Background
This is a continuation of our coverage of cyberattacks targeting Ukrainian entities. Earlier this year, we published a blog post describing Armageddon activity targeting Ukraine and details on their infrastructure, as reported by Palo Alto’s Unit 42. Symantec recently reported on yet another wave of Armageddon attacks, leveraging new Pterodo variants to target Ukrainian assets.
What is Pterodo?
Pterodo, also known as Pteranodon, is a backdoor RAT. Armageddon is currently using at least four distinct variants of Pterodo. The four variants analyzed all used Visual Basic Script (VBS) droppers, dropped a VBScripts file, used Scheduled Tasks to ensure persistence, and downloaded code from a C2. Additionally, all four used similar obfuscation methods. Although the variants operate similarly to one another, each communicates with a different C2. Symantec assessed the threat actors likely use multiple variants to help maintain persistence by providing a fallback C2. The variants are referred to as Backdoor.Pterodo.B, Backdoor.Pterodo.C, Backdoor.Pterodo.D, and Backdoor.Pterodo.E.
Backdoor.Pterodo.B is a modified self extracting archive unpacked using 7-Zip. It contains obfuscated VBScripts, which it adds as scheduled tasks to maintain persistence. The script also copies itself to the [USERPROFILE]\ntusers.ini file. It creates two new obfuscated VBScripts. One of the VBSCripts gathers system information and sends it to the C2, while the other copies a previously dropped ntusers.ini file to another desktop.ini file.
Backdoor.Pterodo.C also drops VBScripts on the victim machine but uses API hammering, making multiple meaningless API calls, in an attempt to evade sandbox detection. The malware unpacks a script and the file offspring.gif to C:\Users\[username]\. The variant then calls the script, which in turn runs ipconfig /flushdns and executes the offspring.gif file. Offsprint.gif downloads and executes a PowerShell script from a random subdomain of corolain[.]ru.
Backdoor.Pterodo.D is yet another VBScript dropper. It creates and executes two files. One script runs ipconfig /flushdns then calls the second script and removes the original executable. The second script , which has two layers of obfuscation, downloads and executes the final payload from declined.delivered.maizuko[.]ru.
Backdoor.Pterodo.E operates similarly to variants B and C and uses script obfuscation similar to the other variants. This variant engages in API hammering then extracts two VBScript files to the victim’s home directory.
Who is Armageddon?
Armageddon, also known as Gameredon, Shuckworm, or Primitive Bear, is currently one of the most active APT groups targeting Ukrainian assets. The group’s activity has traditionally involved espionage activity aligned with Russian interests. In November 2021, the Security Service of Ukraine (SSU) publicly linked five Russian Federal Security Service (FSB) officers based in Crimea to the group. A report by the SSU stated Armageddon has been active since at least 2014 and has engaged in multiple cyber-espionage campaigns from 2017-2021. The SSU report notes Armageddon does not typically use sophisticated TTPs and does not seem to emphasize OPSEC. Some of the other tools and TTPs used by Armageddon include spearphishing, PowerShell, UltraVNC, FileStealer, and EvilGnome.
IOCs
PolySwarm has multiple samples associated with Pterodo.
119f9f69e6fa1f02c1940d1d222ecf67d739c7d240b5ac8d7ec862998fee064d
Background
ESET recently reported on Industroyer2, a multi-component ICS malware used to target a Ukrainian energy company.
PolySwarm Threat Bulletin
THIS THREAT BULLETIN IS PROVIDED FOR SITUATIONAL AWARENESS
Background
This report is part of our ongoing coverage of the Russia-Ukraine conflict and cyber implications.
PolySwarm recently released the following publications and blog posts discussing Russia-Ukraine tensions and the potential for both kinetic and cyber conflict:
PolySwarm Threat Bulletin
THIS THREAT BULLETIN IS PROVIDED FOR SITUATIONAL AWARENESS
Background
PolySwarm recently released several publications and blog posts discussing Russia-Ukraine tensions and the potential for both kinetic and cyber conflict:
THIS THREAT BULLETIN IS PROVIDED FOR SITUATIONAL AWARENESS
Background
PolySwarm recently published a Special Report, Threat Bulletin, and blog posts discussing Russia-Ukraine tensions and the potential for both kinetic and cyber conflict. In Russia-Ukraine Conflict and Cyberwar Implications, we discussed political tensions between Russia and Ukraine, past cyber altercations between the two nations, and potential cyber and kinetic implications if the current conflict escalates. In Armageddon Activity Targeting Ukraine, we provided commentary and IOCs for ongoing cyber activity targeting Ukraine, which industry analysts attributed to the Russian state-sponsored threat actor group Armageddon.
Background
Last week we released a report and blog post on the Russia-Ukraine conflict, past cyber altercations between the two nations, and potential cyber implications if the current conflict escalates. In our report, we mentioned historical activity perpetrated by the threat actor group Armageddon. Palo Alto’s Unit 42 recently reported ongoing activity targeting Ukraine, which they attributed to Armageddon, also known in the industry as Gameredon or Primitive Bear. While Unit 42 did not elaborate on the magnitude or implications of these attacks, they did provide a breakdown of Armageddon’s infrastructure.
Overview
- Ongoing political tensions between Russia and Ukraine are at a breaking point, with the US and other NATO nations preparing to assist Ukraine if a military conflict arises.
- Russia and Ukraine have a long history of state-sponsored cyber conflicts, including both espionage and disruptive attacks.
- Recent cyber activity targeting Ukraine includes multiple government website defacements and WhisperGate, a wiper malware disguised as ransomware. IOCs for PolySwarm’s samples of WhisperGate are provided.
- Hacktivists recently attacked Belarus Railway to protest Russian troop transport and demand the release of “political prisoners.” This incident marked the first time hacktivists have leveraged ransomware in pursuit of political objectives.
- The cyber struggle between Russia and Ukraine has the potential to spill over and have a real-world kinetic impact. Our analysts provide a list of implications.