As usual in November, someone is trying to launch large-scale cyber attacks on Ukraine, this time with a new malware, the Pterodo Windows backdoor. It is associated with the Gamaredon group (aka Pteradon), state-sponsored hackers.
As usual in November, as in previous years, someone is trying to launch cyber attacks against Ukraine. The National Computer Emergency Response Team (CERT-UA) and the Foreign Intelligence Service (SBU) of the country detected a new malware, the Pterodo Windows backdoor, which was targeting computers at Ukrainian government agencies. Kiev officials therefore issued a warning of a pending large-scale cyber attack. Moreover, the malicious code is associated with the state-sponsored Gamaredon group (aka Pteradon), which has been active at least since 2013 and targets individuals likely involved in the Ukrainian government. This group's attacks are mainly based on off-the-shelf software; Pterodo is a custom backdoor used to insert further malware and collect information, essentially for cyber espionage operations. The latest version activates only on Windows systems whose language localization is Ukrainian, Belarusian, Russian, Armenian, Azerbaijani, Uzbek, Tatar, or another language associated with former Soviet states.
According to the Ukrainian CERT-UA bulletin, the malware is used for cyber espionage operations. It emerges just days after FireEye and CrowdStrike reported a resurgence in "spear-phishing" attacks by APT29 (Cozy Bear).
According to the Ukrainian CERT-UA bulletin, the new version of Pterodo generates a unique command-and-control URL based on the serial number of the hard drive of the infected system. Data about the infected system is uploaded to that URL, allowing the attackers to decide which tools to remotely install and run. The domains associated with the attack so far include updates-spreadwork.pw, dataoffice.zapto.org, and bitsadmin.ddns.net. Moreover, the discovery of the new update of the malware comes just days after FireEye and CrowdStrike reported a resurgence in "spear-phishing" attacks against a wide range of organizations worldwide, and it bears the signature of APT29 (aka Cozy Bear, Office Monkeys, CozyCar, The Dukes, and CozyDuke). This threat group, like the one behind Pterodo, is connected with the Russian FSB. The difference between the two groups lies only in the targeted countries: the first aims at Ukraine, the second at the US and worldwide.
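A defender-side check, added here as an example and not part of the original article or the CERT-UA bulletin: it scans DNS resolver log lines for the three C2 domains named above and, as a weaker signal, for any other hostname under the same dynamic-DNS zones (zapto.org, ddns.net). The log layout and the sample lines are constructed for the example, and treating the dynamic-DNS parent zones as a review-worthy signal is an assumption of the example, not something the bulletin states.

```python
import re
from collections import defaultdict

# C2 domains named in the CERT-UA bulletin quoted in the article.
PTERODO_C2 = {"updates-spreadwork.pw", "dataoffice.zapto.org", "bitsadmin.ddns.net"}
# Dynamic-DNS parent zones of two of those domains (assumption of this
# example): a hit here only means "review this host", not a confirmed match.
DYNDNS_PARENTS = {"zapto.org", "ddns.net"}

# Assumed log layout (constructed for this example):
#   "<timestamp> <client_ip> query <fqdn>"
LOG_RE = re.compile(r"^(\S+) (\S+) query (\S+)$")


def classify(fqdn):
    """Return 'ioc', 'dyndns' or None for one queried name."""
    name = fqdn.rstrip(".").lower()          # normalise trailing dot and case
    if name in PTERODO_C2:
        return "ioc"
    if any(name == p or name.endswith("." + p) for p in DYNDNS_PARENTS):
        return "dyndns"
    return None


def scan(lines):
    """Map client IP -> list of (verdict, fqdn, timestamp) for suspicious queries."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:                            # skip malformed or unrelated lines
            continue
        ts, client, fqdn = m.groups()
        verdict = classify(fqdn)
        if verdict:
            hits[client].append((verdict, fqdn.rstrip(".").lower(), ts))
    return dict(hits)


# Constructed sample resolver log, not real traffic.
SAMPLE_LOG = """\
2018-11-20T09:14:02Z 10.0.5.23 query updates-spreadwork.pw.
2018-11-20T09:14:05Z 10.0.5.23 query www.example.com
2018-11-20T09:15:10Z 10.0.7.41 query bitsadmin.ddns.net
2018-11-20T09:16:44Z 10.0.7.41 query myhome.ddns.net
2018-11-20T09:17:01Z 10.0.9.8 query dataoffice.zapto.org
malformed line that the parser should ignore
"""

if __name__ == "__main__":
    for client, events in scan(SAMPLE_LOG.splitlines()).items():
        for verdict, fqdn, ts in events:
            print(f"{client} {verdict:7} {fqdn} at {ts}")
```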