Russian Cyber Espionage Group Deploys LitterDrifter USB Worm in Focused Attacks

Russian cyber espionage actors affiliated with the Federal Security Service (FSB) have been observed using a USB-propagating worm called LitterDrifter in attacks targeting Ukrainian entities.

Check Point, which detailed Gamaredon's (aka Aqua Blizzard, Iron Tilden, Primitive Bear, Shuckworm, and Winterflounder) latest tactics, characterized the group as running large-scale campaigns that are followed by "data collection efforts aimed at specific targets, whose selection is likely motivated by espionage goals."

The LitterDrifter worm packs in two main features: automatically spreading the malware via connected USB drives, and communicating with the threat actor's command-and-control (C&C) servers. It is also suspected to be an evolution of a PowerShell-based USB worm that was previously disclosed by Symantec in June 2023.

Written in VBS, the spreader module is responsible for distributing the worm as a hidden file on a USB drive together with a decoy LNK that is assigned random names. The malware gets its name LitterDrifter from the fact that the initial orchestration component is named "trash.dll."
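The spreader layout described above (a hidden VBS/DLL payload dropped beside a randomly named .lnk decoy in the root of removable media) is something an incident responder can triage from a plain directory listing. The script below is an added example, not Check Point's code or its indicator list: the entropy threshold, the "letters plus digits" rule for a generated name, and the two sample listings are all assumptions constructed here, and the `Entry` records stand in for whatever the host reports about hidden attributes.

```python
"""Triage a removable-drive root listing for a LitterDrifter-style spreader
layout: a hidden VBS/DLL payload dropped beside decoy .lnk files with
random-looking names. Added example, not Check Point's code or indicator list;
the thresholds and the sample listings are assumptions constructed here."""
import math
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Entry:
    name: str      # file name as it appears in the drive root
    hidden: bool   # FILE_ATTRIBUTE_HIDDEN set, as reported by the host OS
    size: int      # bytes; unused by the heuristics, kept for reporting


def shannon_entropy(text: str) -> float:
    """Bits per character of the given string (0.0 for an empty string)."""
    if not text:
        return 0.0
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in Counter(text).values())


def looks_random(stem: str) -> bool:
    """Assumed signature of a generated decoy name: one alphanumeric run of at
    least 6 characters mixing letters and digits, with >= 3.0 bits/char entropy."""
    if len(stem) < 6 or re.fullmatch(r"[A-Za-z0-9]+", stem) is None:
        return False
    has_digit = any(ch.isdigit() for ch in stem)
    has_alpha = any(ch.isalpha() for ch in stem)
    return has_digit and has_alpha and shannon_entropy(stem.lower()) >= 3.0


def triage(entries: list[Entry]) -> list[str]:
    """Return human-readable findings for one drive root; empty means clean."""
    findings = []
    lower_names = {e.name.lower() for e in entries}
    lnks = [e for e in entries if e.name.lower().endswith(".lnk")]
    hidden_payloads = [e for e in entries
                       if e.hidden and e.name.lower().endswith((".vbs", ".dll"))]

    # The article names the orchestration component "trash.dll"; a DLL of that
    # name in a USB root is worth a look regardless of the other checks.
    if "trash.dll" in lower_names:
        findings.append("trash.dll present in drive root")

    # Shortcuts in the root of removable media are a classic worm lure; those
    # with random-looking names match the decoy LNK behaviour described above.
    random_lnks = [e.name for e in lnks if looks_random(e.name[:-4])]
    if random_lnks:
        findings.append("random-named .lnk decoy(s): " + ", ".join(sorted(random_lnks)))

    # A hidden script or DLL sitting next to a shortcut is the spreader layout itself.
    if hidden_payloads and lnks:
        names = ", ".join(sorted(e.name for e in hidden_payloads))
        findings.append("hidden payload beside .lnk decoy: " + names)
    return findings


# Constructed sample listings (not real infection data).
SUSPICIOUS_ROOT = [
    Entry("trash.dll", True, 20480),
    Entry("x7Kq92pLm4.lnk", False, 1184),
    Entry("Report.docx", False, 30210),
]
CLEAN_ROOT = [Entry("Report.docx", False, 30210), Entry("photos", False, 0)]

if __name__ == "__main__":
    for label, root in (("suspicious", SUSPICIOUS_ROOT), ("clean", CLEAN_ROOT)):
        print(label, "->", triage(root) or "no findings")
```

On a live Windows host the listing would come from `Get-ChildItem -Force` on the drive root, with `hidden` taken from the Hidden attribute; the heuristics are deliberately loose so that a hit means "look at this drive", not "this is LitterDrifter".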


"Gamaredon's approach towards the C&C is rather unique, as it utilizes domains as a placeholder for the circulating IP addresses actually used as C2 servers," Check Point explained.

LitterDrifter is also capable of connecting to a C&C server extracted from a Telegram channel, a tactic it has repeatedly put to use since at least the start of the year.

The cybersecurity firm said it also detected indications of possible infection outside of Ukraine based on VirusTotal submissions from the U.S., Vietnam, Chile, Poland, Germany, and Hong Kong.

Gamaredon has had an active presence this year, while continuously evolving its attack methods. In July 2023, the adversary's rapid data exfiltration capabilities came to light, with the threat actor transmitting sensitive information within an hour of the initial compromise.

"It is clear that LitterDrifter was designed to support a large-scale collection operation," the company concluded. "It leverages simple, yet effective techniques to ensure it can reach the widest possible set of targets in the region."


The development comes as Ukraine's National Cybersecurity Coordination Center (NCSCC) revealed attacks orchestrated by Russian state-sponsored hackers targeting embassies across Europe, including Italy, Greece, Romania, and Azerbaijan.

The intrusions, attributed to APT29 (aka BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock, Midnight Blizzard, and The Dukes), involve the exploitation of the recently disclosed WinRAR vulnerability (CVE-2023-38831) via benign-looking lures that claim to offer BMWs for sale, a theme it has employed in the past.

The attack chain commences with sending victims phishing emails containing a link to a specially crafted ZIP file that, when launched, exploits the flaw to retrieve a PowerShell script from a remote server hosted on Ngrok.
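The article does not describe how the crafted ZIP triggers CVE-2023-38831, but the trigger is public: the archive holds a benign-looking file (say "offer.pdf") next to a directory named "offer.pdf " (note the trailing space) containing a script such as "offer.pdf .cmd", and vulnerable WinRAR builds execute the script when the user opens the decoy. That layout can be checked before anyone opens the file. The scanner below is an added example, not NCSCC's or any vendor's detection logic; the executable-extension list is an assumption, and the BMW-lure archive it scans is constructed in memory rather than taken from the campaign.

```python
"""Scan a ZIP for the CVE-2023-38831 decoy layout without opening it in WinRAR.
Added example, not NCSCC's or a vendor's detection logic; the extension list is
an assumption and the sample archive is constructed in memory."""
import io
import zipfile

# Extensions WinRAR would hand to the shell; assumption for triage, extend as needed.
EXECUTABLE_EXT = (".cmd", ".bat", ".vbs", ".js", ".wsf", ".ps1", ".exe", ".scr")


def find_decoy_pairs(archive_bytes: bytes) -> list[tuple[str, str]]:
    """Return (decoy_file, script_entry) pairs matching the CVE-2023-38831 layout."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        entries = [n for n in zf.namelist() if not n.endswith("/")]
    top_level = [n for n in entries if "/" not in n]
    hits = []
    for decoy in top_level:
        # The trap directory is the decoy's name plus one trailing space.
        spaced_dir = decoy + " /"
        for entry in entries:
            if not entry.startswith(spaced_dir):
                continue
            inner = entry[len(spaced_dir):]
            # Must sit directly in that directory, share the decoy's name
            # (again with a trailing space) and carry an executable extension.
            if ("/" not in inner and inner.startswith(decoy + " ")
                    and inner.lower().endswith(EXECUTABLE_EXT)):
                hits.append((decoy, entry))
    return hits


def build_sample(malicious: bool) -> bytes:
    """Constructed in-memory ZIP: a BMW-sale lure with or without the trap."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("BMW offer.pdf", b"%PDF-1.4\n% decoy placeholder\n")
        if malicious:
            # Placeholder script body; a real lure would fetch the next stage.
            zf.writestr("BMW offer.pdf /BMW offer.pdf .cmd",
                        b"@echo off\r\nrem placeholder\r\n")
        else:
            zf.writestr("photos/front.jpg", b"\xff\xd8\xff\xe0 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print("malicious:", find_decoy_pairs(build_sample(True)))
    print("benign   :", find_decoy_pairs(build_sample(False)))
```

The check keys on the entry names only, so it works on the raw archive without extracting anything; the same name-shape test applies to RAR members once they are listed with a RAR-aware library, which the standard library does not provide.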

"A concerning trend of exploiting CVE-2023-38831 vulnerability by Russian intelligence services hacking groups demonstrates its growing popularity and sophistication," NCSCC said.

Earlier this week, the Computer Emergency Response Team of Ukraine (CERT-UA) uncovered a phishing campaign that distributes malicious RAR archives whose contents masquerade as a PDF document from the Security Service of Ukraine (SBU) but are, in reality, an executable that leads to the deployment of Remcos RAT.


CERT-UA is tracking the activity under the moniker UAC-0050, which was also linked to another spate of cyber attacks aimed at state authorities in the country to deliver Remcos RAT in February 2023.
