Pierluigi Paganini
November 18, 2023
Check Point researchers observed Russia-linked Gamaredon spreading the worm called LitterDrifter via USB in attacks against Ukraine.
Gamaredon (aka Shuckworm, Actinium, Armageddon, Primitive Bear, UAC-0010, and Trident Ursa) has been active since 2014 and its activity focuses on Ukraine, the group was observed using the multistage backdoor Pteranodon/Pterodo.
The Gamaredon APT group continues to carry out attacks against entities in Ukraine, including security services, military, and government organizations.
Since the beginning of the Russian invasion of Ukraine, the cyber espionage group has carried out multiple campaigns against Ukrainian targets. CERT-UA has monitored Gamaredon operations and was able to gather intelligence on the APT’s tactics, techniques, and procedures (TTPs).
Check Point states that the Gamaredon group usually carries out large-scale campaigns followed by intelligence-gathering activities. In the latest attacks, the group employed the USB-propagating worm LitterDrifter.
The LitterDrifter worm is written in VBS, it supports two main features: automatic USB propagating and communication with a broad, flexible set of C2.
“These features are implemented in a manner that aligns with the group’s goals, effectively maintaining a persistent command and control (C2) channel across a wide array of targets.” reads the analysis published by CheckPoint. “LitterDrifter seems to be an evolution of a previously reported activity tying Gamaredon group to a propagating USB Powershell worm.”
The two functionalities are implemented in an orchestration component saved to disk as “trash.dll”, which is actually a VBS script instead of a DLL.
Upon running the orchestration component, it decodes and run the other modules and maintains persistence on the infected system.
The two extracted modules:
1. Spreader module allows the malware to spread within the system and potentially targets other environments by prioritizing infection of a logical disk with mediatype=NULL, usually associated with USB removable media.
2. C2 Module establishes communication with the attacker C&C server and executes incoming payloads. This component retrieves the IP address of the C2 server by generating a random subdomain of a built-in C2 server. It also maintains a backup option by retrieving the IP address of a C2 server from a Telegram channel.
“Gamaredon’s approach towards the C&C is rather unique, as it utilizes domains as a placeholder for the circulating IP addresses actually used as C2 servers.” continues the report. “Before attempting to contact a C2 server, the script checks the %TEMP% folder for an existing C2 configuration file with a meaningless name that’s hardcoded in the malware. This mechanism acts as a self-check for the malware, verifying whether it already infected the machine. If present, the current execution could simply be a scheduled execution triggered by the persistence mechanisms.”
Threat actors heavily obfuscated the orchestration component, it is constructed from a series of strings with character substitution obfuscation.
Check Point researchers reported possible infections also in the U.S., Vietnam, Chile, Poland, Germany, and Hong Kong.
“LitterDrifter doesn’t rely on groundbreaking techniques and may appear to be a relatively unsophisticated piece of malware. However, this same simplicity is in line with its goals, mirroring Gamaredon’s overall approach.” concludes the report that also includes Indicators of Compromis. “This method has demonstrated considerable effectiveness, as evidenced by the group’s sustained activities in Ukraine.”
In June, Symantec researchers reported that in some cases, the cyberespionage group remained undetected in the target networks for three months.
Most of the attacks began in February/March 2023 and threat actors remained undetected in the target networks until May. In some attacks threat actors successfully breached the victims’ human resources departments in an attempt to gather intelligence on the personnel at the various organizations.
The threat actors focus on stealing sensitive information such as reports about the deaths of Ukrainian military service members, enemy engagements and air strikes, arsenal inventories, military training, and more.
Symantec pointed out that the group has repeatedly refreshed its toolset to avoid detection, the researchers discovered new versions of known tools and observed the group using short-lived infrastructure.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Gamaredon)
