
LitterDrifter Worm

Cyber espionage operatives linked to Russia's Federal Security Service (FSB) have been detected employing a USB-propagating worm named LitterDrifter in assaults directed at Ukrainian entities.

The entity orchestrating this offensive is identified as Gamaredon, also known by aliases such as Aqua Blizzard, Iron Tilden, Primitive Bear, Shuckworm and Winterflounder. Recent strategies employed by these hackers characterize the group as conducting extensive campaigns, followed by meticulous data collection efforts aimed at specific targets. The selection of these targets is presumed to be driven by espionage objectives.

LitterDrifter Has Spread Beyond Its Initial Targets

The LitterDrifter worm boasts two primary functionalities: it automatically disseminates the malware through connected USB drives and establishes communication with the threat actor's Command-and-Control (C2, C&C) servers. There are suspicions that it represents an advancement from a previously disclosed PowerShell-based USB worm, which researchers unveiled in June 2023.

Crafted in VBS, the spreader module takes on the responsibility of distributing the worm discreetly within a USB drive, accompanied by a decoy LNK with randomly assigned names. The nomenclature "LitterDrifter" is derived from the initial orchestration component named 'trash.dll.'
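A defender-side triage script for the propagation pattern described above (a decoy LNK shortcut on the drive root, a hidden VBS spreader, and a component named 'trash.dll'). This is an added example, not code from the original page or from the researchers it cites; everything beyond the 'trash.dll' name, including the script-host string markers and the synthetic sample drive it builds, is an assumption for illustration.

```python
"""Heuristic triage of a removable drive for a LNK-plus-hidden-VBS worm layout.
Added example; not code from the original page. Only 'trash.dll' comes from
the page; the other heuristics are assumptions."""
import os
import tempfile
from pathlib import Path

# Shell Link (.lnk) header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_MAGIC = b"\x4c\x00\x00\x00"
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Strings that, inside a shortcut, suggest it launches a script host rather
# than a document. Matched in both ANSI and UTF-16LE string forms.
_SCRIPT_HOST_WORDS = (b"wscript", b"cscript", b".vbs", b".vbe", b"mshta")
SCRIPT_HOST_MARKERS = tuple(
    form for word in _SCRIPT_HOST_WORDS for form in (word, word.decode().encode("utf-16-le"))
)

# Component name reported on the page; any further names would be assumptions.
KNOWN_COMPONENT_NAMES = {"trash.dll"}
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}
FILE_ATTRIBUTE_HIDDEN = 0x2


def is_lnk(data: bytes) -> bool:
    """True if the bytes carry a genuine Shell Link header."""
    return data[:4] == LNK_MAGIC and data[4:20] == LNK_CLSID


def lnk_invokes_script_host(data: bytes) -> bool:
    """True if a shortcut's embedded strings reference a script host or script file."""
    lowered = data.lower()  # ASCII-only lowering leaves UTF-16LE null bytes intact
    return any(marker in lowered for marker in SCRIPT_HOST_MARKERS)


def is_hidden(path: Path) -> bool:
    """Hidden by dot-name, or by the Windows hidden attribute where the OS exposes it."""
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def scan_drive(root) -> list:
    """Walk a mounted drive and return findings as {'kind', 'path'} records."""
    findings = []
    root = Path(root)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = str(path.relative_to(root))
            lower = name.lower()
            if lower in KNOWN_COMPONENT_NAMES:
                findings.append({"kind": "known_component_name", "path": rel})
            if lower.endswith(".lnk"):
                data = path.read_bytes()
                if is_lnk(data) and lnk_invokes_script_host(data):
                    findings.append({"kind": "lnk_launches_script_host", "path": rel})
            elif path.suffix.lower() in SCRIPT_EXTENSIONS and (
                is_hidden(path) or is_hidden(path.parent)
            ):
                findings.append({"kind": "hidden_script", "path": rel})
    return findings


def build_sample_drive() -> str:
    """Construct a throwaway directory laid out like an infected USB drive.
    Every file is a synthetic placeholder; nothing here is real malware."""
    root = tempfile.mkdtemp(prefix="usb_sample_")
    hidden = Path(root) / ".system"
    hidden.mkdir()
    (hidden / "trash.dll").write_bytes(b"placeholder, not a real component")
    (hidden / "loader.vbs").write_text("' placeholder VBScript body\n")
    (Path(root) / "report.txt").write_text("benign document\n")
    # Decoy shortcut: valid 76-byte header, then a UTF-16LE command line naming wscript.
    command = r"wscript.exe //e:vbscript .system\loader.vbs".encode("utf-16-le")
    (Path(root) / "Documents.lnk").write_bytes(LNK_MAGIC + LNK_CLSID + b"\x00" * 56 + command)
    return root


if __name__ == "__main__":
    for finding in scan_drive(build_sample_drive()):
        print(f"{finding['kind']:28} {finding['path']}")
```

Run it against a mounted drive with `scan_drive("E:\\")` (or a mount point on Linux). The LNK check only inspects embedded strings; a full Shell Link parser would be needed to recover the exact target path, but the string heuristic is enough to surface shortcuts that hand control to a script host, which no legitimate document shortcut on a USB stick should do.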

Gamaredon adopts a distinctive approach to the C&C, utilizing domains as placeholders for the actual IP addresses employed as C2 servers.

Moreover, LitterDrifter exhibits the capability to connect to a C&C server extracted from a Telegram channel, a tactic consistently employed by the threat actor since early 2023. Cybersecurity experts have identified potential signs of infection beyond Ukraine, with detections indicating activity in the U.S., Vietnam, Chile, Poland, Germany and Hong Kong.

Gamaredon is Evolving Its Attack Techniques

Throughout the current year, Gamaredon has maintained an active presence, consistently adapting its attack strategies. In July 2023, the adversary's swift data exfiltration prowess became evident, as the threat actor managed to transmit sensitive information within just one hour of the initial compromise.

It is evident that LitterDrifter was specifically crafted to facilitate an extensive collection operation. Employing straightforward yet efficient techniques, the malware ensures it can reach a broad spectrum of targets in the region.

Threat Actors Show Increased Activity Since the Start of the Russia-Ukraine War

The unfolding events coincide with Ukraine's National Cybersecurity Coordination Center (NCSCC) disclosing incidents of state-sponsored Russian hackers orchestrating attacks on embassies across Europe, including Italy, Greece, Romania and Azerbaijan.

Attributed to APT29 (also known as Cloaked Ursa, Cozy Bear, Iron Hemlock, Midnight Blizzard and more), these intrusions exploit the recently revealed WinRAR vulnerability (CVE-2023-38831) through deceptive lures, such as claims of BMWs for sale, a theme previously employed by the threat actor.

The attack sequence begins with phishing emails that contain a link to a specially crafted ZIP file. When the victim opens the archive, the flaw is exploited to fetch a PowerShell script from a remote server hosted on Ngrok. The recurrent exploitation of CVE-2023-38831 by hacking groups tied to Russian intelligence services underscores its growing popularity and sophistication.

Furthermore, CERT-UA (the Computer Emergency Response Team of Ukraine) has disclosed information about a phishing campaign disseminating unsafe RAR archives. These archives purport to contain a PDF document from the Security Service of Ukraine (SBU). However, in reality, they house an executable that leads to the deployment of the Remcos RAT.
