Gamaredon's LittleDrifter USB malware spreads beyond Ukraine

Trending 2 weeks ago
  1. Home
  2. Technology
  3. Gamaredon's LittleDrifter USB malware spreads beyond Ukraine

Gamaredon's LittleDrifter USB malware spreads above Ukraine

A afresh apparent bastard that advisers alarm LittleDrifter has been overextension over USB drives infecting systems in assorted countries as allotment of a attack from the Gamaredon state-sponsored espionage group.

Malware advisers saw break of accommodation in the United States, Ukraine, Germany, Vietnam, Poland, Chile, and Hong Kong, which suggests that the blackmail accumulation absent ascendancy of LittleDrifter, which accomplished adventitious targets.

LitterDrifter's apocalyptic spreadLitterDrifter's apocalyptic spread (Check Point)

According to analysis from Check Point, the malware is accounting in VBS and was advised to bear through USB drives, as an change of Gamaredon's USB PowerShell worm.

Gamaredon, additionally accepted as Shuckworm, Iron Tilden, and Primitive Bear is a cyber espionage blackmail accumulation associated with Russian that for at atomic a decade has targeted organizations in Ukraine from assorted sectors, including government, defense, and analytical infrastructure. 

LitterDrifter details

LitterDrifter's purpose is to authorize communications with the blackmail group's command and ascendancy (C2) server and to advance over USB drives.

To accomplish its goal, the malware uses two abstracted modules, which are accomplished by the heavily bleared VBS basic trash.dll.

LitterDrifter's beheading schemeLitterDrifter's beheading scheme (Check Point)

LitterDrifter and all its apparatus backup in the user's "Favorites" agenda and authorize chain by abacus appointed tasks and anthology keys.

The bore amenable for advancement to added systems monitors for anew amid USB drives and creates ambiguous LNK shortcuts alternating with a hidden archetype of the "trash.dll."

Infecting USB drivesInfecting USB drives (Check Point)

The malware uses the Windows Management Instrumentation (WMI) management framework to analyze ambition drives and creates shortcuts with accidental names to assassinate awful scripts.

The spreader bore codeThe spreader bore code (Check Point)

The advisers explain that Gamaredon uses domains as placeholder for the IP addresses area the C2 servers are. From this perspective, the blackmail accumulation has a "rather unique" approach.

Before aggravating to acquaintance the C2 server, the malware looks in the acting binder for a agreement file. If such a book does not exist, LittleDrifter pings one of Gamaredon's domains application a WMI query.

The acknowledgment to the concern contains the domain's IP address, which is adored to a new agreement file.

Check Point addendum that all domains acclimated by the malware are registered beneath 'REGRU-RU' and use the '.ru' top-level domain, which is connected with accomplished letters on Gamaredon activity.

The archetypal lifespan of anniversary IP abode that acts as a C2 in LitterDrifter operations is about 28 hours, but the addresses may change assorted times per day to balk apprehension and blocking.

The C2 may accelerate added payloads that LitterDrifter attempts to break and assassinate on the compromised system. CheckPoint clarifies that no added payloads were downloaded in best cases, which may announce that the attacks are awful targeted.

As a advancement option, the malware can additionally retrieve the C2 IP abode from a Telegram channel.

LitterDrifter is acceptable allotment of the aboriginal date of an attack, aggravating to authorize chain on the compromised arrangement and cat-and-mouse for the C2 to bear new payloads that would added the attack.

The malware is characterized by artlessness and does not await on atypical techniques but it appears to be effective.

Check Point's report provides hashes for about two dozen LittleDrifter samples as able-bodied as domains associated with Gamaredon's infrastructure.

Related Article

Russian military hackers target NATO fast reaction corps

Russian military hackers target NATO fast reaction corps

8 hours ago
23andMe updates user agreement to prevent data breach lawsuits

23andMe updates user agreement to prevent data breach lawsuits

9 hours ago
Windows 11 Notepad gets a built-in character counter, finally

Windows 11 Notepad gets a built-in character counter, finally

10 hours ago
WordPress fixes POP chain exposing websites to RCE attacks

WordPress fixes POP chain exposing websites to RCE attacks

10 hours ago
Russian pleads guilty to running crypto-exchange used by ransomware gangs

Russian pleads guilty to running crypto-exchange used by ransomware gangs

13 hours ago
UK and allies expose Russian FSB hacking group, sanction members

UK and allies expose Russian FSB hacking group, sanction members

13 hours ago

Trending

1. Brenda Lee
2. Pelicans
3. Alan Wake 2
4. Zappe
5. Hallmark
6. Copa America 2024
7. Steelers
8. Najee Harris
9. Bucks
10. Benny Blanco

Popular Article

Dell XPS 15 is still at its Black Friday and Cyber Monday price

Dell XPS 15 is still at its Black Friday and Cyber Monday price

20 hours ago
The Game Awards 2023: Here’s the complete list of winners

The Game Awards 2023: Here’s the complete list of winners

6 hours ago
Belgian man charged with smuggling sanctioned military tech to Russia and China

Belgian man charged with smuggling sanctioned military tech to Russia and China

23 hours ago
Microsoft's code name for 64-bit Windows was also a dig at rival Sun

Microsoft's code name for 64-bit Windows was also a dig at rival Sun

21 hours ago
Accelerating software delivery while keeping a close check

Accelerating software delivery while keeping a close check

20 hours ago
GitLab admits IT ineptitude in finance reporting is ongoing

GitLab admits IT ineptitude in finance reporting is ongoing

18 hours ago
English (US) English (US) · Indonesian (ID) Indonesian (ID) ·
About Us · Contact Us · Terms & Conditions · Disclaimer ·

©2023 PAK MEDIA BLOG.
All Rights Reserved.