Russian cyber espionage group Gamaredon, associated with the Federal Security Service (FSB), has been employing a USB propagating worm named LitterDrifter in attacks targeting Ukrainian entities. Check Point, which detailed Gamaredon’s latest tactics, labeled the group as engaging in large-scale campaigns followed by data collection efforts with espionage goals.
LitterDrifter spreads through connected USB drives and communicates with the threat actor’s command-and-control servers; it is suspected to be an evolution of a PowerShell-based USB worm previously disclosed by Symantec. The worm is designed to support a large-scale collection operation, leveraging simple yet effective techniques to reach a wide range of targets in the region.
The LitterDrifter worm has two main features: automatic spreading via USB drives and communication with the threat actor’s command-and-control servers. For C&C, Gamaredon uses domains as placeholders for IP addresses that are rotated over time rather than hardcoding the addresses themselves, an approach that is unusual among threat actors.
The worm, written in VBS, includes a spreader module for distributing the malware on USB drives. It is named LitterDrifter because of the “trash.dll” component. Check Point also detected signs of possible infections outside Ukraine, including in the U.S., Vietnam, Chile, Poland, Germany, and Hong Kong.
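A defensive check built around the two indicators the article names (VBScript files dropped on removable media and a component called trash.dll). This is an added example, not code from Check Point or the article; the sample drive layout and the extra heuristic of flagging a .dll that lacks a PE header are assumptions.

```python
"""Scan the root of a removable volume for LitterDrifter-style artefacts.

Added example (not Check Point's or the article's code). Indicators taken
from the article: Windows Script Host payloads on the drive and a file
named "trash.dll". The non-PE .dll heuristic and the sample layout are
constructed assumptions for the demonstration.
"""
import tempfile
from pathlib import Path

SCRIPT_SUFFIXES = {".vbs", ".vbe", ".wsf"}   # Windows Script Host payloads
NAMED_COMPONENT = "trash.dll"                # the component the worm is named after


def _looks_like_pe(path: Path) -> bool:
    """A genuine DLL starts with the 'MZ' DOS header; script text does not."""
    with path.open("rb") as fh:
        return fh.read(2) == b"MZ"


def scan_volume(root: Path) -> list[dict]:
    """Return one finding per suspicious file under `root` (recursive)."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        if path.suffix.lower() in SCRIPT_SUFFIXES:
            reasons.append("Windows Script Host payload on removable media")
        if path.name.lower() == NAMED_COMPONENT:
            reasons.append("file name matches the LitterDrifter component")
        if path.suffix.lower() == ".dll" and not _looks_like_pe(path):
            reasons.append(".dll without a PE header (script masquerading as a library)")
        if reasons:
            findings.append({"path": path, "reasons": reasons})
    return findings


def build_constructed_drive() -> Path:
    """Constructed sample USB layout for the demo; not a real capture."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "report.docx").write_bytes(b"PK\x03\x04 placeholder")      # benign
    (root / "legit.dll").write_bytes(b"MZ\x90\x00 placeholder")          # benign PE
    (root / "trash.dll").write_text("' VBScript text stored as .dll\n")  # flagged
    (root / "photos").mkdir()
    (root / "photos" / "open.vbs").write_text("' constructed script\n")  # flagged
    return root


if __name__ == "__main__":
    for finding in scan_volume(build_constructed_drive()):
        print(finding["path"].name, "->", "; ".join(finding["reasons"]))
```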
Gamaredon has been active this year, evolving its attack methods. In July 2023, the group’s rapid data exfiltration capabilities were revealed, with sensitive information transmitted within an hour of the initial compromise. The LitterDrifter worm is part of Gamaredon’s strategy to support large-scale collection operations, employing effective techniques for widespread targeting in the region.
Additionally, Ukraine’s National Cybersecurity Coordination Center (NCSCC) disclosed Russian state-sponsored attacks on European embassies that exploited a recently disclosed WinRAR vulnerability, CVE-2023-38831. The increasingly widespread exploitation of that flaw points to the growing sophistication of Russian intelligence services in weaponising newly published vulnerabilities.