A sophisticated Russian Advanced Persistent Threat (APT) has launched a targeted PowerShell attack campaign against the Ukrainian military.
The attack is most likely the work of threat actors linked to Shuckworm, a group with a history of campaigns against Ukraine motivated by geopolitical, espionage and disruption interests.
The malicious campaign, tracked by Securonix under the name STEADY#URSA, uses a recently discovered SUBTLE-PAWS PowerShell-based backdoor to infiltrate and compromise targeted systems.
This type of backdoor allows threat actors to gain unauthorized access, execute commands, and maintain persistence within compromised systems.
The initial payload is delivered as a compressed archive attached to phishing emails.
Subsequent malware distribution and lateral movement occur via USB drives, removing the need for direct network access.
The report notes that network-based propagation would be made difficult by Ukraine's reliance on communications infrastructure such as Starlink, which the USB-based approach sidesteps.
The campaign bears similarities to Shuckworm malware and incorporates distinct tactics, techniques and procedures (TTPs) observed in previous cyber campaigns against the Ukrainian army.
Oleg Kolesnikov, vice president of threat research and data science/AI for Securonix, explains that SUBTLE-PAWS differentiates itself by its "fairly exclusive" reliance on off-disk/PowerShell stagers for execution, avoiding traditional binary payloads. It also employs additional layers of obfuscation and evasion techniques.
“These include encryption, command splitting, and registry-based persistence to evade detection, among others,” he says.
It establishes command and control (C2) by communicating with a remote server via Telegram, using adaptive methods such as DNS queries and HTTP requests with dynamically stored IP addresses.
The malware also employs stealth measures such as Base64 and XOR encoding, randomization techniques, and environmental sensitivity to enhance its elusive nature.
Execution begins when the target opens a malicious shortcut (.lnk) file, which loads and runs the PowerShell backdoor payload.
The SUBTLE-PAWS backdoor itself is embedded within another file contained in the same compressed archive.
Kolesnikov says possible proactive measures include implementing user education programmes to recognise potential email exploitation, raising awareness of the use of malicious .lnk payloads on external drives to spread in air-gapped environments, greater compartmentalisation, and enforcing strict policies on the decompression of user files to mitigate risks.
“To strengthen USB drive security, organizations should implement device control policies to limit unauthorized USB use and regularly scan removable media for malware using advanced endpoint security solutions,” he says.
To improve log detection coverage, Securonix recommended implementing additional process-level logging, such as Sysmon and PowerShell logging.
“Organizations should also enforce strict application whitelisting policies [and] implement advanced email filtering, adequate system monitoring, and endpoint detection and response solutions to monitor and block suspicious activity,” says Kolesnikov.
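The techniques described above (Base64 and XOR decoding, command splitting, registry-based persistence, and C2 over Telegram, DNS and HTTP) all leave traces in the PowerShell script block logs (Event ID 4104) and Sysmon registry events (Event ID 13) that Securonix recommends enabling. The following is an added example, not code from the Securonix report or the article, of heuristic triage logic run over constructed sample events. The indicator patterns, weights, threshold, and the sample scripts and registry values are assumptions chosen to illustrate the named techniques; they are not published SUBTLE-PAWS indicators of compromise.

```python
import re
from dataclasses import dataclass

# Heuristic patterns for the techniques the article names. These are assumed,
# generic indicators for illustration, not SUBTLE-PAWS IOCs.
INDICATORS = {
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "xor_decode": re.compile(r"-bxor\b", re.I),
    # three or more 1-3 character string literals joined with '+', e.g. 'I'+'E'+'X'
    "command_splitting": re.compile(r"(?:['\"][^'\"]{1,3}['\"]\s*\+\s*){2,}['\"][^'\"]{1,3}['\"]"),
    "registry_run_persistence": re.compile(r"CurrentVersion\\Run\b", re.I),
    "telegram_c2": re.compile(r"api\.telegram\.org", re.I),
    "dns_lookup": re.compile(r"\[System\.Net\.Dns\]|Resolve-DnsName", re.I),
    "http_download": re.compile(r"Invoke-WebRequest|DownloadString|Net\.WebClient", re.I),
}
# A Run key that launches PowerShell is weighted higher than a Run key alone.
WEIGHTS = {"run_key_launches_powershell": 2}
# Single indicators are common in legitimate admin scripts; alert on combinations.
ALERT_THRESHOLD = 3

@dataclass
class Finding:
    event_id: int
    score: int
    matched: list

def score(matched):
    return sum(WEIGHTS.get(name, 1) for name in matched)

def analyse_script_block(event):
    """Score a PowerShell script block log entry (Event ID 4104)."""
    matched = [name for name, rx in INDICATORS.items() if rx.search(event["script"])]
    return Finding(event["event_id"], score(matched), matched)

def analyse_registry_event(event):
    """Score a Sysmon registry value-set entry (Event ID 13)."""
    matched = []
    if INDICATORS["registry_run_persistence"].search(event["target"]):
        matched.append("registry_run_persistence")
        if re.search(r"powershell|pwsh|-enc\b|-w(indowstyle)?\s+hidden", event["details"], re.I):
            matched.append("run_key_launches_powershell")
    return Finding(event["event_id"], score(matched), matched)

def triage(events):
    """Return findings that reach the alert threshold, in event order."""
    findings = []
    for event in events:
        if event["event_id"] == 4104:
            findings.append(analyse_script_block(event))
        elif event["event_id"] == 13:
            findings.append(analyse_registry_event(event))
    return [f for f in findings if f.score >= ALERT_THRESHOLD]

# Constructed sample events (assumed, not captured telemetry).
SAMPLE_EVENTS = [
    # Stager-style script: XOR-decodes a Base64 blob, resolves a host, polls Telegram,
    # writes a Run key and invokes IEX via a split string.
    {"event_id": 4104, "script": (
        r"$k=0x2a;$b=[Convert]::FromBase64String($env:PAYLOAD);"
        r"$s=-join($b|%{[char]($_ -bxor $k)});"
        r"$ip=[System.Net.Dns]::GetHostAddresses('cdn.example.test')[0];"
        r"$r=Invoke-WebRequest -Uri ('https://api.telegram.org/bot'+$t+'/getUpdates');"
        r"Set-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'Updater' -Value $cmd;"
        r"&('I'+'E'+'X') $s")},
    # Benign admin script: decodes a token and downloads an installer.
    {"event_id": 4104, "script": (
        r"$tok=[Convert]::FromBase64String($env:AGENT_TOKEN);"
        r"Invoke-WebRequest -Uri 'https://updates.corp.example/agent.msi' -OutFile 'C:\Temp\agent.msi'")},
    # Run key whose value launches hidden, encoded PowerShell.
    {"event_id": 13,
     "target": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"powershell.exe -w hidden -enc SQBFAFgA"},
    # Run key set by a legitimate application.
    {"event_id": 13,
     "target": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run as-is, the stager script and the PowerShell-launching Run key are reported while the two benign events fall below the threshold. In production the same logic would consume events from the Windows event log rather than the constructed list, and the regexes would be tuned against the environment's own administrative scripts to keep the threshold meaningful.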
Cyber threats, state actors
Ukraine's ongoing ground war has also been fought in the digital realm, with Kyivstar, Ukraine's largest mobile telecommunications operator, suffering a cyber attack in December that wiped out cell service for more than half of Ukraine's population.
In June 2023, Microsoft released details of the Russian APT Cadet Blizzard, believed to be responsible for the wiper malware spread in the weeks preceding Russia's invasion of Ukraine.
Russian hacktivist groups, including the Joker DPR threat group, believed to be linked to the state, have claimed to have breached the Ukrainian army's battlefield management system DELTA, revealing troop movements in real time.
Beyond the conflict in Eastern Europe, threat groups in Iran, Syria and Lebanon have demonstrated the threat of cyber attacks in conflicts across the Middle East. The growing sophistication of these threats indicates that state-backed malicious actors are modernising their malware techniques and that multiple threat groups are coming together to launch more complex attacks.