A group of Russian-state hackers known for almost exclusively targeting Ukrainian entities has branched out in recent months, either by accident or on purpose, by allowing USB-based espionage malware to infect a wide range of organizations in other countries.
The group—known by many names, including Gamaredon, Primitive Bear, ACTINIUM, Armageddon, and Shuckworm—has been active since at least 2014 and has been attributed to Russia’s Federal Security Service by the Security Service of Ukraine. Most Kremlin-backed groups take pains to fly under the radar; Gamaredon doesn’t care to. Its espionage-motivated campaigns targeting large numbers of Ukrainian organizations are easy to detect and tie back to the Russian government. The campaigns typically revolve around malware that aims to obtain as much information from targets as possible.
One of these tools is a computer worm designed to spread from computer to computer through USB drives. Tracked by researchers from Check Point Research as LitterDrifter, the malware is written in the Visual Basic Scripting language. LitterDrifter serves two purposes: to promiscuously spread from USB drive to USB drive and to permanently infect the devices that connect to such drives with malware that permanently communicates with Gamaredon-operated command and control servers.
“Gamaredon continues to focus on [a] wide variety [of] Ukrainian targets, but due to the nature of the USB worm, we see indications of possible infection in various countries like USA, Vietnam, Chile, Poland and Germany,” Check Point researchers reported recently. “In addition, we’ve observed evidence of infections in Hong Kong. All this might indicate that much like other USB worms, LitterDrifter [has] spread beyond its intended targets.”
The image above, tracking submissions of LitterDrifter to the Alphabet-owned VirusTotal service, indicates that the Gamaredon malware may be infecting targets well outside the borders of Ukraine. VirusTotal submissions usually come from people or organizations that encounter unfamiliar or suspicious-looking software on their networks and want to know if it’s malicious. The data suggests that the number of infections in the US, Vietnam, Chile, Poland, and Germany combined may be roughly half of those hitting organizations inside Ukraine.
Worms are forms of malware that spread without requiring a user to take any action. As self-propagating software, worms are notorious for explosive growth at exponential scales. Stuxnet, the worm created by the US National Security Agency and its counterpart from Israel, has been a cautionary tale for spy agencies. Its creators intended Stuxnet to infect only a relatively small number of Iranian targets participating in that country’s uranium enrichment program. Instead, Stuxnet spread far and wide, infecting an estimated 100,000 computers worldwide. Non-USB-activated worms such as NotPetya and WannaCry have infected many more.
LitterDrifter provides a similar means for spreading far and wide. Check Point researchers explained:
The core essence of the Spreader module lies in recursively accessing subfolders in each drive and creating LNK decoy shortcuts, alongside a hidden copy of the “trash.dll” file.
Upon execution, the module queries the computer’s logical drives using Windows Management Instrumentation (WMI), and searches for logical disks with the MediaType value set to null, a method often used to identify removable USB drives. For each logical drive detected, the spreader invokes the createShortcutsInSubfolders function. Within this function, it iterates the subfolders of a provided folder up to a depth of 2. For every subfolder, it employs the CreateShortcut function as part of the “Create LNK” action, which is responsible for generating a shortcut with specific attributes. These shortcuts are LNK files that are given random names chosen from an array in the code. This is an example of the lure’s names from an array in one of the samples that we investigated: ("Bank_accоunt", "постановa", "Bank_accоunt", "службовa", "cоmpromising_evidence"). The LNK files use wscript.exe to execute “trash.dll” with specified arguments: " ""trash.dll"" /webm //e:vbScript //b /wm /cal ". In addition to generating the shortcut, the function also creates a hidden copy of “trash.dll” in the subfolder.
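The folder layout the spreader leaves behind (a copy of trash.dll beside decoy .lnk files, no deeper than two subfolders from the drive root) is something a defender can sweep a removable drive for. The detector below is an added example written for this article, not code from Check Point or from the malware; the scan function, the constructed sample drive and the homoglyph check are all assumptions made here to illustrate the pattern, and the lure names are built with a Cyrillic о so that the mixed-script check is exercised.

```python
import os
import tempfile
import unicodedata
from pathlib import Path

# Name of the script host file the spreader hides in each subfolder (from the report).
SCRIPT_HOST = "trash.dll"


def mixed_script(stem: str) -> bool:
    """True if a filename stem mixes Latin and Cyrillic letters (homoglyph lure)."""
    scripts = {unicodedata.name(ch, "").split()[0] for ch in stem if ch.isalpha()}
    return {"LATIN", "CYRILLIC"} <= scripts


def scan_drive(root: str, max_depth: int = 2) -> list[dict]:
    """Walk subfolders of a drive root up to max_depth (the spreader uses 2) and
    return one finding per folder holding trash.dll together with .lnk files."""
    root_path = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root_path):
        depth = len(Path(dirpath).relative_to(root_path).parts)
        if depth > max_depth:
            continue
        lnks = [f for f in files if f.lower().endswith(".lnk")]
        if SCRIPT_HOST in (f.lower() for f in files) and lnks:
            findings.append({
                "folder": os.path.relpath(dirpath, root),
                "lnk_names": sorted(lnks),
                "homoglyph_lures": sorted(f for f in lnks if mixed_script(Path(f).stem)),
            })
    return findings


def build_sample_drive() -> str:
    """Constructed directory tree mimicking an infected drive; no real payload."""
    root = tempfile.mkdtemp()
    infected = Path(root) / "Documents" / "2023"
    infected.mkdir(parents=True)
    (infected / SCRIPT_HOST).write_text("constructed placeholder, not a payload")
    (infected / "Bank_acc\u043eunt.lnk").write_bytes(b"")  # 'о' here is Cyrillic U+043E
    (infected / "\u043f\u043e\u0441\u0442\u0430\u043d\u043e\u0432a.lnk").write_bytes(b"")  # Latin 'a' ending
    clean = Path(root) / "Photos"
    clean.mkdir()
    (clean / "holiday.jpg").write_bytes(b"")
    return root


if __name__ == "__main__":
    for finding in scan_drive(build_sample_drive()):
        print(finding)
```

On a real drive the hidden attribute on trash.dll and the wscript.exe target inside the .lnk would be further corroboration; this example keys only on the names and layout described above.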
The techniques described are relatively simple, but as evidenced, they’re plenty effective. So much so that they’ve allowed it to break out of its previous Ukrainian-only targeting area to a much bigger realm. People who want to know if they’ve been infected can check the Check Point post’s indicators of compromise section, which lists file hashes, IP addresses, and domains used by the malware.
“Comprised of two primary components—a spreading module and a C2 module—it’s clear that LitterDrifter was designed to support a large-scale collection operation,” Check Point researchers wrote. “It leverages simple, yet effective techniques to ensure it can reach the widest possible set of targets in the region.”