Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Russia Uses Upgraded USB Worm for Espionage Against Kyiv

'LitterDrifter' Worm Is Designed to Support Large-Scale Collection Operation
Russia Uses Upgraded USB Worm for Espionage Against Kyiv
Gamaredon is using a USB-propagated worm to spy on Ukrainian organizations. (Image: Shutterstock)

A hacking group linked to the Russian domestic intelligence agency the FSB and known as Gamaredon is deploying a worm dubbed "LitterDrifter" that is spread through thumb drives to attack Ukrainian organizations.

See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk

Cybersecurity company Check Point said the worm was designed to support a large-scale cyberespionage operation. "It leverages simple, yet effective techniques to ensure it can reach the widest possible set of targets in the region."

The group, which has been operational since 2013 or 2014 and is also known as Armageddon, consists of regular officers of the FSB and some former law enforcement officers of Ukraine, the Security Service of Ukraine reported in 2021. It has a reputation for persistent campaigns although not necessarily high levels of technical ability (see: Gamaredon Hackers Amplified Hacks Amid Kyiv Counteroffensive).

Check Point echoes that assessment, writing that LitterDrifter "doesn't rely on groundbreaking techniques and may appear to be a relatively unsophisticated piece of malware."

Still, simple can be effective, as is the case with this worm, the researchers wrote.

LitterDrifter has two primary functions: automatic propagation through USB drives and communication with the threat actor's command-and-control servers. The researchers suspect the worm is a variant of a PowerShell-based USB worm likely crafted to reach air-gapped machines, as disclosed by Symantec in June.

The spreader module is written in VBS. It conceals the worm as a hidden file in a USB drive, accompanied by a decoy LNK file with random names. The malware earns its name from the initial orchestration component, trash.dll.

Gamaredon has a unique approach to command and control, using domains as a placeholder for the rotating IP addresses it actually uses to control the worm. LitterDrifter can also connect to a C2 server address extracted from a Telegram channel.

Signs of potential LitterDrifter USB worm infections outside Ukraine have also surfaced, said Check Point, which identified VirusTotal submissions from the United States, Vietnam, Chile, Poland, Germany and Hong Kong.

Gamaredon has been active throughout the year. Ukrainian cyber defenders in July spotted an info-stealer campaign infesting thousands of systems belonging to Ukrainian government agencies.


About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.