LitterDrifter is malware programmed to spread via USB. Created by the Russian group Gamaredon, it initially targeted Ukraine, but is now spreading well beyond the country’s borders.
Even though the Ukrainian authorities did not seem too concerned about Russian cyberattacks during the conflict, it turns out that software designed to target the country has escaped its borders. The Gamaredon group, which is behind its design, is known to maintain close links with the Russian Federal Security Service (FSB), one of the Russian intelligence services and the equivalent of the Soviet-era KGB. LitterDrifter, as it has been nicknamed, has been spotted in several countries.
Genesis and characteristics of LitterDrifter
The Gamaredon group is also known as ACTINIUM, Primitive Bear and Shuckworm. It stands out in the Russian cyberespionage landscape for its capacity for large-scale operations. It has nothing to do with the LockBit ransomware gang (which attacked Boeing just five days ago): Gamaredon has focused mainly on Ukraine since its creation in 2013. Another notable distinction: Check Point Research indicates that, unlike other Russian cyberespionage groups, it operates openly and makes little effort to hide its activity.
This team has used several malware families over the years (ObfuMerry, Pterodo and DinoTrain being the best known), and its latest creation is LitterDrifter. Written in VBScript, it has two main functions:
- It can receive orders remotely from command and control servers.
- It spreads automatically via USB.
It establishes persistence in the operating system, particularly Windows, by adding new scheduled tasks and registry keys. It also uses Windows Management Instrumentation (WMI), a core OS component for managing and querying system operations and data, to enumerate connected drives; this is what lets it identify and then infect USB drives so easily.
Uncontrolled expansion and consequences
LitterDrifter was originally developed to spread only within Ukraine, but this is no longer the case. It has been detected in several other countries, including Germany, the United States, Vietnam, Poland and Chile. This is bad news: it shows that Gamaredon has completely lost control over the spread of its malware, which is now hitting unintended victims.
Each time a USB stick is connected to a compromised system, the malware attempts to infect it and then contacts a C2 server hidden behind a network of dynamic IP addresses. This makes the malicious activity much harder to track, because C2 infrastructure built this way can change its access point frequently. Using multiple IP addresses also makes the server more resilient, since it spreads the traffic load across addresses.
At the time of writing, Check Point Research has not observed any payload (data theft, ransomware, creation of backdoors or DDoS attacks, for example) during its analysis. This could mean that LitterDrifter is only the first stage of a more elaborate attack on an international scale. It is a perfect illustration of the unpredictable and potentially devastating nature of some modern malware.
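The behaviours described above (a VBScript payload launched from a USB drive, persistence through scheduled tasks and Run registry keys) are the kind of thing a defender can hunt for in endpoint process-creation telemetry. The following script is an added example, not code from the article or from Check Point Research: it runs a few simple detection rules over constructed process-creation log lines in a hypothetical `pid=... user=... image=... cmd=...` format. The set of removable drive letters is also constructed; a real deployment would take it from WMI (`Win32_LogicalDisk` with `DriveType=2`) rather than hard-coding it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed for this example: drive letters that are removable media on the
# monitored host. A real tool would query WMI (Win32_LogicalDisk, DriveType=2).
REMOVABLE_DRIVES = {"E:", "F:"}

# Constructed sample telemetry in a hypothetical single-line format. The paths,
# task name and value name are made up and are not indicators from the article.
SAMPLE_LOG = """\
pid=4120 user=ALICE image=C:\\Windows\\System32\\wscript.exe cmd=wscript.exe E:\\trash.lnk.vbs
pid=4188 user=ALICE image=C:\\Windows\\System32\\schtasks.exe cmd=schtasks /create /tn updater /tr "wscript.exe C:\\Users\\ALICE\\AppData\\Local\\Temp\\stage.vbs" /sc minute
pid=4200 user=ALICE image=C:\\Windows\\System32\\reg.exe cmd=reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v drifter /t REG_SZ /d "wscript.exe C:\\Users\\ALICE\\AppData\\Local\\Temp\\stage.vbs"
pid=4300 user=ALICE image=C:\\Windows\\System32\\notepad.exe cmd=notepad.exe C:\\Users\\ALICE\\notes.txt
pid=4350 user=ALICE image=C:\\Windows\\System32\\wscript.exe cmd=wscript.exe C:\\Scripts\\backup.vbs
"""

LINE = re.compile(r"^pid=(\d+) user=(\S+) image=(\S+) cmd=(.*)$")
SCRIPT_HOST = re.compile(r"\b[wc]script(?:\.exe)?\b", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\b", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
VBS_PATH = re.compile(r"\b([A-Z]:)\\\S+\.vbs\b", re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def removable_script_path(cmd: str) -> Optional[str]:
    """Return the first .vbs path that lives on a removable drive letter, if any."""
    for m in VBS_PATH.finditer(cmd):
        if m.group(1).upper() in REMOVABLE_DRIVES:
            return m.group(0)
    return None


def analyse(log_text: str) -> List[Finding]:
    """Apply the detection rules to every parseable line and collect findings."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # lines that do not fit the expected format are skipped
        pid, image, cmd = int(m.group(1)), m.group(3), m.group(4)
        exe = image.rsplit("\\", 1)[-1].lower()

        if exe in ("wscript.exe", "cscript.exe"):
            # Rule 1: a script host executing a .vbs file straight off removable media.
            path = removable_script_path(cmd)
            if path:
                findings.append(Finding(pid, "script-host-from-removable", path))
            # Rule 2: a script host executing from a user-writable temp directory.
            if TEMP_DIR.search(cmd):
                findings.append(Finding(pid, "script-host-from-temp", cmd))
        elif exe == "schtasks.exe" and "/create" in cmd.lower() and SCRIPT_HOST.search(cmd):
            # Rule 3: a new scheduled task whose action is a script host.
            findings.append(Finding(pid, "scheduled-task-runs-script-host", cmd))
        elif exe == "reg.exe" and RUN_KEY.search(cmd) and SCRIPT_HOST.search(cmd):
            # Rule 4: a Run/RunOnce registry value pointing at a script host.
            findings.append(Finding(pid, "run-key-runs-script-host", cmd))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"pid {f.pid}: {f.rule} -> {f.detail}")
```

On the constructed sample the script flags three of the five lines: the script host reading a `.vbs` from the removable drive `E:`, the scheduled-task creation, and the Run-key write; the benign notepad launch and the script run from a fixed-disk path produce nothing. The rules are deliberately narrow (they key on the script host, the Run key and removable drive letters), which keeps false positives low in environments that use VBScript legitimately, at the cost of missing variants that use a different persistence mechanism.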
Source : Techspot