Researchers recently discovered a new iteration of the Gamaredon APT campaign that deploys the Pterodo
backdoor. The campaign targets governments and state authorities in Ukraine, Belarus, Armenia,
Azerbaijan, Uzbekistan, Tatarstan and elsewhere. Pterodo collects data from infected systems and
provides the command-and-control capabilities typical of backdoor malware families. The main addition
in this iteration is the ability to propagate to other devices through flash drives and other removable
media that have been connected to a compromised system.
The backdoor is delivered through Word documents (.doc, .docx), image files (.jpg) and text files
(.txt), and according to the researchers it can infect macOS systems as well as Windows. Notably,
the malware is packaged as a self-extracting archive (SFX) containing batch scripts, an XOR decoder
tool and obfuscated code, which hampers analysis by popular automated sandboxes and analysis tools. It
also includes evasion and persistence capabilities to avoid detection. Implants of this kind usually
have a long dwell time: they aim to stay quietly on the system for on-going data exfiltration and as a
foothold for future attacks.
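The XOR-obfuscated content in such an SFX package is usually recoverable without the malware's own decoder once the key is known. The following is an added example, not code from the original post or from any Pterodo sample: it brute-forces a single-byte XOR key by looking for a plaintext crib (here the batch-script opener "@echo off", an assumption about the decoded content) and, failing that, falls back to a printable-text heuristic. The obfuscated blob is constructed inline for illustration; the helper names (xor_bytes, recover_key, decode_blob) are this example's own.

```python
"""Added example (not part of the original post or of any Gamaredon/Pterodo
sample): recover a payload obfuscated with a single repeating XOR key byte,
the way an analyst would when an SFX archive ships an XOR decoder beside an
opaque blob.

Assumptions: one key byte is used for the whole blob, and the decoded content
is a batch script, so "@echo off" is a usable crib. The sample blob below is
constructed here for illustration only.
"""
import string
from typing import Optional, Tuple

KEY_SPACE = range(1, 256)  # key 0x00 would leave the data unchanged
PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single key byte; XOR is its own inverse."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (incl. tab, CR, LF)."""
    return sum(b in PRINTABLE for b in data) / max(len(data), 1)


def recover_key(blob: bytes, crib: bytes = b"@echo off") -> Optional[int]:
    """Try every key byte; return the first one whose output contains the crib,
    otherwise the most printable candidate if it is convincingly text."""
    best_key, best_score = None, 0.0
    for k in KEY_SPACE:
        cand = xor_bytes(blob, k)
        if crib in cand:
            return k
        score = printable_ratio(cand)
        if score > best_score:
            best_key, best_score = k, score
    return best_key if best_score > 0.95 else None


def decode_blob(blob: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (key, plaintext) or None if no plausible key was found."""
    key = recover_key(blob)
    if key is None:
        return None
    return key, xor_bytes(blob, key)


# Constructed sample: a tiny batch script obfuscated with key 0x5A.
SAMPLE_SCRIPT = (
    b"@echo off\r\n"
    b"set dir=%APPDATA%\\tmp\r\n"
    b"start /b wscript.exe //B //nologo drop.vbs\r\n"
)
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = xor_bytes(SAMPLE_SCRIPT, SAMPLE_KEY)

if __name__ == "__main__":
    result = decode_blob(SAMPLE_BLOB)
    if result is None:
        print("no plausible single-byte key found")
    else:
        key, plain = result
        print(f"key=0x{key:02x}")
        print(plain.decode("ascii", "replace"))
```

Real samples often use multi-byte keys or layered encodings; if no single key gives readable output, the next step is to pull the key out of the bundled decoder tool itself rather than to keep guessing.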
How Umbrella blocks the Pterodo Backdoor
Umbrella blocks the domains tied to the malicious files and the IP addresses associated with the Pterodo
indicators of compromise (IOCs). It also uses antivirus engines and Cisco Advanced Malware Protection
(AMP) to block malicious files before they are downloaded; AMP detects the Pterodo backdoor as
Trojan.Win32.PTERODO.NP, and Umbrella blocks the threat proactively.