Russian cyberspies target Ukraine with new USB worm

Russian cyber espionage group Gamaredon has launched a large-scale intelligence gathering operation targeting entities in Ukraine that uses a new self-propagating USB worm called LitterDrifter.

Gamaredon, also known as Primitive Bear, Actinium, and Shuckworm, is believed to be a cyber espionage unit of Russia’s Federal Security Service (FSB) focused almost exclusively on Ukrainian targets.

Written in VBS, the LitterDrifter worm comes with two main functionalities: automatic spreading over USB drives, and establishing a command-and-control (C2) channel to Gamaredon’s wide C2 infrastructure. The malware is believed to be the evolution of a PowerShell-based USB worm previously linked to Gamaredon.

The malware implements two modules: a spreader module, which distributes the malware within the infected system and spreads it to other environments, and a C2 module tasked with retrieving a command-and-control server IP address by generating a random subdomain of a built-in C2 domain. It also maintains a backup option to retrieve a C2 IP address from a Telegram channel. Its main purpose is to establish communication with the attacker's C2 server and to execute incoming payloads.
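The C2 resolution pattern described above (a fixed parent domain with a freshly generated random subdomain per lookup) leaves a recognisable trace in DNS telemetry. The following is an added, defender-side example written for this page; it is not code from the Check Point report or from the malware, and the log format, the domain names, the client addresses and the detection thresholds are all constructed assumptions. It parses a handful of constructed DNS query log lines and flags parent domains that receive several distinct, long, high-entropy leftmost labels, which is the shape a random-subdomain C2 lookup produces.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (hypothetical format:
# "<timestamp> <client_ip> <queried_name> <rtype>"). Not real telemetry.
SAMPLE_LOG = """\
2023-11-20T09:00:01Z 10.0.0.12 k3x9qvtp2m.example-c2.test A
2023-11-20T09:00:31Z 10.0.0.12 ab7nd0z3wq.example-c2.test A
2023-11-20T09:01:02Z 10.0.0.12 pq2lm8yz1c.example-c2.test A
2023-11-20T09:01:33Z 10.0.0.12 zr5tk1wn6v.example-c2.test A
2023-11-20T09:01:40Z 10.0.0.17 www.example-news.test A
2023-11-20T09:01:41Z 10.0.0.17 cdn.example-news.test A
2023-11-20T09:02:05Z 10.0.0.12 mail.example-corp.test MX
2023-11-20T09:02:06Z 10.0.0.17 www.example-corp.test A
"""


def shannon_entropy(label):
    """Shannon entropy of a string in bits per character (0.0 for empty)."""
    if not label:
        return 0.0
    n = len(label)
    counts = Counter(label)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_dns_log(text):
    """Parse the constructed log format into (timestamp, client, qname, rtype) tuples.

    Malformed lines (wrong field count) are skipped rather than raising.
    """
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        ts, client, qname, rtype = fields
        records.append((ts, client, qname.lower().rstrip("."), rtype))
    return records


def split_name(qname):
    """Return (leftmost_label, parent_domain) for a queried name.

    Assumption: the parent is the last two labels. A production detector
    would use the public suffix list so that e.g. 'co.uk' is handled correctly.
    """
    labels = qname.split(".")
    if len(labels) < 3:
        return None, qname
    return labels[0], ".".join(labels[-2:])


def find_suspect_parents(records, min_distinct=3, min_len=8, min_entropy=3.0):
    """Group high-entropy leftmost labels by parent domain and return the parents
    that received at least `min_distinct` different ones.

    Thresholds are illustrative assumptions, not values taken from the report.
    Returns {parent_domain: set(of suspicious labels)}.
    """
    candidates = defaultdict(set)
    for _ts, _client, qname, _rtype in records:
        label, parent = split_name(qname)
        if label is None:
            continue
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            candidates[parent].add(label)
    return {p: labels for p, labels in candidates.items() if len(labels) >= min_distinct}


if __name__ == "__main__":
    hits = find_suspect_parents(parse_dns_log(SAMPLE_LOG))
    for parent, labels in hits.items():
        print(f"{parent}: {len(labels)} distinct random-looking subdomains")
```

On the constructed sample only example-c2.test is reported, with four distinct labels, while the ordinary www/cdn/mail lookups under the other domains are ignored. In practice the same grouping should be run per client and baselined against normal traffic, since CDNs and some legitimate services also use long generated hostnames.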

“Gamaredon’s approach towards the C&C is rather unique, as it utilizes domains as a placeholder for the circulating IP addresses actually used as C2 servers,” Check Point researchers wrote in a technical report.

While this Gamaredon campaign appears to target primarily Ukrainian entities, the researchers note that they have observed indications of possible LitterDrifter infections in various countries like the US, Vietnam, Chile, Poland, Germany, and Hong Kong.

“Comprised of two primary components – a spreading module and a C2 module – it’s clear that LitterDrifter was designed to support a large-scale collection operation. It leverages simple, yet effective techniques to ensure it can reach the widest possible set of targets in the region,” the report concludes. “LitterDrifter doesn’t rely on groundbreaking techniques and may appear to be a relatively unsophisticated piece of malware. However, this same simplicity is in line with its goals, mirroring Gamaredon’s overall approach. This method has demonstrated considerable effectiveness, as evidenced by the group’s sustained activities in Ukraine.”

Earlier this year, the Computer Emergency Response Team of Ukraine (CERT-UA) published a technical analysis of Gamaredon attacks against Ukraine, according to which the group may have infected several thousand government computers as part of its operations since the start of Russia’s invasion.