Gamaredon's LitterDrifter USB malware spreads beyond Ukraine



A newly discovered worm that researchers call LitterDrifter has been spreading over USB drives and infecting systems in multiple countries as part of a campaign by the Gamaredon state-sponsored espionage group.

Malware researchers saw indications of compromise in the United States, Ukraine, Germany, Vietnam, Poland, Chile, and Hong Kong, which suggests that the threat group lost control of LitterDrifter and that the worm reached unintended targets.

LitterDrifter's global spread (Check Point)

According to research from Check Point, the malware is written in VBS and was designed to propagate through USB drives, as an evolution of Gamaredon's USB PowerShell worm.

Gamaredon, also known as Shuckworm, Iron Tilden, and Primitive Bear, is a cyber espionage threat group associated with Russia that for at least a decade has targeted organizations in Ukraine across multiple sectors, including government, defense, and critical infrastructure.

LitterDrifter details

LitterDrifter's purpose is to establish communications with the threat group's command and control (C2) server and to spread over USB drives.

To achieve its goal, the malware uses two separate modules, which are executed by the heavily obfuscated VBS component trash.dll.

LitterDrifter's execution scheme (Check Point)

LitterDrifter and all its components reside in the user's "Favorites" directory and establish persistence by adding scheduled tasks and registry keys.

The module responsible for spreading to other systems monitors for newly inserted USB drives and creates deceptive LNK shortcuts along with a hidden copy of trash.dll.

Infecting USB drives (Check Point)

The malware uses the Windows Management Instrumentation (WMI) framework to identify target drives and creates shortcuts with random names that execute the malicious script.

The spreader module code (Check Point)

The researchers explain that Gamaredon uses domains as placeholders for the IP addresses where the C2 servers are located. In this respect, the threat group has a "rather unique" approach.

Before trying to contact the C2 server, the malware looks in the temporary folder for a configuration file. If no such file exists, LitterDrifter pings one of Gamaredon's domains using a WMI query.

The response to the query contains the domain's current IP address, which is saved to a new configuration file.
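The behaviours described above (a script host running from the Favorites directory, a scheduled task pointing back there, WMI enumeration of drives, root-level LNK shortcuts dropped beside a copy of trash.dll, and a WMI ping of a placeholder domain) each leave a trace a defender can key on. The following is an added example, not code from Check Point's report or from the malware: a small Python detector run over constructed Sysmon-style records. It assumes the records use Sysmon's field names (EventID 1 process creation, EventID 11 file creation) plus a WMI-Activity trace record that carries the query text and the calling process ID, and that the "WMI ping" is a Win32_PingStatus query (the article only says "a WMI query"). The command lines, process IDs and the reserved placeholder domain c2.example are constructed for the demo, not observed indicators.

```python
"""Behavioural detection for the LitterDrifter tradecraft described above,
run over constructed Sysmon-style events.  Added example; not code from the
Check Point report or from the malware itself."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
REMOVABLE = 2  # Win32_LogicalDisk.DriveType value for removable media

FAVORITES = re.compile(r"\\favorites\\", re.I)
# A shortcut directly in a drive root ("E:\name.lnk"), nothing deeper.
ROOT_LNK = re.compile(r"^([A-Z]):\\[^\\]+\.lnk$", re.I)
# Assumption: the "WMI ping" is a Win32_PingStatus query (the article only
# says "a WMI query").  Whether the query text reaches a log depends on the
# host's WMI-Activity tracing, so the record shape below is illustrative.
WMI_PING = re.compile(r"\bWin32_PingStatus\b", re.I)
SCHTASKS_CREATE = re.compile(r"schtasks(\.exe)?\s.*/create", re.I)


def _exe(path):
    """Lower-cased final component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events, drives):
    """Return (rule_name, detail) hits, in event order.

    events: dicts with Source "Sysmon" (EventID 1 process create, EventID 11
            file create) or "WMI-Activity" (Operation text, ClientProcessId).
    drives: {drive letter: Win32_LogicalDisk.DriveType}, the same view the
            spreader obtains when it enumerates drives through WMI.
    """
    hits = []
    script_pids = {}  # ProcessId -> command line of script hosts seen so far
    for ev in events:
        src, eid = ev.get("Source"), ev.get("EventID")
        if src == "Sysmon" and eid == 1:
            image, cmd = _exe(ev["Image"]), ev.get("CommandLine", "")
            if image in SCRIPT_HOSTS:
                script_pids[ev["ProcessId"]] = cmd
                if FAVORITES.search(cmd):
                    hits.append(("script_host_from_favorites", cmd))
            elif image == "schtasks.exe" and SCHTASKS_CREATE.search(cmd) \
                    and FAVORITES.search(cmd):
                hits.append(("scheduled_task_into_favorites", cmd))
        elif src == "Sysmon" and eid == 11:
            target = ev["TargetFilename"]
            on_removable = drives.get(target[:1].upper()) == REMOVABLE
            if on_removable and ROOT_LNK.match(target) \
                    and _exe(ev["Image"]) in SCRIPT_HOSTS:
                hits.append(("lnk_dropped_on_removable_root", target))
            if on_removable and _exe(target) == "trash.dll":
                hits.append(("trash_dll_copied_to_removable", target))
        elif src == "WMI-Activity" and WMI_PING.search(ev.get("Operation", "")):
            # Only a ping issued by a script host we have already seen counts.
            if ev.get("ClientProcessId") in script_pids:
                hits.append(("wmi_ping_from_script_host", ev["Operation"]))
    return hits


# Constructed sample telemetry for one infected host.  Command lines, PIDs and
# the reserved placeholder domain c2.example are illustrative, not observed
# indicators.  The //e:VBScript engine switch is how wscript runs a script
# file that does not carry a .vbs extension.
SAMPLE_DRIVES = {"C": 3, "E": 2}  # 3 = local fixed disk, 2 = removable
FAV = r"C:\Users\alice\Favorites\trash.dll"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
SAMPLE_EVENTS = [
    {"Source": "Sysmon", "EventID": 1, "ProcessId": 4120, "Image": WSCRIPT,
     "CommandLine": f'wscript.exe "{FAV}" //e:VBScript //b'},
    {"Source": "Sysmon", "EventID": 1, "ProcessId": 4188,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": f'schtasks.exe /create /tn Updater /sc minute /mo 9 '
                    f'/tr "wscript.exe \\"{FAV}\\" //e:VBScript //b"'},
    {"Source": "WMI-Activity", "EventID": 11, "ClientProcessId": 4120,
     "Operation": "Start IWbemServices::ExecQuery - root\\cimv2 : "
                  "SELECT * FROM Win32_PingStatus WHERE Address='c2.example'"},
    {"Source": "Sysmon", "EventID": 11, "ProcessId": 4120, "Image": WSCRIPT,
     "TargetFilename": r"E:\trash.dll"},
    {"Source": "Sysmon", "EventID": 11, "ProcessId": 4120, "Image": WSCRIPT,
     "TargetFilename": r"E:\Holiday Photos.lnk"},
    # Benign noise: a desktop shortcut from Explorer and a ping issued by an
    # admin's PowerShell session; neither should fire.
    {"Source": "Sysmon", "EventID": 11, "ProcessId": 900,
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\Notes.lnk"},
    {"Source": "WMI-Activity", "EventID": 11, "ClientProcessId": 2210,
     "Operation": "Start IWbemServices::ExecQuery - root\\cimv2 : "
                  "SELECT * FROM Win32_PingStatus WHERE Address='fileserver'"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS, SAMPLE_DRIVES):
        print(f"{rule:32} {detail}")
```

The rules deliberately combine location with behaviour: wscript.exe on its own is common on Windows hosts, so the Favorites path (where the report places every LitterDrifter component) and the removable-drive check (DriveType 2, the same value the spreader's own WMI enumeration relies on) do most of the work. The WMI rule only fires when the ping comes from a process already identified as a script host, which keeps routine Win32_PingStatus queries from monitoring tools out of the results.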

Check Point notes that all domains used by the malware are registered under 'REGRU-RU' and use the '.ru' top-level domain, which is consistent with past reports on Gamaredon activity.

The typical lifespan of each IP address that acts as a C2 in LitterDrifter operations is about 28 hours, but the addresses may change multiple times per day to evade detection and blocking.

The C2 may send additional payloads that LitterDrifter attempts to decode and execute on the compromised system. Check Point clarifies that no additional payloads were downloaded in most cases, which may indicate that the attacks are highly targeted.

As a backup option, the malware can also retrieve the C2 IP address from a Telegram channel.

LitterDrifter is likely part of the first stage of an attack, trying to establish persistence on the compromised system and waiting for the C2 to deliver new payloads that would further the attack.

The malware is characterized by simplicity and does not rely on novel techniques, but it appears to be effective.

Check Point's report provides hashes for about two dozen LitterDrifter samples as well as domains associated with Gamaredon's infrastructure.