Security News > 2023 > June > Russian hackers use PowerShell USB malware to drop backdoors
Symantec's threat research team, part of Broadcom, reports today that the threat actors have recently begun using USB malware to propagate to additional systems inside infected networks.
Symantec's analysts report that Gamaredon's 2023 activity spiked between February and March 2023, while the hackers continued to maintain a presence on some compromised machines until May 2023.
Symantec sampled 25 variants of PowerShell scripts between January and April 2023, using varying levels of obfuscation and pointing to different Pterodo download IP addresses to resist static detection rules.
Once the victim launches those files, the PowerShell script enumerates all drives on the computer and copies itself to removable USB disks, increasing the likelihood of successful lateral movement within the breached network.
One one of the machines compromised by Gamaredon this year, Symantec's analysts found a "Foto.safe" file that is a base64-encoded PowerShell script.
"These USB drives are likely used by the attackers for lateral movement across victim networks and may be used to help the attackers reach air-gapped machines within targeted organizations," warned Symantec.
News URL
Related news
- Chinese hackers target Russian govt with upgraded RAT malware (source)
- Hackers Abuse Russian Bulletproof Host Proton66 for Global Attacks and Malware Delivery (source)
- Russian Hackers Using ClickFix Fake CAPTCHA to Deploy New LOSTKEYS Malware (source)
- Russian hackers attack Western military mission using malicious drive (source)
- Chinese Hackers Target Linux Systems Using SNOWLIGHT Malware and VShell Tool (source)
- Russians lure European diplomats into malware trap with wine-tasting invite (source)
- State-Sponsored Hackers Weaponize ClickFix Tactic in Targeted Malware Campaigns (source)
- Multi-Stage Malware Attack Uses .JSE and PowerShell to Deploy Agent Tesla and XLoader (source)
- Russian Hackers Exploit Microsoft OAuth to Target Ukraine Allies via Signal and WhatsApp (source)
- Iran-Linked Hackers Target Israel with MURKYTOUR Malware via Fake Job Campaign (source)