Graphiron Malware

A sophisticated threat actor with links to Russia has been discovered deploying new threatening software in targeted cyber attacks on Ukraine. The infostealer threat is tracked as Graphiron by cybersecurity experts. The espionage group behind the malware is known as Nodaria and is monitored by CERT-UA (Computer Emergency Response Team of Ukraine), which tracks it as UAC-0056.

Written in the Go programming language, the Graphiron malware is designed to gather a large amount of data from the infected machines, ranging from system information and credentials to screenshots and files. It is noteworthy that Graphiron appears to be part of an ongoing campaign aimed at Ukrainian targets. Details about the threatening operations and the Graphiron malware were revealed in a report by infosec experts.

Multiple Attack Campaigns Attributed to Nodaria

The hacker group Nodaria has been active since at least April 2021 and is known for deploying custom backdoors such as GraphSteel and GrimPlant in several campaigns following Russia's invasion of Ukraine. Some intrusions have included the use of the Cobalt Strike Beacon for post-exploitation. CERT-UA first detected their activity in January 2022, when they were using the SaintBot and OutSteel malware in spear-phishing attacks against government entities. The hackers have also been linked to the destructive data-wiper attack known as 'WhisperGate' or 'PAYWIPE,' which targeted Ukrainian entities around the same time. Other names under which the Nodaria hackers have been tracked include DEV-0586, TA471 and UNC2589.

The Graphiron Malware Capabilities

Graphiron is the newest threatening tool to join Nodaria's arsenal. It is an enhanced version of the hackers' previous malware, GraphSteel. Once it has infiltrated the targeted device, Graphiron can execute shell commands and collect information from the system, including files, system details, screenshots and SSH keys. It also stands out for its use of Go version 1.18 (released in March 2022).

Evidence suggests Graphiron was first used in attacks in October 2022 and remained active until at least mid-January 2023. Analysis of the infection chain revealed a two-stage process in which a downloader is employed to retrieve an encrypted payload containing the Graphiron malware from a remote server.
