Russian cyber espionage actors linked to the Federal Security Service (FSB) have been identified using a USB-propagating worm named LitterDrifter in targeted attacks against Ukrainian entities, according to cybersecurity company Check Point.

The group, known as Gamaredon (aka Aqua Blizzard, Iron Tilden, Primitive Bear, Shuckworm, and Winterflounder), has been characterized by Check Point as conducting extensive campaigns followed by data collection efforts with espionage motives.

LitterDrifter possesses two primary functionalities: it autonomously spreads malware through connected USB drives and communicates with the threat actor’s command-and-control (C&C) servers. Suspected to be an evolution of a PowerShell-based USB worm disclosed by Symantec in June 2023, the worm’s spreader module, written in VBS, distributes the malware as a hidden file in a USB drive alongside a randomly named decoy LNK. The initial orchestration component is named “trash.dll,” giving rise to the name LitterDrifter.
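As an added defender-side illustration (not Check Point's code or the malware's own), the script below checks a drive root for the layout described above: a decoy .lnk sitting next to a hidden file, plus the "trash.dll" name. The hidden-attribute handling and the matching rules are assumptions for this example, not published detection logic.

```python
import os
import stat
from dataclasses import dataclass


@dataclass
class Entry:
    name: str        # file name as it appears in the drive root
    hidden: bool     # hidden attribute set (dot-prefix stand-in off Windows)
    is_dir: bool = False


def scan_drive_root(root: str) -> list[Entry]:
    """Collect the top-level entries of a mounted drive. On Windows the
    FILE_ATTRIBUTE_HIDDEN bit is read; elsewhere a leading dot is used as
    a stand-in because that attribute does not exist there."""
    entries = []
    for name in os.listdir(root):
        st = os.stat(os.path.join(root, name))
        attrs = getattr(st, "st_file_attributes", 0)
        hidden_bit = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)
        hidden = bool(attrs & hidden_bit) or name.startswith(".")
        entries.append(Entry(name, hidden, stat.S_ISDIR(st.st_mode)))
    return entries


def litterdrifter_indicators(entries: list[Entry]) -> list[str]:
    """Return findings for one drive root; an empty list means no match."""
    findings = []
    files = [e for e in entries if not e.is_dir]
    lnks = [e for e in files if e.name.lower().endswith(".lnk")]
    hidden = [e for e in files if e.hidden and not e.name.lower().endswith(".lnk")]
    if any(e.name.lower() == "trash.dll" for e in files):
        findings.append("orchestration file name 'trash.dll' present")
    if lnks and hidden:
        findings.append(
            f"{len(lnks)} .lnk decoy(s) next to hidden file(s): "
            + ", ".join(e.name for e in hidden))
    return findings


# Constructed listing of a suspicious drive root; not a real infection.
SAMPLE_DRIVE = [
    Entry("Documents.lnk", False),   # randomly named decoy shortcut
    Entry("trash.dll", True),        # hidden payload using the page's name
    Entry("photos", False, True),    # benign directory, ignored
]

if __name__ == "__main__":
    for line in litterdrifter_indicators(SAMPLE_DRIVE):
        print("[!]", line)
```

To inspect a real drive, pass `scan_drive_root("E:\\")` (or a mount point) to `litterdrifter_indicators`.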

Gamaredon takes a unique approach to its C&C infrastructure, using domains as placeholders for the actual IP addresses of the C&C servers. LitterDrifter is also capable of connecting to a C&C server whose address is extracted from a Telegram channel, a tactic employed since at least the beginning of the year.

Check Point noted signs of potential infections beyond Ukraine, with VirusTotal submissions indicating activity in the U.S., Vietnam, Chile, Poland, Germany, and Hong Kong.

Throughout the year, Gamaredon has maintained an active presence, continually evolving its attack methods. In July 2023, the group’s rapid data exfiltration capabilities were highlighted when sensitive information was transmitted within an hour of the initial compromise.

The revelation coincides with Ukraine’s National Cybersecurity Coordination Center (NCSCC) disclosing attacks by Russian state-sponsored hackers targeting European embassies, including those in Italy, Greece, Romania, and Azerbaijan. Attributed to APT29 (aka BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock, Midnight Blizzard, and The Dukes), these intrusions exploited the recently disclosed WinRAR vulnerability (CVE-2023-38831) using lures offering BMWs for sale.

The attack chain involves phishing emails directing victims to a crafted ZIP file exploiting the WinRAR flaw to retrieve a PowerShell script from a remote server on Ngrok.

The NCSCC highlighted the growing popularity and sophistication of Russian intelligence services' exploitation of CVE-2023-38831.

Additionally, Ukraine’s Computer Emergency Response Team (CERT-UA) uncovered a phishing campaign this week utilizing malicious RAR archives posing as a PDF document from the Security Service of Ukraine (SBU). In reality, these archives contain an executable leading to the deployment of the Remcos RAT. CERT-UA is tracking this activity under the moniker UAC-0050, previously linked to cyber attacks targeting state authorities in February 2023 to deliver the Remcos RAT.
