New Pterodo Backdoor Malware Detected By Ukraine

The Computer Emergency Response Team of Ukraine (CERT-UA) and the Foreign Intelligence Service of Ukraine detected a new malware Pterodo Windows backdoor that was targeting computers at Ukrainian government agencies. The officials in Kiev to issue a warning of a pending large-scale cyber-attack.

Pterodo, is associated with the Gamaredon threat group, and it is also known as Pteradon. This group’s attacks is mainly based on off-the-shelf software that are with the Ukrainian military and government targets. Pterodo is a custom backdoor used to insert malware and collect information. The latest version activates only on Windows systems with language localization for Ukrainian, Belarusian, Russian, Armenian, Azerbaijani, Uzbek, Tatar, and other languages associated with former Soviet states; this makes it more difficult to perform automated analysis of the malware with certain tools.

According to the CERT-UA bulletin, the new version of Pterodo generates a unique URL for command and control based on the serial number of the hard drive of the infected system. Data about the infected system is uploaded to that URL, allowing the attackers to analyze which tools to remotely install and run. The domains associated with the attack so far include updates-spreadwork.pw, dataoffice.zapto.org, and bitsadmin.ddns.net.

In the past, the Security Service of Ukraine (SBU) has tied the Gamaredon group to Russia’s Federal Security Service (FSB). Coincidentally, the discovery of the new update to Pterodo comes just days after FireEye and Crowdstrike reported a resurgence in “spear-phishing” attacks against a wide range of organizations worldwide, which Crowdstrike researchers said bear the signature of the threat group Cozy Bear—another FSB-connected threat group.

The latest Cozy Bear campaign used spear-phishing emails sent from an account posing as a US State Department official—in one instance viewed by Reuters’ Christopher Bing, the message had a “from” field of State Department public affairs specialist Susan Stevenson. The targets of the Cozy Bear attacks include US government agencies, think tanks, and businesses.

Malware from the Cozy Bear group was identified as part of an infiltration of the Democratic National Committee’s network in 2016, operating more stealthily than the “Fancy Bear” malware tied to Russia’s Main Intelligence Directorate (GRU). The Cozy Bear malware family, also referred to as “The Dukes,” also targeted non-governmental organizations in the wake of President Donald Trump’s election. It has also had a long history of targeting US and NATO-related agencies and organizations.