A recently discovered worm that researchers call LitterDrifter has been spreading over USB drives, infecting systems in multiple countries as part of a campaign by the Gamaredon state-sponsored espionage group.
Malware researchers observed indications of compromise in the United States, Ukraine, Germany, Vietnam, Poland, Chile, and Hong Kong, suggesting that the threat group lost control of LitterDrifter, which reached unintended targets.
According to research from Check Point, the malware is written in VBS and was designed to propagate via USB drives, as an evolution of Gamaredon's USB PowerShell worm.
Gamaredon, also known as Shuckworm, Iron Tilden, and Primitive Bear, is a cyber espionage threat group associated with Russia that for at least a decade has targeted organizations in Ukraine across multiple sectors, including government, defense, and critical infrastructure.
LitterDrifter's purpose is to establish communications with the threat group's command and control (C2) server and to spread over USB drives.
To achieve this, the malware uses two separate modules, which are executed by the heavily obfuscated VBS component trash.dll.
LitterDrifter and all its components nest in the user's "Favorites" directory and establish persistence by adding scheduled tasks and registry keys.
The module responsible for propagation to other systems monitors for newly inserted USB drives and creates deceptive LNK shortcuts along with a hidden copy of "trash.dll".
The malware uses the Windows Management Instrumentation (WMI) management framework to identify target drives and creates shortcuts with random names to execute the malicious scripts.
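A defender-side triage check built on the behaviour described above, added here as an example and not taken from the Check Point report: it enumerates removable drives through WMI the same way the text says the worm identifies its targets, then reports hidden .dll files in the drive root and any LNK shortcut whose target is a script host or whose arguments name a script or .dll (the text notes that trash.dll is really a VBS file, so a shortcut feeding a ".dll" to wscript.exe is the tell). The regular expressions and the choice of which hosts count as suspicious are assumptions made for this example.

```powershell
# Added example: triage removable drives for LitterDrifter-style LNK + hidden DLL pairs.
# Assumes it is run locally on the Windows host whose USB drives are to be inspected.
$shell = New-Object -ComObject WScript.Shell

# DriveType 2 = removable disk in Win32_LogicalDisk (same WMI class family the worm relies on)
$removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DriveType = 2" |
    Where-Object { $_.DeviceID }

foreach ($drive in $removable) {
    $root = $drive.DeviceID + '\'
    Write-Host "Checking removable drive $root"

    # -Force includes hidden/system entries, which is where the hidden copy of trash.dll would sit.
    Get-ChildItem -Path $root -File -Force -Filter '*.dll' -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } |
        ForEach-Object {
            Write-Host "  [hidden DLL] $($_.FullName)  ($($_.Length) bytes)"
        }

    # Inspect every shortcut in the drive root and show what it actually launches.
    Get-ChildItem -Path $root -File -Force -Filter '*.lnk' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk     = $shell.CreateShortcut($_.FullName)
            $target  = $lnk.TargetPath
            $lnkArgs = $lnk.Arguments   # avoid $args, which is a PowerShell automatic variable

            # Assumed heuristics: a script host as target, or a script/.dll named in the arguments.
            $hostHit = $target  -match '(?i)\\(wscript|cscript|powershell|cmd)\.exe$'
            $argHit  = $lnkArgs -match '(?i)\.(vbs|vbe|js|dll)\b'

            $tag = if ($hostHit -or $argHit) { '[SUSPICIOUS LNK]' } else { '[lnk]' }
            Write-Host "  $tag $($_.Name) -> $target $lnkArgs"
        }
}
```

Treat a hit as a reason to image the drive and check the user's Favorites directory, scheduled tasks and run keys rather than as a verdict on its own; legitimate shortcuts to cmd.exe or PowerShell do exist on removable media.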
The researchers explain that Gamaredon uses domains as placeholders for the IP addresses where the C2 servers are hosted. In this respect, the threat group has a "fairly unique" approach.
Before trying to contact the C2 server, the malware looks in the temporary folder for a configuration file. If no such file exists, LitterDrifter pings one of Gamaredon's domains using a WMI query.
The response to the query contains the domain's IP address, which is saved to a new configuration file.
Check Point notes that all domains used by the malware are registered under 'REGRU-RU' and use the '.ru' top-level domain, which is consistent with past reports on Gamaredon activity.
The typical lifespan of each IP address that acts as a C2 in LitterDrifter operations is about 28 hours, but the addresses may change several times per day to evade detection and blocking.
The C2 may send additional payloads that LitterDrifter attempts to decode and execute on the compromised system. Check Point clarifies that in most cases no additional payloads were downloaded, which may indicate that the attacks are highly targeted.
As a backup option, the malware can also retrieve the C2 IP address from a Telegram channel.
LitterDrifter is likely part of the first stage of an attack, trying to establish persistence on the compromised system and waiting for the C2 to send new payloads that can further the attack.
The malware is characterized by simplicity and does not rely on novel techniques, but it appears to be effective.
Check Point's report provides hashes for almost two dozen LitterDrifter samples as well as domains associated with Gamaredon's infrastructure.