More malware strains utilized in attacks against Ukrainian targets are being uncovered by cybersecurity analysts. In a report, experts revealed details about an operation by the cybercriminal group Gamaredon (also tracked as Armageddon/Shuckworm) and their latest malware creation named Pteredo Backdoor.
Gamaredon is believed to be a Russian state-sponsored threat group that has shown continuous and prolonged interest in attacking Ukraine. Its operations against targets in the country can be traced back to at least 2014. Since then, the group is believed to have carried out over 5,000 attack operations targeting approximately 1,500 government, public, and private entities.
As for the Pteredo (Pteranodon) malware, analysis has revealed that it is likely a descendant of a backdoor that was offered on Russian hacker forums. The Gamaredon operatives acquired the threat and have further expanded its capabilities via specialized DLL modules. The four versions of Pteredo identified so far can collect data from the breached devices, establish remote access connections, and are equipped with analysis-evasion techniques.
It should be noted that the payloads deployed in the attacks against Ukrainian targets differ, but perform similar actions once activated. However, each payload communicates with a different Command-and-Control (C2, C&C) server address. The likely goal of the Gamaredon hackers in using slightly different payloads is to make cleaning the targeted devices with anti-malware tools that much harder.