2023-11-18

Russian cyber-espionage actors affiliated with the Federal Security Service (FSB) have been observed using a worm that propagates via USB drives, called LitterDrifter, in targeted attacks on Ukrainian government entities.

Where LitterDrifter comes from

Check Point, which published a detailed report on the latest tactics of Gamaredon (the group also known as Aqua Blizzard, Iron Tilden, Primitive Bear, Shuckworm and Winterflounder), reported that the group behind LitterDrifter runs large-scale campaigns followed by “data collection efforts aimed at specific targets, the selection of which is likely motivated by espionage objectives”.

The LitterDrifter worm has two notable capabilities: it spreads automatically to connected USB drives, and it communicates with the attackers’ command and control (C&C) servers. It is also suspected to be an evolution of a PowerShell-based USB worm previously disclosed by Symantec in June 2023.

Written in VBS, LitterDrifter’s spreader module distributes the worm as a hidden file on a USB drive alongside a randomly named decoy LNK shortcut; the malware takes its name from the fact that its initial orchestration component is called “trash.dll”.

“Gamaredon’s approach to C&C is quite unique, using domains as placeholders for the IP addresses in circulation that are actually used as C2 servers”, explains Check Point.

LitterDrifter is also able to retrieve a C&C server address from a Telegram channel, a tactic the group has used repeatedly since at least the beginning of the year.

The cybersecurity firm said it had detected signs of possible infections outside Ukraine, based on VirusTotal submissions from the United States, Vietnam, Chile, Poland, Germany and Hong Kong.

Gamaredon has been active throughout the year, continually evolving its attack methods; in July 2023, the adversary’s rapid data exfiltration capabilities came to light, with the group transmitting sensitive information within an hour of the initial compromise.

“It’s clear that LitterDrifter was designed to support a large-scale collection operation”, the company concluded. “It uses simple but effective techniques to ensure it can achieve the broadest possible set of objectives in the region”.

The development comes as Ukraine’s National Cybersecurity Coordination Center (NCSCC) has revealed attacks orchestrated by Russian state-sponsored hackers targeting European embassies, including those in Italy, Greece, Romania and Azerbaijan.

The intrusions, attributed to APT29 (the group also known as BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock, Midnight Blizzard and The Dukes), involve exploitation of the recently disclosed WinRAR vulnerability (CVE-2023-38831) through benign-looking lures offering BMWs for sale, a theme the group has used before.

The attack chain begins with phishing emails containing a link to a specially crafted ZIP file which, once opened, exploits the flaw to retrieve a PowerShell script from a remote server hosted on Ngrok.

“A worrying trend of exploiting the CVE-2023-38831 vulnerability by Russian intelligence hacking groups demonstrates its growing popularity and sophistication”, the NCSCC said.

Earlier this week, the Computer Emergency Response Team of Ukraine (CERT-UA) discovered a phishing campaign spreading malicious RAR archives disguised as a PDF document from the Security Service of Ukraine (SBU) but actually containing an executable that leads to the deployment of Remcos RAT.

CERT-UA tracks the activity under the designation UAC-0050, which has also been linked to another series of cyberattacks targeting state authorities in the country to deploy Remcos RAT in February 2023.