Russian Gamaredon APT continues to target Ukraine

Pierluigi Paganini April 20, 2022

Russia-linked threat actor Gamaredon targets Ukraine with new variants of the custom Pterodo backdoor.

Russia-linked Gamaredon APT group (a.k.a. Armageddon, Primitive Bear, and ACTINIUM) continues to target Ukraine and it is using new variants of the custom Pterodo backdoor (aka Pteranodon).

The cyberespionage group is behind a recent series of spear-phishing attacks targeting Ukrainian entities and organizations related to Ukrainian affairs, since October 2021, Microsoft said.

Gamaredon has been launching cyber-espionage campaigns on Ukraine since at least 2014.

Researchers from Symantec revealed that the APT group is using at least four variants of the custom Pteredo backdoor in recent attacks.

Pteranodon is a multistage backdoor designed to collect sensitive information or maintain access to compromised machines. It is distributed through spear-phishing messages with weaponized office documents that appear to be designed to lure targets. 

Recent attacks attributed to Gamaredon were characterized by the deployment of multiple malware payloads on the targeted systems. The payloads delivered by the threat actors are usually different variants of the Backdoor.Pterodo that have been designed to perform similar tasks. The researchers pointed out that each variant will communicate with a different command-and-control (C&C) server.

“The most likely reason for using multiple variants is that it may provide a rudimentary way of maintaining persistence on an infected computer. If one payload or C&C server is detected and blocked, the attackers can fall back on one of the others and roll out more new variants to compensate.” reads the analysis published by Symantec.

The attackers are using multiple different payloads to establish persistence on the infected systems and to be resilient to takedown operations conducted by security firms and government experts.

The Pterodo variant employed in the attacks is a modified self-extracting archive, which contains obfuscated VBScripts that act as a dropper.

The backdoor achieves persistence by adding a scheduled task before downloading additional payloads from a C&C server.

Below the four variants of the Gamaredon’s backdoor analyzed by the experts:

  • Backdoor.Pterodo.B – This variant is a modified self-extracting archive, containing obfuscated VBScripts in resources that can be unpacked by 7-Zip.
  • Backdoor.Pterodo.C – This variant is also designed to drop VBScripts on the infected computer.  When run, it will first engage in API hammering, making multiple meaningless API calls, which is presumably an attempt to avoid sandbox detection.
  • Backdoor.Pterodo.D is another VBScript dropper.
  • Backdoor.Pterodo.E – The final variant is functionally very similar to variants B and C, engaging in API hammering before extracting two VBScript files to the user’s home directory. Script obfuscation is very similar to other variants.

The nation-state hackers also used other tools such as the UltraVNC remote-administration/remote-desktop-software utility. The Gamaredon APT was also observed using the popular Microsoft Sysinternals Process Explorer tool.

“While Shuckworm is not the most tactically sophisticated espionage group, it compensates for this in its focus and persistence in relentlessly targeting Ukrainian organizations. It appears that Pterodo is being continuously redeveloped by the attackers in a bid to stay ahead of detection.” concludes the report that also contains indicators of compromise (IoCs) for this campaign.

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit:  

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Gamaredon)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment