Infected drives leveraged in new Gamaredon intrusion

BleepingComputer reports that trojanized removable drives have been used by the Russian state-sponsored threat group Gamaredon, also known as Shuckworm, to deliver a new variant of the GammaSteel information-stealing malware in an attack campaign against a Western country's military mission in Ukraine between February and March.
According to Symantec's analysis, the initial infection from the external drive, indicated by a new UserAssist key value in the targeted system's Windows registry, was followed by the creation and execution of two files: the first handled command-and-control, and the second spread the infection to other removable drives by planting LNK files. After a reconnaissance PowerShell script collected screenshots and other device information, Gamaredon deployed a PowerShell-based version of GammaSteel that exfiltrated numerous document types from various locations via PowerShell web requests, then added a new registry key for persistence. Symantec researchers regard these findings as evidence that Gamaredon is working to improve the stealth of its operations, despite its relative lack of sophistication compared with other Russian state-backed hacking groups.
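The artifacts named in the report (a fresh UserAssist entry, LNK files on removable media, PowerShell launched with arguments) are all things an analyst can check directly on a suspect host. The script below is an added triage example written for this page; it is not code from Symantec, BleepingComputer, or the Gamaredon toolset. The function names are hypothetical, and it assumes the standard UserAssist layout on Windows 7 and later (ROT13-encoded value names; a 72-byte binary value with the run count at offset 4 and the last-execution FILETIME at offset 60) and that removable drives report DriveType 2 in Win32_LogicalDisk.

```powershell
# Added triage example (not from the report): surface recently executed programs recorded
# in the current user's UserAssist keys, and inspect shortcut files on removable drives.
# Function names are hypothetical; registry layout and offsets are stated assumptions.

function ConvertFrom-Rot13 {
    # UserAssist value names are stored ROT13-encoded; undo that so paths are readable.
    param([Parameter(Mandatory)][string]$Text)
    $out = foreach ($ch in $Text.ToCharArray()) {
        $c = [int]$ch
        if ($c -ge 65 -and $c -le 90)      { [char](($c - 65 + 13) % 26 + 65) }
        elseif ($c -ge 97 -and $c -le 122) { [char](($c - 97 + 13) % 26 + 97) }
        else                               { $ch }
    }
    -join $out
}

function Get-RemovableDriveLetters {
    # DriveType 2 = removable disk in Win32_LogicalDisk; returns strings such as "E:".
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
        ForEach-Object { $_.DeviceID }
}

function Get-UserAssistEntries {
    # Walk every UserAssist GUID subkey for the current user and decode its Count values.
    # Assumed layout: 72-byte value, UInt32 run count at offset 4, FILETIME at offset 60.
    param([int]$WithinHours = 72)
    $base   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist'
    $cutoff = (Get-Date).AddHours(-$WithinHours)
    foreach ($guidKey in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        $count = $guidKey.OpenSubKey('Count')
        if ($null -eq $count) { continue }
        foreach ($name in $count.GetValueNames()) {
            $data = $count.GetValue($name)
            if (-not ($data -is [byte[]]) -or $data.Length -lt 68) { continue }
            $runs = [BitConverter]::ToUInt32($data, 4)
            $ft   = [BitConverter]::ToInt64($data, 60)
            $last = if ($ft -gt 0) { [DateTime]::FromFileTime($ft) } else { $null }
            if ($null -eq $last -or $last -lt $cutoff) { continue }   # only recent executions
            [pscustomobject]@{
                Subkey   = $guidKey.PSChildName
                Program  = ConvertFrom-Rot13 $name
                RunCount = $runs
                LastRun  = $last
            }
        }
        $count.Close()
    }
}

function Find-RemovableDriveShortcuts {
    # Enumerate .lnk files on removable drives and resolve their targets via WScript.Shell.
    # A shortcut whose target is a script interpreter invoked with arguments is flagged
    # for review; the analyst still confirms it by hand.
    $shell        = New-Object -ComObject WScript.Shell
    $interpreters = 'powershell', 'pwsh', 'cmd', 'mshta', 'wscript', 'cscript', 'rundll32'
    foreach ($drive in Get-RemovableDriveLetters) {
        Get-ChildItem -Path "$drive\" -Filter '*.lnk' -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk = $shell.CreateShortcut($_.FullName)
                $exe = [IO.Path]::GetFileNameWithoutExtension([string]$lnk.TargetPath).ToLowerInvariant()
                [pscustomobject]@{
                    Shortcut   = $_.FullName
                    Hidden     = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                    Target     = $lnk.TargetPath
                    Arguments  = $lnk.Arguments
                    Suspicious = ($interpreters -contains $exe) -and ([string]$lnk.Arguments -ne '')
                }
            }
    }
}

# Usage: list recent UserAssist executions that originate from a removable drive,
# then list shortcuts on those drives that launch an interpreter with arguments.
$removable = @(Get-RemovableDriveLetters)
Get-UserAssistEntries -WithinHours 72 |
    Where-Object { $p = $_.Program; ($removable | Where-Object { $p -like "$_*" }) } |
    Format-Table -AutoSize
Find-RemovableDriveShortcuts | Where-Object Suspicious | Format-List
```

The script reads only the current user's hive, so run it in the context of the account that used the drive, or point `$base` at a loaded copy of that user's NTUSER.DAT when working on an image. A match in either list is a lead, not a verdict: compare the LastRun timestamps against the time the drive was first mounted, and pair the shortcut targets with PowerShell script-block logging (Event ID 4104) to see what the flagged command actually did.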