Giddome Backdoor Linked to Russian Threat Actor
Security researchers with Symantec recently published a report on new activity conducted by Russian threat actors and aimed at Ukrainian targets.
The threat actor is known by several aliases, including Gamaredon and Shuckworm.
Researchers identified several different executable files as variants of the Giddome backdoor, a tool associated with Shuckworm. All of the files had names beginning with the string "ntuser" and carried the extensions .VCD and .H264, the former a disk image format and the latter a video format.
Each of these disk-image-named and video-named executables spawned a child process executable with the same base name, differing only in its .exe extension.
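The naming pattern above is the kind of observable a detection engineer would turn into a rule. The following is an added example, not code from Symantec's report: it runs two checks over constructed process-creation events (an image named ntuser* with a .VCD/.H264 extension, and such an image spawning a same-named .exe). The field names `image`, `parent_image` and `pid`, and all paths, are assumptions.

```python
"""Flag process-creation events matching the Giddome naming pattern described above."""
from pathlib import PureWindowsPath

# Non-executable extensions the report says the Giddome samples carried (assumed lower-cased for matching).
MASQUERADE_EXTS = {".vcd", ".h264"}
NAME_PREFIX = "ntuser"


def suspicious_image(path):
    """True if the image name starts with 'ntuser' and carries a disk-image or video extension."""
    p = PureWindowsPath(path)
    return p.name.lower().startswith(NAME_PREFIX) and p.suffix.lower() in MASQUERADE_EXTS


def flag_events(events):
    """Return (reason, event) pairs for every event that matches either pattern.

    Rule 1: the process image itself is an ntuser*.VCD / ntuser*.H264 file.
    Rule 2: the parent is such a file and the child is the same base name with an .exe extension.
    """
    hits = []
    for ev in events:
        parent = PureWindowsPath(ev["parent_image"])
        child = PureWindowsPath(ev["image"])
        if suspicious_image(ev["image"]):
            hits.append(("ntuser_masquerade_ext", ev))
        if (suspicious_image(ev["parent_image"])
                and parent.stem.lower() == child.stem.lower()
                and child.suffix.lower() == ".exe"):
            hits.append(("masquerade_parent_spawns_same_name_exe", ev))
    return hits


# Constructed sample events; PIDs and paths are made up and not from the report.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Users\user\Downloads\ntuser.dat.VCD", "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 4188, "image": r"C:\Users\user\Downloads\ntuser.dat.exe", "parent_image": r"C:\Users\user\Downloads\ntuser.dat.VCD"},
    {"pid": 5002, "image": r"C:\Users\user\Videos\ntuser.H264", "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 5010, "image": r"C:\Users\user\Videos\ntuser.exe", "parent_image": r"C:\Users\user\Videos\ntuser.H264"},
    {"pid": 6000, "image": r"C:\Program Files\VLC\vlc.exe", "parent_image": r"C:\Windows\explorer.exe"},  # benign
    {"pid": 6010, "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe"},  # benign
]

if __name__ == "__main__":
    for reason, ev in flag_events(SAMPLE_EVENTS):
        print(f"{reason}: pid={ev['pid']} image={ev['image']}")
```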
Giddome has a rich set of malicious capabilities, including recording audio from a microphone on the victim system, taking screenshots and sending them to remote servers, logging keystrokes, and downloading and executing files from remote servers.
The recent attacks that employed the Giddome backdoor to target entities in Ukraine also used compromised instances of remote desktop management tools such as AnyDesk and Ammyy Admin.