Targeted Attacks Witness Deployment of LitterDrifter USB Worm by Russian Cyber Espionage Group

Russian cyber espionage groups with ties to the Federal Security Service (FSB) have been deploying a USB-spreading worm known as LitterDrifter to target Ukrainian organizations. Check Point's analysis reveals the group, also known as Gamaredon (along with aliases Aqua Blizzard, Iron Tilden, Primitive Bear, Shuckworm, and Winterflounder), orchestrating large-scale campaigns followed by targeted data collection, likely driven by espionage objectives.

LitterDrifter, believed to be an advanced iteration of a PowerShell-based USB worm previously uncovered by Symantec in June 2023, exhibits two core capabilities: automatic propagation through connected USB drives and communication with command-and-control (C&C) servers. This worm, written in VBS, distributes itself as a concealed file on USB drives, accompanied by a decoy LNK file with randomized names. It derives its name from the "trash.dll" file used in its initial setup process.

What sets Gamaredon apart is its unique approach to C&C communication, utilizing domains as placeholders for the actual circulating IP addresses of its C2 servers. Additionally, LitterDrifter has been observed to extract C&C server details from a Telegram channel, a method it has consistently employed since the beginning of the year.

Check Point's research also indicates potential infections beyond Ukraine, with VirusTotal submissions tracing back to countries including the U.S., Vietnam, Chile, Poland, Germany, and Hong Kong.

Throughout this year, the Gamaredon group, known for its evolving attack methodologies, demonstrated rapid data exfiltration capabilities, transmitting sensitive information within an hour of breaching a system. Designed for large-scale information gathering, LitterDrifter, a tool used by Gamaredon, employs straightforward yet effective methods to target a broad range of entities in the region.

"It's evident that LitterDrifter was crafted to aid extensive data collection efforts," the report stated. "It utilizes basic, effective strategies to maximize its reach across potential targets in the area."

This revelation aligns with recent disclosures by Ukraine's National Cybersecurity Coordination Center (NCSCC) regarding Russian state-sponsored hackers targeting European embassies in countries such as Italy, Greece, Romania, and Azerbaijan. These attacks, linked to APT29 (also known as BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock, Midnight Blizzard, and The Dukes), involve exploiting the newly reported WinRAR vulnerability (CVE-2023-38831). The attackers use deceptive lures resembling BMW sales offers, a tactic previously employed by the group.

The attack begins with phishing emails containing links to ZIP files, which exploit the WinRAR vulnerability to download a PowerShell script from a server hosted on Ngrok.

"The increasing use of the CVE-2023-38831 vulnerability by Russian intelligence-backed hacking groups is a worrying sign of their growing sophistication," NCSCC stated.

Earlier in the week, Ukraine's Computer Emergency Response Team (CERT-UA) identified a phishing campaign spreading malicious RAR archives disguised as PDF documents from the Security Service of Ukraine (SBU). In reality, these archives deploy the Remcos RAT. CERT-UA is monitoring this activity under the identifier UAC-0050, which was previously associated with attacks on Ukrainian state authorities using Remcos RAT in February 2023.

Stay informed with the latest insights by following us on Twitter and LinkedIn.