At a glance.
- Shuckworm continues targeting Ukrainian entities.
- North Korean APT targets South Korean journalists.
- Conti's name-and-shame operation.
Shuckworm continues targeting Ukrainian entities.
Researchers at Symantec warn that the Russian cyberespionage group Shuckworm (also known as Gamaredon) is continuing "an intense cyber campaign against organizations in Ukraine":
"One of the hallmarks of the group’s recent activity is the deployment of multiple malware payloads on targeted computers. These payloads are usually different variants of the same malware (Backdoor.Pterodo), designed to perform similar tasks. Each will communicate with a different command-and-control (C&C) server.
"The most likely reason for using multiple variants is that it may provide a rudimentary way of maintaining persistence on an infected computer. If one payload or C&C server is detected and blocked, the attackers can fall back on one of the others and roll out more new variants to compensate.
"Symantec’s Threat Hunter Team, part of Broadcom Software, has found four distinct variants of Pterodo being used in recent attacks. All of them are Visual Basic Script (VBS) droppers with similar functionality. They will drop a VBScript file, use Scheduled Tasks (schtasks.exe) to maintain persistence, and download additional code from a C&C server. All of the embedded VBScripts were very similar to one another and used similar obfuscation techniques."
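The persistence pattern Symantec describes (a script host dropping a VBScript and registering it with schtasks.exe) is a generic one that can be hunted for without any Pterodo-specific indicators. The following is an added example written for this digest, not Symantec's code and not derived from the Pterodo samples: it scores constructed, Sysmon-style process-creation records (image, command line, parent image) for schtasks.exe /create invocations whose parent is a script host or whose task action launches a script, especially from a user-writable path. The event records, paths and task names below are made up for the demonstration.

```python
"""Hunt for scheduled-task persistence registered from a script host.

Added example for this digest; not Symantec's code, and it carries no
Pterodo indicators. SAMPLE_EVENTS are constructed, Sysmon-like process
creation records (EventID 1 fields) written by hand for the demo.
"""
import re
from dataclasses import dataclass

# Script interpreters that a VBS/JS dropper would run under or invoke.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|hta|wsf)\b", re.IGNORECASE)
# Directories an unprivileged user can write to (assumed list for the demo).
USER_WRITABLE = re.compile(
    r"(\\users\\|\\appdata\\|\\programdata\\|\\temp\\|%temp%|%appdata%)",
    re.IGNORECASE,
)
CREATE_RE = re.compile(r"(^|\s)/create(\s|$)", re.IGNORECASE)
# /tr value is either a double-quoted string or a single bare token.
TR_RE = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    image: str
    command_line: str
    parent_image: str


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def task_action(command_line: str):
    """Return the /tr program of a 'schtasks /create' line, or None."""
    if not CREATE_RE.search(command_line):
        return None
    m = TR_RE.search(command_line)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def classify(ev: ProcEvent):
    """Return (severity, reasons) for a suspicious task creation, else None."""
    if _basename(ev.image) != "schtasks.exe":
        return None
    action = task_action(ev.command_line)
    if action is None:
        return None
    reasons = []
    parent = _basename(ev.parent_image)
    if parent in SCRIPT_HOSTS:
        reasons.append(f"schtasks spawned by script host {parent}")
    first = action.split()[0] if action.split() else ""
    if _basename(first) in SCRIPT_HOSTS or SCRIPT_EXT.search(action):
        reasons.append(f"task action runs a script: {action}")
    if USER_WRITABLE.search(action):
        reasons.append("task action points into a user-writable path")
    if not reasons:
        return None
    return ("high" if len(reasons) >= 2 else "medium"), reasons


def scan(events):
    """Return [(command_line, severity, reasons)] for every flagged event."""
    out = []
    for ev in events:
        hit = classify(ev)
        if hit:
            out.append((ev.command_line, hit[0], hit[1]))
    return out


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /SC MINUTE /MO 10 /TN "Update" /TR "wscript.exe //B C:\Users\Public\update.vbs" /F',
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /SC DAILY /TN "Backup" /TR "C:\Program Files\Backup\backup.exe"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Query /TN "Update"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /SC ONLOGON /TN "Sync" /TR "cscript.exe C:\Scripts\sync.vbs"',
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for cmd, sev, why in scan(SAMPLE_EVENTS):
        print(f"[{sev}] {cmd}")
        for r in why:
            print(f"    - {r}")
```

Only the first and fourth constructed events are flagged: the first scores high because a script host created a task that itself runs a VBScript out of a user-writable directory, the fourth medium because only the task action is script-based. Symantec's point about multiple variants each talking to a different C&C server is the reason to hunt on this behaviour rather than on any single payload hash or server: the persistence mechanism is what the variants share.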
North Korean APT targets South Korean journalists.
Stairwell has analyzed a spearphishing campaign by North Korea's APT37 targeting South Korean journalists with GOLDBACKDOOR malware. The campaign was first discovered by NK News, which was impersonated in the campaign. Stairwell's researchers found that the spearphishing emails were sent from a compromised personal email account of a former director of South Korea’s National Intelligence Service (NIS):
"One of these artifacts was a new malware sample we have named GOLDBACKDOOR, based on an embedded development artifact. Stairwell assesses with medium-high confidence that GOLDBACKDOOR is the successor of, or used in parallel with, the malware BLUELIGHT, attributed to APT37 / Ricochet Chollima. This assessment is based on technical overlaps between the two malware families and the impersonation of NK News, a South Korean news site focused on the DPRK."
Conti's name-and-shame operation.
Secureworks has analyzed the leak-site activity of GOLD ULRICK, the threat group it tracks as the operator of Conti ransomware:
"The Conti leak site listed an average of 43 victims per month in 2021. Despite a drop following the Colonial Pipeline attack and a peak of 95 victims listed in November, the rate of naming victims was fairly consistent. The decreased activity in December 2021 and January 2022 across all name-and-shame ransomware groups was likely due to a holiday break. The number of victims added to the Conti leak site increased in February 2022. On February 27, the @ContiLeaks Twitter persona began leaking GOLD ULRICK data and communications. Despite these public disclosures, the number of Conti victims posted in March surged to the second-highest monthly total since January 2021."