
Giddome Backdoor

The Giddome Backdoor is a staple of the malware arsenal of a cybercriminal group tracked under the names Shuckworm, Gamaredon and Armageddon. The backdoor is deployed against targets in Ukraine, which is consistent with the group's previous activity.

The attack operation achieved initial access to the victims' devices via phishing messages delivering a self-extracting 7-Zip archive file, which fetched an XML file from a subdomain associated with Shuckworm. Alternatively, the threat actors used VBS downloaders to fetch the malicious payloads. In addition to the Giddome Backdoor, the cybercriminals deployed variants of the Pterodo backdoor, as well as several variants of a PowerShell info-stealer. Details about these threats and the attack operation were released to the public in a report by malware researchers.

Once activated on the victim's device, Giddome can be instructed to take control of the microphone and make audio recordings. The resulting files are then uploaded to a remote location controlled by the attackers. The threat is also capable of taking arbitrary screenshots and uploading them as well. To obtain sensitive information, Giddome can establish keylogging routines on the device, capturing the victim's keystrokes. In addition, the backdoor can be used to fetch .exe and .dll files and execute or load them on the breached device, giving the attackers the ability to deliver additional payloads.
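As an added illustration (not code from this page or from the researchers who reported Giddome), the following Python sketch correlates constructed process and network events to flag the delivery chain described above (self-extracting archive spawning a script host that fetches an XML or VBS stage) and the later .exe/.dll fetches. The event fields, the SFX description string and all sample values are assumptions, not real telemetry.

```python
"""Toy correlation for the Giddome delivery chain; events are constructed."""
from dataclasses import dataclass
from typing import List, Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}  # VBS / PowerShell hosts
STAGE_SUFFIXES = (".xml", ".vbs")    # downloader stages named in the report
PAYLOAD_SUFFIXES = (".exe", ".dll")  # what the backdoor fetches afterwards


@dataclass
class Event:
    kind: str                        # "process" (creation) or "network" (outbound request)
    pid: int
    image: str                       # lower-case executable name
    parent_pid: Optional[int] = None
    description: str = ""            # PE FileDescription of the image (assumed field)
    url: str = ""                    # only for network events


def is_sfx(ev: Event) -> bool:
    """Assumption: archive SFX stubs identify themselves in FileDescription."""
    return ev.kind == "process" and "sfx" in ev.description.lower()


def find_chain(events: List[Event]) -> List[str]:
    """Return human-readable alerts for the suspicious steps found in events."""
    by_pid = {e.pid: e for e in events if e.kind == "process"}
    alerts: List[str] = []
    for ev in events:
        if ev.kind == "process" and ev.image in SCRIPT_HOSTS:
            parent = by_pid.get(ev.parent_pid)
            if parent and is_sfx(parent):
                alerts.append(f"sfx->script: {parent.image} spawned {ev.image} (pid {ev.pid})")
        elif ev.kind == "network" and ev.image in SCRIPT_HOSTS:
            path = ev.url.split("?", 1)[0].lower()   # ignore query string
            if path.endswith(STAGE_SUFFIXES):
                alerts.append(f"script-host stage fetch: {ev.image} -> {ev.url}")
            elif path.endswith(PAYLOAD_SUFFIXES):
                alerts.append(f"script-host payload fetch: {ev.image} -> {ev.url}")
    return alerts


SAMPLE_EVENTS = [  # constructed sample, not real indicators
    Event("process", 100, "invoice_2022.exe", 40, description="7z SFX"),
    Event("process", 101, "wscript.exe", 100),
    Event("network", 101, "wscript.exe", url="http://stage.example.test/a/b.xml?id=7"),
    Event("process", 102, "explorer.exe", 1),
    Event("network", 102, "explorer.exe", url="http://cdn.example.test/update.xml"),
    Event("network", 101, "wscript.exe", url="http://stage.example.test/p/load.dll"),
]

if __name__ == "__main__":
    for line in find_chain(SAMPLE_EVENTS):
        print(line)
```

The benign explorer.exe request for an .xml file is deliberately not flagged, since only script-host fetches are correlated.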

The Shuckworm cybercriminal group is believed to be tightly connected to Russia, if not a part of the country's Federal Security Force (FSB). Activities attributed to Shuckworm have been traced back as far as 2014, with the attack operations consistently targeting key public and private Ukrainian entities. Since the Russian invasion of Ukraine, the hackers have become even more active in launching phishing attacks and deploying new malware strains and variants.
