
Armageddon Leverages New Pterodo Variants

Written by PolySwarm Tech Team | Apr 29, 2022 6:37:13 PM



Background

This is a continuation of our coverage of cyberattacks targeting Ukrainian entities. Earlier this year, we published a blog post describing Armageddon activity targeting Ukraine and details on their infrastructure, as reported by Palo Alto’s Unit 42. Symantec recently reported on yet another wave of Armageddon attacks, leveraging new Pterodo variants to target Ukrainian assets.

What is Pterodo?

Pterodo, also known as Pteranodon, is a backdoor RAT. Armageddon is currently using at least four distinct variants of Pterodo. The four variants analyzed all used Visual Basic Script (VBS) droppers, dropped VBScript files, used Scheduled Tasks to ensure persistence, and downloaded code from a C2. Additionally, all four used similar obfuscation methods. Although the variants operate similarly to one another, each communicates with a different C2. Symantec assessed that the threat actors likely use multiple variants to help maintain persistence by providing a fallback C2. The variants are referred to as Backdoor.Pterodo.B, Backdoor.Pterodo.C, Backdoor.Pterodo.D, and Backdoor.Pterodo.E.


Backdoor.Pterodo.B is a modified self-extracting archive unpacked using 7-Zip. It contains obfuscated VBScripts, which it adds as scheduled tasks to maintain persistence. The script also copies itself to the [USERPROFILE]\ntusers.ini file. It creates two new obfuscated VBScripts. One of the VBScripts gathers system information and sends it to the C2, while the other copies a previously dropped ntusers.ini file to another desktop.ini file.

Backdoor.Pterodo.C also drops VBScripts on the victim machine but uses API hammering (making many meaningless API calls) in an attempt to evade sandbox detection. The malware unpacks a script and the file offspring.gif to C:\Users\[username]\. The variant then calls the script, which in turn runs ipconfig /flushdns and executes the offspring.gif file. offspring.gif downloads and executes a PowerShell script from a random subdomain of corolain[.]ru.

Backdoor.Pterodo.D is yet another VBScript dropper. It creates and executes two files. One script runs ipconfig /flushdns, then calls the second script and removes the original executable. The second script, which has two layers of obfuscation, downloads and executes the final payload from declined.delivered.maizuko[.]ru.

Backdoor.Pterodo.E operates similarly to variants B and C and uses script obfuscation similar to the other variants. This variant engages in API hammering then extracts two VBScript files to the victim’s home directory.
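As an added detection example (not part of the original post or of Symantec's report), the following Python triages constructed Sysmon-style process and DNS events for the behaviours described above: Scheduled Task registration of dropped scripts, a script host running ntusers.ini or offspring.gif, ipconfig /flushdns spawned from a script host, and lookups under the reported C2 parent domains. The event field names and sample values are assumptions made for this illustration.

```python
# Parent C2 domains and dropped-file names taken from the report above.
C2_DOMAINS = {"corolain.ru", "maizuko.ru"}
ARTIFACTS = {"ntusers.ini", "offspring.gif"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()

def parent_domain(host: str) -> str:
    """Two rightmost labels; the report's C2 uses random subdomains."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage_event(event: dict) -> list[str]:
    """Return the Pterodo-style behaviours a single event matches."""
    hits = []
    if event["type"] == "process":
        image, cmd = basename(event["image"]), event["cmdline"].lower()
        parent = basename(event.get("parent", ""))
        dropped = ".vbs" in cmd or any(a in cmd for a in ARTIFACTS)
        # Variants B-E register the dropped VBScripts as Scheduled Tasks.
        if image == "schtasks.exe" and "/create" in cmd and dropped:
            hits.append("scheduled task registering a dropped script")
        if image in SCRIPT_HOSTS and dropped:
            hits.append("script host executing Pterodo artifact")
        # Variants C and D run ipconfig /flushdns before the download stage.
        if image == "ipconfig.exe" and "/flushdns" in cmd and parent in SCRIPT_HOSTS:
            hits.append("ipconfig /flushdns spawned by script host")
    elif event["type"] == "dns" and parent_domain(event["query"]) in C2_DOMAINS:
        hits.append("DNS lookup under known Pterodo C2 domain")
    return hits

def triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (event index, matched behaviours) for every matching event."""
    return [(i, h) for i, e in enumerate(events) if (h := triage_event(e))]

# Constructed sample telemetry (not real events); field names are assumed.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe", "cmdline":
     r'schtasks /create /tn Update /tr "wscript C:\Users\bob\ntusers.ini" /sc minute /mo 10'},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe", "parent":
     r"C:\Windows\System32\wscript.exe", "cmdline": r"wscript C:\Users\bob\offspring.gif"},
    {"type": "process", "image": r"C:\Windows\System32\ipconfig.exe", "parent":
     r"C:\Windows\System32\wscript.exe", "cmdline": "ipconfig /flushdns"},
    {"type": "dns", "query": "a7k2.corolain.ru"},
    {"type": "dns", "query": "declined.delivered.maizuko.ru"},
    {"type": "process", "image": r"C:\Windows\System32\ipconfig.exe", "parent":
     r"C:\Windows\System32\cmd.exe", "cmdline": "ipconfig /all"},
    {"type": "dns", "query": "update.microsoft.com"},
]
```

Running `triage(SAMPLE_EVENTS)` flags the first five events and leaves the benign ipconfig and DNS events untouched; in practice the DNS rule should be fed a current indicator list rather than the two domains hard-coded here.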

Who is Armageddon?

Armageddon, also known as Gamaredon, Shuckworm, or Primitive Bear, is currently one of the most active APT groups targeting Ukrainian assets. The group's activity has traditionally involved espionage aligned with Russian interests. In November 2021, the Security Service of Ukraine (SSU) publicly linked five Russian Federal Security Service (FSB) officers based in Crimea to the group. A report by the SSU stated Armageddon has been active since at least 2014 and has engaged in multiple cyber-espionage campaigns from 2017-2021. The SSU report notes Armageddon does not typically use sophisticated TTPs and does not seem to emphasize OPSEC. Other tools and TTPs used by Armageddon include spearphishing, PowerShell, UltraVNC, FileStealer, and EvilGnome.


IOCs

PolySwarm has multiple samples associated with Pterodo.


You can use the following CLI command to search for all Pterodo samples in our portal:

$ polyswarm link list -f Pterodo

