A sophisticated Russian advanced persistent threat has launched a targeted PowerShell attack campaign against the Ukrainian military.
The attack is most likely the work of threat actors linked to Shuckworm, a group with a history of campaigns against Ukraine motivated by geopolitical, espionage, and disruption interests.
The malicious campaign, tracked by Securonix under the name STEADY#URSA, employs a newly discovered SUBTLE-PAWS PowerShell-based backdoor to infiltrate and compromise targeted systems.
This type of backdoor allows threat actors to gain unauthorized access, execute commands, and maintain persistence within compromised systems.
The attack methodology involves the distribution of a malicious payload through compressed files delivered via phishing emails.
Distribution and lateral movement of the malware are carried out through USB drives, which removes the need to reach targets over the network at all.
The report noted that reaching targets over the network would be difficult given Ukraine's use of air-gapped communications such as Starlink, which is what makes removable media the practical propagation path.
The campaign exhibits similarities with the Shuckworm malware, and it incorporates distinct tactics, techniques, and procedures observed in previous cyber campaigns against the Ukrainian military.
It also adds further layers of obfuscation and evasion.
The malware uses stealth measures such as Base64 and XOR encoding of its payload, randomization techniques, and environment-sensitivity checks to make it harder to detect and analyze.
The target executes a malicious shortcut (.lnk) file, which loads and runs the new PowerShell backdoor payload.
The SUBTLE-PAWS backdoor itself is embedded within another file contained in the same compressed archive.
Kolesnikov says possible proactive measures can include implementing user education programs to recognize potential exploitation via email, increasing awareness around the use of malicious .lnk payloads on external drives to spread in air-gapped and more compartmentalized environments, and enforcing strict policies around user file decompression to mitigate risks.
To enhance log detection coverage, Securonix advised deploying additional process-level logging, such as Sysmon and PowerShell logging.
The ongoing ground war in Ukraine has been waged in the digital realm as well, with Kyivstar, Ukraine's biggest mobile telecom operator, suffering a cyberattack in December that wiped out cell service for more than half of Ukraine's population.
In June 2023, Microsoft released details of Russian APT Cadet Blizzard, thought to be responsible for wiper malware deployed during the weeks leading up to Russia's invasion of Ukraine.
Russian hacktivist groups - including the Joker DPR threat group, thought to be tied to the state - have also claimed to have breached the Ukrainian military's battlefield management system DELTA, revealing real-time troop movements.
Beyond the conflict in Eastern Europe, threat groups in Iran, Syria, and Lebanon demonstrate the threat of cyberattacks in conflicts across the Middle East.
The growing sophistication of these threats indicates state-backed malicious actors are modernizing their malware techniques, and multiple threat groups are banding together to launch more complex attacks.
This Cyber News was published on www.darkreading.com. Publication date: Thu, 01 Feb 2024 20:57:39 +0000