
LitterDrifter is a Russian-made USB worm spreading worldwide


A Russian state-sponsored hacking group known as Gamaredon has created a rogue USB worm named LitterDrifter. Distinctive in its focus on Ukraine, Gamaredon has been actively targeting government systems in the region to gain strategic insights. Cyber threat intelligence company Check Point Research has uncovered that LitterDrifter has now spread its malicious reach to countries beyond its intended scope.

Understanding the mechanics of LitterDrifter requires insight into self-propagating worms and their use of USB drives. This type of malware can spread autonomously from one computer to another without human intervention. LitterDrifter, written in Visual Basic, has two primary functions: spreading itself to drives and establishing a connection to a command and control (C2) server.

The malware’s functionality is discreetly embedded within a file labeled “trash.dll,” a seemingly innocent operating system file. This file houses a main function and two modules: a spreader and a C2 module. To evade detection by security tools, the malicious code is obfuscated, with the main function responsible for deobfuscating the code and triggering its execution.

LitterDrifter, a USB worm created in Russia, has extended its reach beyond Ukraine

The spreader module operates by recursively accessing subfolders in each drive, creating LNK decoy shortcuts, and distributing a hidden copy of the “trash.dll” file. The malware uses LNK files as decoy shortcuts to trick users into executing the malicious payload (“trash.dll”). Utilizing Windows Management Instrumentation (WMI), the module identifies removable USB drives, enabling the worm to propagate. The spreader generates more decoy LNK files with random names for each detected logical drive and executes the malicious “trash.dll” payload.
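The spreading pattern described above (a copy of the same DLL dropped into every subfolder, each paired with a decoy LNK shortcut) is something a defender can look for on a removable drive before anyone clicks a shortcut. The following is an added example, not code from the article or from Check Point Research: a small Python heuristic scanner that walks a drive, records every directory where a .dll sits next to one or more .lnk files, and reports DLL names that recur across several such directories. The directory layout it scans is constructed in a temporary folder to imitate the pattern; the file names other than "trash.dll" and the threshold of two directories are assumptions for the demonstration.

```python
import os
import stat
import tempfile
from collections import defaultdict
from pathlib import Path


def build_sample_tree(root: Path) -> None:
    """Constructed sample: a fake USB drive layout imitating the spreader
    pattern (one DLL copy plus one decoy shortcut per subfolder).
    None of the files are real binaries or real shortcuts."""
    infected = ["Documents", "Photos", "Photos/2023", "Work"]
    for rel in infected:
        d = root / rel
        d.mkdir(parents=True, exist_ok=True)
        # the DLL name comes from the article; the shortcut name is an assumed
        # random-looking decoy name for this example
        (d / "trash.dll").write_bytes(b"CONSTRUCTED SAMPLE - NOT A REAL DLL")
        (d / f"{rel.replace('/', '_')}_a1b2c3.lnk").write_bytes(
            b"CONSTRUCTED SAMPLE - NOT A REAL LNK"
        )
        (d / "notes.txt").write_text("benign user content")
    # a clean folder that must not be reported
    benign = root / "Music"
    benign.mkdir()
    (benign / "track.mp3").write_bytes(b"\x00" * 16)


def is_hidden(path: Path) -> bool:
    """Hidden attribute check; only meaningful on Windows (NTFS/FAT attribute).
    On other platforms st_file_attributes does not exist and we return False."""
    st = path.stat()
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def scan_drive(root, min_dirs: int = 2) -> dict:
    """Walk the tree and return {dll_name: sorted list of directories} for every
    DLL basename that appears next to .lnk files in at least min_dirs directories.
    A user data drive rarely needs the same DLL in many folders, so recurrence
    beside shortcuts is the worm-like signal this heuristic keys on."""
    dll_dirs = defaultdict(set)
    for dirpath, _, filenames in os.walk(root):
        lower = {f.lower(): f for f in filenames}
        has_lnk = any(name.endswith(".lnk") for name in lower)
        if not has_lnk:
            continue
        for name, original in lower.items():
            if name.endswith(".dll"):
                dll_dirs[name].add(dirpath)
    return {
        dll: sorted(dirs) for dll, dirs in dll_dirs.items() if len(dirs) >= min_dirs
    }


def run_demo() -> dict:
    """Build the constructed tree, scan it, and return {dll_name: directory count}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        findings = scan_drive(root)
        return {dll: len(dirs) for dll, dirs in findings.items()}


if __name__ == "__main__":
    for dll, count in run_demo().items():
        print(f"suspicious: {dll} found beside .lnk decoys in {count} directories")
```

Point `scan_drive` at a mounted drive letter or mount point to use it on real media; `is_hidden` can be added as an extra weight when running on Windows, since the article notes the dropped copy is hidden. The heuristic is deliberately conservative: a single DLL next to a shortcut (for example a portable application's folder) is not reported, only the same DLL recurring across folders.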

Gamaredon’s C2 strategy involves using domains as proxies for IP addresses. Before contacting a Gamaredon server, the C2 module checks for a C2 configuration file. If absent, it pings one of Gamaredon’s domains to extract the IP, creating a new configuration file. The C2 communication includes a constructed URL and a custom user-agent with details about the infected machine. A fail counter determines the relevant C2 method, such as resolving an embedded domain or connecting to a Telegram backup channel. Upon discovering a payload, LitterDrifter attempts to decode and execute it.

While these methods are not groundbreaking, they undeniably prove effective. LitterDrifter has seen an increase in recent activity, granting Gamaredon sustained access to information in Ukraine. Despite Gamaredon’s focus on Ukraine, the worm’s effectiveness has resulted in its propagation beyond the initial target. Countries like the USA, Vietnam, Chile, Poland, and Germany have reported incidents of infection. This phenomenon is not uncommon for worm malware, highlighting the potency and reach of this type of cyber-attack.
