Russian cyber espionage actors affiliated with the Federal Security Service (FSB) have been observed using a USB propagating worm called LitterDrifter in attacks targeting Ukrainian entities.
Check Point, which detailed Gamaredon’s (aka Aqua Blizzard, Iron Tilden, Primitive Bear, Shuckworm, and Winterflounder) latest tactics, branded the group as engaging in large-scale campaigns that are followed by “data collection efforts aimed at specific targets, whose selection is likely motivated by espionage goals.”
The LitterDrifter worm packs in two main features: automatically spreading the malware via connected USB drives as well as communicating with the threat actor’s command-and-control (C&C) servers. It’s also suspected to be an evolution of a PowerShell-based USB worm that was previously disclosed by Symantec in June 2023.
Written in VBS, the spreader module is responsible for distributing the worm as a hidden file in a USB drive together with a decoy LNK that’s assigned random names. The malware gets its name LitterDrifter owing to the fact that the initial orchestration component is named “trash.dll.”
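The spreading pattern described above, a hidden script-bearing file dropped beside decoy LNK shortcuts on a removable drive, is something a defender can sweep for. The following is an added example (not code from Check Point or from the article) of a small Python triage scan that walks a mounted volume, flags hidden files whose contents look like VBScript regardless of their extension, and records the LNK files sitting next to them. The "hidden" test, the VBScript markers, and the constructed sample layout are all assumptions made for this illustration; real triage would feed the findings into an EDR or SIEM rather than print them.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumed VBScript markers; a file matching two or more is treated as script-like.
VBS_MARKERS = (b"wscript", b"createobject", b"execute", b"on error resume next")


def is_hidden(path: Path) -> bool:
    """Windows: FILE_ATTRIBUTE_HIDDEN via st_file_attributes.
    Elsewhere (assumption for portability): a leading dot counts as hidden."""
    try:
        st = path.stat()
    except OSError:
        return False
    attrs = getattr(st, "st_file_attributes", 0)
    if attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0):
        return True
    return path.name.startswith(".")


def looks_like_vbscript(path: Path, max_bytes: int = 4096) -> bool:
    """Content-based check: the page notes the orchestrator carries a .dll name,
    so extension alone is not a reliable signal."""
    try:
        head = path.read_bytes()[:max_bytes].lower()
    except OSError:
        return False
    return sum(marker in head for marker in VBS_MARKERS) >= 2


def scan_drive(root: Path) -> List[Dict[str, object]]:
    """Return one finding per hidden VBScript-like file that shares a directory
    with at least one .lnk file (the decoy pairing described in the article)."""
    findings: List[Dict[str, object]] = []
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        lnks = [f for f in files if f.lower().endswith(".lnk")]
        if not lnks:
            continue
        for name in files:
            if name.lower().endswith(".lnk"):
                continue
            p = d / name
            if is_hidden(p) and looks_like_vbscript(p):
                findings.append({
                    "script": str(p),
                    "decoy_lnk": [str(d / l) for l in lnks],
                })
    return findings


def build_sample_drive() -> Path:
    """Constructed sample layout for demonstration only; contains no working code."""
    root = Path(tempfile.mkdtemp(prefix="usb_sample_"))
    # Constructed fragment with VBScript-like markers; it does nothing.
    (root / ".trash.dll").write_bytes(
        b"On Error Resume Next\r\nSet o = CreateObject(\"WScript.Shell\")\r\n"
    )
    (root / "Documents.lnk").write_bytes(b"L\x00\x00\x00")  # placeholder LNK header
    benign = root / "photos"
    benign.mkdir()
    (benign / "holiday.jpg").write_bytes(b"\xff\xd8\xff")
    (benign / "Pictures.lnk").write_bytes(b"L\x00\x00\x00")  # LNK with no hidden script
    return root


def demo() -> List[Dict[str, object]]:
    """Build the constructed drive and scan it; the benign folder should not fire."""
    return scan_drive(build_sample_drive())


if __name__ == "__main__":
    for hit in demo():
        print(f"hidden script-like file: {hit['script']}")
        print(f"  adjacent LNK decoys:  {hit['decoy_lnk']}")
```

Run it against a real mount point with `scan_drive(Path("E:/"))` (or the corresponding `/media/...` path). The benign `photos` directory contains a shortcut but no hidden script, so it is not reported; only the root pairing is.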
“Gamaredon’s approach towards the C&C is rather unique, as it utilizes domains as a placeholder for the circulating IP addresses actually used as C2 servers,” Check Point explained.
LitterDrifter is also capable of connecting to a C&C server extracted from a Telegram channel, a tactic it has repeatedly put to use since at least the start of the year.
The cybersecurity firm said it also detected signs of possible infection outside of Ukraine based on VirusTotal submissions from the U.S., Vietnam, Chile, Poland, Germany, and Hong Kong.
Gamaredon has had an active presence this year, while continuously evolving its attack methods. In July 2023, the adversary’s rapid data exfiltration capabilities came to light, with the threat actor transmitting sensitive information within an hour of the initial compromise.
“It’s clear that LitterDrifter was designed to support a large-scale collection operation,” the company concluded. “It leverages simple, yet effective techniques to ensure it can reach the widest possible set of targets in the region.”
The development comes as Ukraine’s National Cybersecurity Coordination Center (NCSCC) revealed attacks orchestrated by Russian state-sponsored hackers targeting embassies across Europe, including Italy, Greece, Romania, and Azerbaijan.
The intrusions, attributed to APT29 (aka BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock, Midnight Blizzard, and The Dukes), involve the exploitation of the recently disclosed WinRAR vulnerability (CVE-2023-38831) via benign-looking lures that claim to offer BMWs for sale, a theme it has employed in the past.
The attack chain commences with sending victims phishing emails containing a link to a specially crafted ZIP file that, when launched, exploits the flaw to retrieve a PowerShell script from a remote server hosted on Ngrok.
“A concerning trend of exploiting CVE-2023-38831 vulnerability by Russian intelligence services hacking groups demonstrates its growing popularity and sophistication,” NCSCC said.
Earlier this week, the Computer Emergency Response Team of Ukraine (CERT-UA) unearthed a phishing campaign that propagates a malicious RAR archive that masquerades as a PDF document from the Security Service of Ukraine (SBU) but, in reality, is an executable that leads to the deployment of Remcos RAT.
CERT-UA is tracking the activity under the moniker UAC-0050, which was also linked to another spate of cyber attacks aimed at state authorities in the country to deliver Remcos RAT in February 2023.