8 February 2023

Russia-linked Nodaria APT adds new Graphiron infostealer to its toolkit

A Russia-linked threat actor known as Nodaria (UAC-0056) is using a new infostealer called “Graphiron” to steal data from organizations in Ukraine.

Active since at least March 2021, Nodaria is a relatively new cyber-espionage group that is primarily focused on Ukraine, but has been known to target entities in Kyrgyzstan and Georgia.

The group’s new tool, Graphiron, is written in the Go programming language and is designed to collect a wide range of data from infected systems, including system information, credentials, screenshots, SSH keys, and files.

“The earliest evidence of Graphiron dates from October 2022. It continued to be used until at least mid-January 2023 and it is reasonable to assume that it remains part of the Nodaria toolkit,” Symantec's threat hunter team wrote in a report.

The malware has similar functionality to older Nodaria infostealers such as GraphSteel and GrimPlant, but is able to gather a larger amount of data.

According to Symantec, Graphiron is a two-stage malware consisting of a downloader (Downloader.Graphiron) and a payload (Infostealer.Graphiron).

The downloader contains hardcoded command-and-control (C&C) server addresses. When executed, it checks the list of running processes against a blacklist of malware-analysis tools; only if no blacklisted process is found does it download the payload from its C&C server.

Notably, the downloader is configured to run just once. If it fails to download and install the payload, it makes no further attempts and does not send a heartbeat.

Typically, the group’s malware is delivered via spear-phishing emails. Custom tools used by Nodaria include:

  • Elephant Dropper: A dropper

  • Elephant Downloader: A downloader

  • SaintBot: A downloader

  • OutSteel: Information stealer

  • GrimPlant (aka Elephant Implant): Collects system information and maintains persistence

  • GraphSteel (aka Elephant Client): Information stealer

“While Nodaria was relatively unknown prior to the Russian invasion of Ukraine, the group’s high-level activity over the past year suggests that it is now one of the key players in Russia’s ongoing cyber campaigns against Ukraine,” the report concludes.
