraine.
This Russian-linked hacking group, Shuckworm, has been active since 2013 and primarily specializes in running cyber-espionage campaigns against entities in Ukraine. The group also goes by other names, which are:
Shuckworm is believed to operate directly on behalf of the Russian FSB (Federal Security Service). The operators of Shuckworm use phishing emails to distribute the following:
- Remote Manipulator System (RMS)
- Pterodo/Pteranodon (customized malware)
However, in recent times this group has substantially evolved its TTPs and used them to steal its victims’ credentials and infect the network in order to move laterally.
Files used by Shuckworm
The hackers were observed using seven files in their recent attacks, and all seven files are 7-zip SFX self-extracting binaries. Here are the files used by the hackers:
- descend.exe: Runs to save a VBS file to “%USERPROFILE%\Downloads\deerbrook.ppt” and “%PUBLIC%\Pictures\deerbrook.ppt”
- deep-sunken.exe: Runs to drop four more files on the compromised computer.
- z4z05jn4.egf.exe: Drops the files into various folders and then uses different file names.
- defiant.exe: Runs to save VBS files to “%TEMP%\deep-versed.nls” and “%PUBLIC%\Pictures\deep-versed.nls”
- deep-green.exe: UltraVNC remote administration tool
- deep-green.exe: Process Explorer, a freeware task manager and system monitor for Microsoft Windows.
- deep-green.exe: Drops the files into various folders and then uses different file names.
- deep-green.exe: Removes VBS files in “%PUBLIC%\Music\”
On the compromised machine, a number of documents were opened from several locations before the VNC client was installed, in order to create confusion and increase complexity.
Doing so helps the threat actors collect and exfiltrate sensitive information from their target’s compromised system. Moreover, the documents accessed by the threat actors range from job descriptions to sensitive information.