New Graphiron info-stealer used in attacks against Ukraine

A Russia-linked threat actor has been observed deploying a new information stealer dubbed Graphiron in attacks against Ukraine.

Researchers from Broadcom Symantec spotted a Russia-linked ATP group, tracked as Nodaria (aka UAC-0056), deploying new info-stealing malware, dubbed Graphiron, in attacks against Ukraine.

The Nodaria APT group has been active since at least March 2021, it focuses on Ukraine, despite it has been involved in attacks on targets in Kyrgyzstan and Georgia.

The Graphiron malware allows operators to harvest a wide range of information from the infected systems, including system info, credentials, screenshots, and files.

The malicious code is written in Go programming language, it was first observed in October 2022 and was involved in attacks since at least mid-January 2023.

Graphiron comprises two-stage components: a downloader (Downloader.Graphiron) and a payload (Infostealer.Graphiron).

The downloader contains hardcoded C2 server addresses. Upon execution, the downloader will check against a blacklist of malware analysis tools by checking for running processes’ specific names (i.e. BurpSuite, WinDump, dumpcap, etc). If none of the blacklisted processes are found, it will connect to a C&C server and download and decrypt the payload before adding it to autorun.

The experts pointed out that the downloader runs just once, if it fails will be no more executed.

“Graphiron uses AES encryption with hardcoded keys. It creates temporary files with the “.lock” and “.trash” extensions. It uses hardcoded file names designed to masquerade as Microsoft office executables: OfficeTemplate.exe and MicrosoftOfficeDashboard.exe” reads the analysis published by Symantec.

“The payload is capable of carrying out the following tasks:

• Reads MachineGuid
• Obtains the IP address from https://checkip.amazonaws.com
• Retrieves the hostname, system info, and user info
• Steals data from Firefox and Thunderbird
• Steals private keys from MobaXTerm.
• Steals SSH known hosts
• Steals data from PuTTY
• Steals stored passwords
• Takes screenshots
• Creates a directory
• Lists a directory
• Runs a shell command
• Steals an arbitrary file

The malicious code uses a PowerShell command to steal passwords on the infected system.

The researchers highlighted similarities between Graphiron and older tools in the Nodaria’s arsenal, such as GraphSteel and GrimPlant.

The cyberespionage group Nodaria was linked to the WhisperGate wiper attacks against Ukrainian government computers and websites in January 2022.

The attack chain used by the APT group usually starts with spear-phishing messages, which are then used to deliver a malicious payload to victims. The list of custom tools used by the group includes:

• Elephant Dropper: A dropper
• Elephant Downloader: A downloader
• SaintBot: A downloader
• OutSteel: Information stealer
• GrimPlant (aka Elephant Implant): Collects system information and maintains persistence
• GraphSteel (aka Elephant Client): Information stealer

“While Nodaria was relatively unknown prior to the Russian invasion of Ukraine, the group’s high-level activity over the past year suggests that it is now one of the key players in Russia’s ongoing cyber campaigns against Ukraine.” Symantec concludes.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Graphiron)