Gamaredon's LitterDrifter USB malware spreads beyond Ukraine

A recently discovered worm that researchers call LitterDrifter has been spreading over USB drives, infecting systems in multiple countries as part of a campaign by the Gamaredon state-sponsored espionage group.

Malware researchers observed indicators of compromise in the US, Ukraine, Germany, Vietnam, Poland, Chile, and Hong Kong, which suggests that the threat group lost control of LitterDrifter and that the worm reached unintended targets.

LitterDrifter's indicative spread (Check Point)

According to research from Check Point, the malware is written in VBS and was designed to propagate via USB drives, as an evolution of Gamaredon's USB PowerShell worm.

Gamaredon, also known as Shuckworm, Iron Tilden, and Primitive Bear, is a cyber espionage threat group associated with Russia that for at least a decade has targeted organizations in Ukraine across multiple sectors, including government, defense, and critical infrastructure.

LitterDrifter details

LitterDrifter's purpose is to establish communications with the threat group's command and control (C2) server and to spread over USB drives.

To achieve that goal, the malware uses two separate modules, both executed by the heavily obfuscated VBS component trash.dll.

LitterDrifter's execution scheme (Check Point)

LitterDrifter and all its components nest in the user's "Favorites" directory and establish persistence by adding scheduled tasks and registry keys.

The module responsible for propagation to other systems monitors for newly inserted USB drives and creates deceptive LNK shortcuts along with a hidden copy of "trash.dll."

Infecting USB drives (Check Point)

The malware uses the Windows Management Instrumentation (WMI) framework to identify target drives and creates shortcuts with random names to execute malicious scripts.
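The persistence and spreading behaviour described above translates directly into things a responder can check on a host. The following is an added example, not code from Check Point's report or from the malware: a PowerShell hunting script that looks for script files masquerading as .dll in the Favorites folder, scheduled tasks and Run keys that launch a script host or anything under Favorites, and LNK files plus hidden non-PE ".dll" files on removable drives enumerated through WMI, the same interface the spreader uses. The heuristics (the "MZ" header test, the wscript/cscript match, the DriveType filter) are assumptions drawn from the article's description, not published indicators of compromise.

```powershell
# Added example, not code from Check Point's report or from the malware itself:
# a host-hunting script for the LitterDrifter behaviours the article describes
# (components in Favorites, scheduled-task and Run-key persistence, LNK files and
# a hidden "trash.dll" on removable drives found via WMI). The heuristics below
# are assumptions drawn from that description, not published indicators.
# Run in an elevated PowerShell session on the host being examined.

function New-Finding([string]$Category, [string]$Detail) {
    [pscustomobject]@{ Category = $Category; Detail = $Detail }
}

# A real DLL is a PE image and starts with "MZ"; trash.dll is VBS text with a
# .dll extension, so a ".dll" without that header is worth a second look.
function Test-PeHeader([string]$Path) {
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 2
        $n = $fs.Read($buf, 0, 2)
        return ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
    } finally { $fs.Dispose() }
}

function Find-LitterDrifterIndicators {
    $findings   = [System.Collections.Generic.List[object]]::new()
    $favorites  = [Environment]::GetFolderPath('Favorites')
    $scriptHost = 'wscript|cscript'   # hosts that would run a VBS component

    # 1. Script files hiding behind a .dll extension in the user's Favorites folder.
    Get-ChildItem -Path $favorites -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -ieq '.dll' -and -not (Test-PeHeader $_.FullName) } |
        ForEach-Object { $findings.Add((New-Finding 'Favorites' "Non-PE .dll: $($_.FullName)")) }

    # 2. Scheduled tasks whose action runs a script host or anything under Favorites.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match $scriptHost -or $cmd -like "*$favorites*") {
                $findings.Add((New-Finding 'ScheduledTask' "$($task.TaskName): $cmd"))
            }
        }
    }

    # 3. Run keys with the same characteristics.
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath etc. are provider metadata
            $val = "$($p.Value)"
            if ($val -match $scriptHost -or $val -like "*$favorites*") {
                $findings.Add((New-Finding 'RunKey' "$key\$($p.Name) = $val"))
            }
        }
    }

    # 4. Removable drives, enumerated through WMI as the spreader does
    #    (Win32_LogicalDisk DriveType 2 = removable). Flag .lnk files whose target
    #    invokes a script host or a .dll, and hidden ".dll" files that are not PE.
    $shell = New-Object -ComObject WScript.Shell
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $root = $_.DeviceID + '\'
        Get-ChildItem -Path $root -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
            if ($_.Extension -ieq '.lnk') {
                $lnk = $shell.CreateShortcut($_.FullName)
                $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
                if ($cmd -match $scriptHost -or $cmd -match '\.dll') {
                    $findings.Add((New-Finding 'RemovableLnk' "$($_.FullName) -> $cmd"))
                }
            } elseif ($_.Extension -ieq '.dll' -and
                      $_.Attributes.HasFlag([System.IO.FileAttributes]::Hidden) -and
                      -not (Test-PeHeader $_.FullName)) {
                $findings.Add((New-Finding 'RemovableHiddenScript' $_.FullName))
            }
        }
    }

    return $findings
}

$results = Find-LitterDrifterIndicators
if ($results.Count -eq 0) { 'No LitterDrifter-style indicators found.' }
else { $results | Format-Table -AutoSize }
```

The script reports candidates rather than verdicts: a scheduled task that runs cscript is common in legitimate administration, so each finding should be confirmed against the sample hashes and domains Check Point published. Shortcut resolution goes through the WScript.Shell COM object, which reads the LNK without executing its target.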

The spreader module code (Check Point)

The researchers explain that Gamaredon uses domains as placeholders for the IP addresses of its C2 servers. In this respect, the threat group takes a "rather unique" approach.

Before attempting to contact the C2 server, the malware looks in the temporary folder for a configuration file. If no such file exists, LitterDrifter pings one of Gamaredon's domains using a WMI query.

The reply to the query contains the domain's current IP address, which is saved to a new configuration file.

Check Point notes that all domains used by the malware are registered under 'REGRU-RU' and use the '.ru' top-level domain, which is consistent with past reports on Gamaredon activity.

The typical lifespan of each IP address that acts as a C2 in LitterDrifter operations is about 28 hours, but the addresses may change several times per day to evade detection and blocking.

The C2 may send additional payloads that LitterDrifter attempts to decode and execute on the compromised system. Check Point clarifies that in most cases no additional payloads were downloaded, which may indicate that the attacks are highly targeted.

As a backup option, the malware can also retrieve the C2 IP address from a Telegram channel.

LitterDrifter is likely part of the first stage of an attack, establishing persistence on the compromised system and waiting for the C2 to send new payloads that would further the intrusion.

The malware is characterized by simplicity and does not rely on novel techniques, but it appears to be effective.

Check Point's report provides hashes for almost two dozen LitterDrifter samples as well as domains associated with Gamaredon's infrastructure.
