A joint effort of the Computer Emergency Response Team of Ukraine (CERT-UA) and the Foreign Intelligence Service of Ukraine revealed new modifications of Pterodo malware in computers used in Ukraine's state agencies, which indicates that preparations are likely underway for a massive cyber attack.

"The malware collects data about the system, regularly sends them to the command and control servers and waits for further commands," reads the report published on the CERT-UA website.

Regarding the NEW-SAR_v.14 version, experts note that the main difference of new modifications from previous versions is that the system can become infected via flash drives and other removable storage media, as well as flash drives connected to the affected machine could be infected for further malware distribution, UNIAN agency reported.

Documents (.doc, .docx), images (.jpg) and text files (.txt) are copied to a hidden MacOS folder with the names FILE . (for example, FILE3462.docx), while on flash drives, shortcuts are created with the original file names, which ensure simultaneous opening of the original file copied to the MacOS folder and the execution of the created malicious usb.ini file.

The virus body performs the same functions as in its previous versions: it sends information about the system, updates itself, and downloads components if available.

In addition, the new version is activated only on systems with localization of languages of the post-Soviet states, namely, Ukrainian, Belarusian, Russian, Armenian, Azerbaijani, Uzbek, Tatar and others, which complicates the analysis of the virus with popular automated malware analysis systems.

Regarding the arm_02.10 version, it is noted that the main difference of the modification is that the message is displayed when the file is activated, which reduces the probability of the user assuming that the malware is running. In addition, in this version, for each affected system, an individual url-directory with the serial number of the drive on which the system is installed, for example, bitsadmin.ddns [.] Net / 00000 / setup.exe, where “00000” is the serial number, indicates that the attackers analyze the information received about the infected system and, individually for each system, determine which new applications to load and launch.

Also in their report, the joint team of experts identified indicators of compromise (IOC), harmful domains and IPs, malicious files, directories in which these files are located, tasks in the task manager, and countermeasures to remove the virus.

Recommendations have been issued for preventing cyber threats:

- Prohibit the opening of attachments in suspicious messages (for example: when the sender changed the language of communication for reasons unknown; the letter’s topic is atypical for the sender, the way the sender addresses the addressee is atypical, etc. as well as when messages have non-standard text, prompting the recipient to switch to suspicious links or to open suspicious files - archives, exe.files, etc.);

- Disable the autorun of removable media (flash drives) and check them with antivirus when connected;

- If a suspicious letter comes from a well-known addressee, verify by phone (or in any other way), whether it was them who actually sent it, and, if needed, save it on a disk, archive it and, forward it to CERN-UA via email for a checkup;

- Remain vigilant in any non-standard situations, for example, when an operating system displays a message that a file cannot be opened, certain software must be installed, or when permission is requested to perform a certain operation;

- Disconnect the suspicious device from the internet for further inspection; - Disable encryption if enabled;

- Check for macro exceptions in Microsoft Office Word;

- Use antivirus systems with updated signature databases, as well as licensed, updated operating system and software;

- Regularly back up important files, update passwords for access to important systems, and scan systems with antivirus.