Hackers allegedly supported by the Russian government, again attacked several institutions in Ukraine and carried out information theft by placing malware as an espionage operation.
Symantec is a security firm that released several names of malware used by these hackers. The malware includes Shuckworm, which other security vendors call Actinium, Armageddon, Gamaredon, PrimitiveBear and Trident Ursa.
According to Symantec, these hackers have been active since 2013 and are indeed a syndicate for theft of public and private information in Ukraine. The intensity of this theft increased with the Russian military invasion of Ukraine in early 2022 yesterday.
The findings follow an alert from CERT-UA, which cautioned of "systematic, massive and geographically dispersed" phishing attacks involving the use of a .NET downloader called RelicRace to execute payloads such as Formbook and Snake Keylogger.
The latest set of attacks are said to have commenced on July 15, 2022, and ongoing as recently as August 8, with the infection chains leveraging phishing emails disguised as newsletters and combat orders, ultimately leading to the deployment of a PowerShell stealer malware dubbed GammaLoad .PS1_v2.
Also delivered to the compromised machines are two backdoors named Giddome and Pterodo, both of which are trademark Shuckworm tools that have been continually redeveloped by the attackers in a bid to stay ahead of detection.
Post a Comment