The Russia-aligned cyber-espionage group Gamaredon (also tracked as Shuckworm) has been linked to an attack on a Western military mission based in Ukraine. The goal of the operation was to deploy an updated variant of the group's known GammaSteel malware and exfiltrate sensitive information. The first signs of malicious activity were detected on February 26, 2025.

Infection Vector: Infected Removable Drives

Symantec's Threat Hunter team found that the attackers used an infected removable drive as the initial means of entry into the target network. The first artifact of the intrusion was a Windows Registry value created under the UserAssist key (which records programs launched through the Explorer shell), followed by "explorer.exe" launching "mshta.exe", the pattern seen when a user opens a malicious shortcut from a drive window. That launch started a multi-stage infection chain that dropped two key files:

  1. NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms: This file handled command-and-control (C2) communication by accessing URLs hosted on legitimate services such as Teletype, Telegram, and Telegraph, so the traffic blends in with ordinary use of those platforms.
  2. NTUSER.DAT.TMContainer00000000000000000002.regtrans-ms: This file spreads the infection to removable and network drives. For each folder on a drive it creates a shortcut (.lnk) file that runs the malicious "mshta.exe" command, while hiding its own presence.
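The two checks below are an added example written for this page; they are not code from Symantec's report or from the GammaSteel samples. The first flags the explorer.exe to mshta.exe parent/child relationship over constructed Sysmon-style process-creation events (the field names are an assumed schema). The second walks a mounted removable drive and flags shortcut files that reference mshta.exe or that are named after a sibling folder, the decoy layout produced when a worm creates one shortcut per folder. The shortcut bytes in the sample drive are synthetic and only carry the UTF-16LE string the check looks for; the string scan is a triage heuristic, not a full shell-link parser.

```python
"""Triage checks for the removable-drive infection chain (added example)."""
import tempfile
from pathlib import Path

# Constructed sample events shaped like Sysmon Event ID 1 fields (assumed schema).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},
    # The suspicious pair: the shell launches mshta.exe after a shortcut is opened.
    # The shortcut's real arguments are not given on the page, so none are shown here.
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe"},
    # mshta launched by an installer is a different, usually benign, story.
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Vendor\updater.exe",
     "CommandLine": "mshta.exe help.hta"},
]


def _basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_mshta_from_explorer(events):
    """Return events where mshta.exe was spawned directly by explorer.exe.

    Keying on the parent rather than on mshta alone keeps the rule focused on
    the user-opened-a-shortcut path described in the report.
    """
    return [e for e in events
            if _basename(e.get("Image", "")) == "mshta.exe"
            and _basename(e.get("ParentImage", "")) == "explorer.exe"]


def _mentions_mshta(data: bytes) -> bool:
    """Shortcut StringData is UTF-16LE when the IsUnicode flag is set and ANSI
    otherwise, so check both encodings instead of parsing the whole structure."""
    lowered = data.lower()  # bytes.lower() only touches ASCII letters, so \x00 survives
    return b"mshta" in lowered or "mshta".encode("utf-16-le") in lowered


def scan_drive_for_decoy_shortcuts(root):
    """Walk a mounted drive and return [(relative_path, [reasons]), ...] for
    shortcut files that reference mshta or that mirror a sibling folder's name."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() != ".lnk":
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue
        reasons = []
        if _mentions_mshta(data):
            reasons.append("references mshta.exe")
        if (path.parent / path.stem).is_dir():
            reasons.append(f"named after sibling folder '{path.stem}'")
        if reasons:
            findings.append((str(path.relative_to(root)), reasons))
    return sorted(findings)


def build_sample_drive():
    """Create a constructed drive layout in a temp dir: two real folders, a
    decoy shortcut beside each carrying a UTF-16LE 'mshta.exe' string, and one
    benign shortcut. The shortcut bodies are synthetic, not valid LNK files."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    header = b"L" + b"\x00" * 75  # 76-byte header-sized prefix (HeaderSize 0x4C)
    for name in ("Documents", "Photos"):
        (root / name).mkdir()
        (root / name / "readme.txt").write_text("benign content")
        (root / f"{name}.lnk").write_bytes(header + "mshta.exe".encode("utf-16-le"))
    (root / "Installer.lnk").write_bytes(header + r"C:\Setup\setup.exe".encode("utf-16-le"))
    return root


if __name__ == "__main__":
    for event in detect_mshta_from_explorer(SAMPLE_EVENTS):
        print("suspicious process chain:", event["ParentImage"], "->", event["Image"])
    for rel, why in scan_drive_for_decoy_shortcuts(build_sample_drive()):
        print("suspicious shortcut:", rel, ";", "; ".join(why))
```

Run it against a real drive by passing the mount point to scan_drive_for_decoy_shortcuts; a hit on both reasons for the same file is the strongest signal, since a legitimate shortcut rarely shares a folder's name and invokes mshta at the same time.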

Evolution of GammaSteel Malware

Following the initial compromise, the attackers ran scripts to contact C2 servers, exfiltrate system metadata, and retrieve additional payloads. This process culminated in the deployment of an enhanced version of the GammaSteel malware. The updated GammaSteel is an information stealer capable of:

  • Capturing screenshots.
  • Executing system reconnaissance commands.
  • Identifying active security software.
  • Enumerating files and directories, particularly in the Desktop and Documents folders.
  • Exfiltrating files based on specific extensions.

Tactical Shifts and Obfuscation Techniques

This campaign signifies a tactical shift for Gamaredon, showing increased sophistication through:

  • Frequent code modifications.
  • Enhanced obfuscation methods.
  • Use of legitimate web services for C2 to reduce the risk of detection.

While Gamaredon may not match the technical capabilities of other Russian threat actors, its relentless focus on Ukrainian targets and continuous adaptation of its techniques make it a persistent threat in the cyber-espionage landscape.

Preventative Measures and Recommendations

To mitigate the risks posed by attacks of this kind, organizations, especially those operating in sensitive regions, should:

  • Implement Robust Removable Media Policies: Restrict the use of external drives and enforce strict scanning of any external media before it is connected to the network.
  • Enhance Endpoint Detection and Response (EDR): Deploy EDR capable of identifying and responding to the anomalous behaviors that mark a multi-stage infection chain, such as mshta.exe being launched from a removable drive.
  • Regular Security Training: Educate employees on cybersecurity hygiene, particularly the risks of removable media and of phishing.
  • Network Segmentation: Isolate critical systems from general networks to limit lateral movement in case of a breach.
  • Continuous Monitoring and Threat Intelligence: Stay current with threat intelligence to defend proactively against the evolving tactics of groups like Gamaredon.

By adopting these measures, organizations can bolster their defenses against the persistent and evolving threats posed by cyber-espionage groups.
