
Pteranodon

Posted: June 27, 2019

Pteranodon is a backdoor Trojan that's specific to the Gamaredon Group, a threat actor that, traditionally, targets Ukrainian military and government networks. Pteranodon can download and execute other files, copy your media, and take screenshots for uploading to its server. Updated anti-malware tools should delete Pteranodon, and appropriate network security services can eliminate contact with Gamaredon Group's network, which recycles publicized domains.

Flying into Your PC on a ZIP-Archived Breeze

In most contexts, the term Pteranodon refers to a winged reptile that's famously mistaken for a dinosaur, but in PC security it references something even more ominous than the wingspan of a twenty-foot aerial predator. The threat first labeled Pteranodon by a Californian cyber-security company is a backdoor Trojan whose presence is a signature of attacks by the Gamaredon Group. Both the infrastructure and the software components in use by this threat actor imply at least a familiarity with Russia and neighboring regions and, potentially, Russian state sponsorship.

Pteranodon came to the threat landscape in 2016, three years after the earliest apparent attacks of Gamaredon. Its presence on compromised systems was a notable shift from previous techniques, which stressed the use of pre-fabricated Trojans and utilities like Remote Manipulator System, a remote desktop administration application. The features that Pteranodon leverages on behalf of its threat actor include:

  • Pteranodon can remain persistent on the system by copying itself to Startup or scheduling tasks for itself.
  • Pteranodon can download other files and execute them, potentially, for installing other threats.
  • Pteranodon searches for files of specific formats and creates copies of them for the threat actor's perusal.
  • Pteranodon may capture screenshots at variable intervals, depending on its local configuration, and upload them to the Command & Control server.
  • Pteranodon also executes CMD commands that can further manipulate the file system.

An especially characteristic infection vector for Pteranodon and other Trojans from the Gamaredon Group uses SFX or password-protected ZIP archives. The password, one of several obfuscation techniques, requires no user interaction, since malware experts note that these archives are self-extracting.

Bringing Pteranodon to a Rightful Extinction

With both dedicated backdoor and data-exfiltration aspects to its payload, Pteranodon is a classic example of a Trojan that fits the norms of state-sponsored Trojan campaigning by opening a narrow, but potent, two-way tunnel between hackers and the compromised PC. The combination of archive compression, usage of batch scripts, and abuse of 'legitimate' software also increases the difficulty of identifying infections related to the Gamaredon Group. Updating the threat databases of one's security software, where possible, is recommended.

However, Pteranodon's threat actor has an Achilles' heel: mostly consistent C&C domains that consist of both sites hijacked from other entities and dedicated, corrupted ones. Most of the network-communicating configuration for this group's threats is hard-coded, and there are cases of the same domains in use in different attacks. Network-monitoring tools and appropriate firewall settings may be viable defenses against the Gamaredon Group.
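Because the group reuses hard-coded C&C domains, a defender can turn published domains into a DNS-log check. The following is an added example, not code from the original article or from any Gamaredon analysis; the blocklist domains and the query-log lines are constructed placeholders, not real indicators, and the log format assumed is BIND-style query logging.

```python
"""Flag DNS-log entries that resolve names on a (placeholder) Gamaredon C&C blocklist."""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed placeholder blocklist; substitute vetted indicators in practice.
CNC_BLOCKLIST = {"c2-example.invalid", "hijacked-site.invalid"}

# Constructed BIND-style query log lines (not real traffic).
SAMPLE_DNS_LOG = """\
27-Jun-2019 10:00:01.123 queries: info: client 10.0.0.5#53211: query: www.example.com IN A + (10.0.0.2)
27-Jun-2019 10:00:04.456 queries: info: client 10.0.0.7#50123: query: update.c2-example.invalid IN A + (10.0.0.2)
27-Jun-2019 10:00:09.789 queries: info: client 10.0.0.7#50124: query: hijacked-site.invalid IN TXT + (10.0.0.2)
27-Jun-2019 10:00:12.000 queries: info: client 10.0.0.9#50999: query: notc2-example.invalid IN A + (10.0.0.2)
"""

LOG_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def is_blocklisted(qname: str, blocklist: set[str]) -> bool:
    """True if qname equals a blocklisted domain or is a subdomain of one.

    Comparing whole labels avoids the substring false positive
    'notc2-example.invalid' matching 'c2-example.invalid'.
    """
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def find_cnc_contacts(log_text: str, blocklist: set[str] = CNC_BLOCKLIST) -> dict[str, list[str]]:
    """Map each internal client that queried a blocklisted name to the names it asked for."""
    hits: dict[str, list[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and is_blocklisted(m["qname"], blocklist):
            hits[m["src"]].append(m["qname"])
    return dict(hits)


if __name__ == "__main__":
    for client, names in find_cnc_contacts(SAMPLE_DNS_LOG).items():
        print(f"{client} -> {', '.join(names)}")
```

On the constructed log, only client 10.0.0.7 is reported, once for a subdomain of a blocklisted name and once for an exact match.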

Beyond disrupting its network communications, users, especially Ukrainian government employees, can maintain conservative e-mail behavior, server credentials and RDP policies to limit attacks. Modern anti-malware tools still have the best chance of finding and removing Pteranodon before it collects data or deposits other threats.

Pteranodon is much more lively than its long-dead namesake. It has many precautions against analysis, including a mouse-checking loop, but even the best black hat programming struggles against targets who remember the fundamentals of securing their networks.
