Russian cyber espionage actors affiliated with the Federal Safety Service (FSB) have been noticed utilizing a USB propagating worm referred to as LitterDrifter in assaults focusing on Ukrainian entities.
Examine Level, which detailed Gamaredon’s (aka Aqua Blizzard, Iron Tilden, Primitive Bear, Shuckworm, and Winterflounder) newest techniques, branded the group as participating in large-scale campaigns which can be adopted by “knowledge assortment efforts aimed toward particular targets, whose choice is probably going motivated by espionage targets.”
The LitterDrifter worm packs in two primary options: mechanically spreading the malware through linked USB drives in addition to speaking with the menace actor’s command-and-control (C&C) servers. It is also suspected to be an evolution of a PowerShell-based USB worm that was beforehand disclosed by Symantec in June 2023.
Written in VBS, the spreader module is liable for distributing the worm as a hidden file in a USB drive along with a decoy LNK that is assigned random names. The malware will get its title LitterDrifter owing to the truth that the preliminary orchestration element is known as “trash.dll.”
“Gamaredon’s method in the direction of the C&C is somewhat distinctive, because it makes use of domains as a placeholder for the circulating IP addresses really used as C2 servers,” Examine Level defined.
The cybersecurity agency stated it additionally detected indicators of doable an infection exterior of Ukraine primarily based on VirusTotal submissions from the U.S., Vietnam, Chile, Poland, Germany, and Hong Kong.
Gamaredon has had an energetic presence this 12 months, whereas constantly evolving its assault strategies. In July 2023, the adversary’s fast knowledge exfiltration capabilities got here to gentle, what with the menace actor transmitting delicate data inside an hour of the preliminary compromise.
“It is clear that LitterDrifter was designed to assist a large-scale assortment operation,” the corporate concluded. “It leverages easy, but efficient strategies to make sure it will probably attain the widest doable set of targets within the area.”
The event comes as Ukraine’s Nationwide Cybersecurity Coordination Heart (NCSCC) revealed assaults orchestrated by Russian state-sponsored hackers focusing on embassies throughout Europe, together with Italy, Greece, Romania, and Azerbaijan.
The intrusions, attributed to APT29 (aka BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock, Midnight Blizzard, and The Dukes), contain the exploitation of the just lately disclosed WinRAR vulnerability (CVE-2023-38831) through benign-looking lures that declare to supply BMWs on the market, a theme it has employed up to now.
The assault chain commences with sending victims phishing emails containing a hyperlink to a specifically crafted ZIP file that, when launched, exploits the flaw to retrieve a PowerShell script from a distant server hosted on Ngrok.
“A regarding pattern of exploiting CVE-2023-38831 vulnerability by Russian intelligence companies hacking teams demonstrates its rising recognition and class,” NCSCC stated.
Earlier this week, the Laptop Emergency Response Crew of Ukraine (CERT-UA) unearthed a phishing marketing campaign that propagates malicious RAR archives that masquerades as a PDF doc from the Safety Service of Ukraine (SBU) however, in actuality, is an executable that results in the deployment of Remcos RAT.
CERT-UA is monitoring the exercise beneath the moniker UAC-0050, which was additionally linked to a different spate of cyber assaults aimed toward state authorities within the nation to ship Remcos RAT in February 2023.