The Russia-linked cyber threat group known as Gamaredon, also referred to as Shuckworm, has been linked to a cyber attack targeting a foreign military mission in Ukraine, aiming to deploy an updated version of the known malware, GammaSteel. The attack was first detected by Symantec's Threat Hunter team on February 26, 2025, with initial signs indicating that an infected removable drive was likely used as the infection vector.
The attackers started the operation by creating a Windows Registry value under the UserAssist key, followed by the execution of "mshta.exe" through "explorer.exe" to initiate a multi-stage infection chain. This led to the launch of two files: the first file, "NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms," established communication with a command-and-control (C2) server, connecting to URLs associated with legitimate services like Teletype, Telegram, and Telegraph. The second file, "NTUSER.DAT.TMContainer00000000000000000002.regtrans-ms," was designed to infect removable and network drives by creating shortcut files in every folder to execute the malicious "mshta.exe" command and conceal it.
By March 1, 2025, the script contacted the C2 server, exfiltrated system metadata, and received a Base64-encoded payload. This payload was then used to execute a PowerShell command, which downloaded an obfuscated new version of the same script. The script, in turn, fetched two additional PowerShell scripts from a hard-coded C2 server. The first script acted as a reconnaissance utility, capable of taking screenshots, running system information commands, identifying security software, and enumerating files and folders in the Desktop and Documents directories. The second PowerShell script delivered an upgraded version of GammaSteel, an information-stealing malware capable of exfiltrating files from victim machines, focusing on files with specific extensions in the Desktop and Documents folders.
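As an added illustration (not code from the article or from Symantec's report), the following Python checker flags process-creation records that match the explorer.exe to mshta.exe launch chain described above, where the loaders were named like registry transaction logs. The log lines are constructed key=value records standing in for Sysmon Event ID 1 fields (Image, ParentImage, CommandLine); the rule that treats any non-HTA file handed to mshta.exe as suspicious generalises beyond the article's single .regtrans-ms case.

```python
"""Flag process-creation records matching the explorer.exe -> mshta.exe chain described above.
Log lines are constructed 'Key=Value|Key=Value' records, not real Sysmon telemetry."""
import ntpath
from typing import Dict, List, Tuple

HTA_EXTENSIONS = {".hta", ".htm", ".html"}

def parse_record(line: str) -> Dict[str, str]:
    """Split one constructed log line into a field dict."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def script_argument(command_line: str) -> str:
    """Return the file argument handed to mshta.exe, surrounding quotes removed."""
    parts = command_line.split(None, 1)
    return parts[1].strip().strip('"') if len(parts) == 2 else ""

def score_record(rec: Dict[str, str]) -> List[str]:
    """Reasons a record resembles the described chain; an empty list means no match."""
    reasons: List[str] = []
    if not rec.get("Image", "").lower().endswith("\\mshta.exe"):
        return reasons
    if rec.get("ParentImage", "").lower().endswith("\\explorer.exe"):
        # A shortcut opened in Explorer runs mshta.exe with explorer.exe as its parent.
        reasons.append("mshta.exe spawned by explorer.exe")
    target = script_argument(rec.get("CommandLine", ""))
    ext = ntpath.splitext(target)[1].lower()
    if ext == ".regtrans-ms":
        # The loaders were named like registry transaction logs (NTUSER.DAT...regtrans-ms).
        reasons.append("payload disguised as a registry transaction log (.regtrans-ms)")
    elif target and ext not in HTA_EXTENSIONS:
        # Generalisation beyond the article: any non-HTA file fed to mshta.exe is worth a look.
        reasons.append(f"mshta.exe given a non-HTA file ({ext or 'no extension'})")
    return reasons

def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (CommandLine, reasons) for every record with at least one reason."""
    records = [parse_record(line) for line in lines]
    return [(r.get("CommandLine", ""), score_record(r)) for r in records if score_record(r)]

# Constructed sample records: one matching the chain, one benign HTA, one unrelated process.
SAMPLE_LOG = [
    "Image=C:\\Windows\\System32\\mshta.exe|ParentImage=C:\\Windows\\explorer.exe|"
    "CommandLine=mshta.exe \"E:\\NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms\"",
    "Image=C:\\Windows\\System32\\mshta.exe|ParentImage=C:\\Apps\\tool.exe|CommandLine=mshta.exe C:\\Apps\\ui.hta",
    "Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=notepad.exe notes.txt",
]
```

Running `scan(SAMPLE_LOG)` reports only the first record, with both the explorer.exe parent and the .regtrans-ms disguise as reasons; a benign HTA launched by another application produces no hit.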
Symantec noted that while Shuckworm may not possess the same technical capabilities as other Russian threat groups, it compensates for this with its persistence and focus on Ukrainian targets. The group has demonstrated an increasing level of sophistication by continuously modifying its code, adding obfuscation techniques, and leveraging legitimate web services to evade detection. This attack represents a notable shift in the group's tactics and highlights the ongoing threat posed by Shuckworm.