Yoroi-ZLab analyzed in depth the Gamaredon’s Pterodo backdoor, a malware was massively used in the last Russian APT campaign against Ukraine
Gamaredon is a Russian state-sponsored APT, active at least since 2014, that has launched a cyber war against Ukraine with different tools. In the recent months the group intensified attacks against military targets, exploiting the Pterodo (aka Pteranodon) backdoor, as cyber security expert Vitali Kremez discovered. Yoroi-ZLab team decided to deep dive into a technical analysis of this latest implant. The complex infection chain begins with a weaponized Office document named “f.doc”. The decoy document is written using the ukrainian language mixed to many special chars aimed to lure the target to click on it. It leverages the common exploit (template injection) and tries to download a second stage. Moreover, thanks to Remote Code Execution, user interaction is not required. in fact the “enable macro” button is not shown.
Despite the campaign was discovered, the group’s C2 domain is still active
According to the cyber security experts, Gamaredon Pterodon second stage document requires the enabling of the macro. The body can be divided into two distinct parts: the first one is the setting of the registry key and the declaration of some other variables; the second one is the setting of the persistence mechanism through the writing of the vbs code in the Startup folder with name “templates.vbs”. This vbs is properly the macro executed by the word engine. “Templates.vbs” defines a variable containing a URL. The implant tries to download another stage, a SFX archive. Finally the macros are executed. The Russian APT malware tries to save the C2 response and encoding it using Encode function. This accepts three parameters: input file, output file and arrKey. The web page relative to C2 shows a “Forbidden message”. This means that the domain is still active but refuses incoming requests.
The cyber security experts: Although the Gamaredon modus operandi has remained almost identical over the years, the introduction of a .Net component is a novelty
Yoroi-ZLab researchers underline Gamaredon cyberwarfare operations against Ukraine are still active. Their technical analysis reveals that the modus operandi of the APT has remained almost identical over the years. The massive use of weaponized Office documents, Office template injection, sfx archives, wmi and some VBA macro stages that dinamically changes, make the Pterodon attack chain very malleable and adaptive. However, the introduction of a .Net component is a novelty compared to previous malware samples. The objective is always the same: to collect sensitive information or maintaining access on compromised machines.