GOING GLOBAL — USB worm unleashed by Russian state hackers spreads worldwide LitterDrifter’s means of self-propagation are simple. So why is it spreading so widely?
Dan Goodin – Nov 22, 2023 12:02 am UTC EnlargeGetty Images reader comments 47 with
A group of Russian-state hackers known for almost exclusively targeting Ukranian entities has branched out in recent months either accidentally or purposely by allowing USB-based espionage malware to infect a variety of organizations in other countries.
The groupknown by many names, including Gamaredon, Primitive Bear, ACTINIUM, Armageddon, and Shuckwormhas been active since at least 2014 and has been attributed to Russias Federal Security Service by the Security Service of Ukraine. Most Kremlin-backed groups take pains to fly under the radar; Gamaredon doesn’t care to. Its espionage-motivated campaigns targeting large numbers of Ukrainian organizations are easy to detect and tie back to the Russian government. The campaigns typically revolve around malware that aims to obtain as much information from targets as possible.
One of those tools is a computer worm designed to spread from computer to computer through USB drives. Tracked by researchers from Check Point Research as LitterDrifter, the malware is written in the Visual Basic Scripting language. LitterDrifter serves two purposes: to promiscuously spread from USB drive to USB drive and to permanently infect the devices that connect to such drives with malware that permanently communicates with Gamaredon-operated command and control servers.
Gamaredon continues to focus on [a] wide variety [of] Ukrainian targets, but due to the nature of the USB worm, we see indications of possible infection in various countries like USA, Vietnam, Chile, Poland and Germany, Check Point researchers reported recently. In addition, weve observed evidence of infections in Hong Kong. All this might indicate that much like other USB worms, LitterDrifter [has] spread beyond its intended targets. Advertisement Enlarge / Virus Total Submissions of LitterDrifterCheck Point Research
The image above, tracking submissions of LitterDrifter to the Alphabet-owned VirusTotal service, indicates that the Gamaredon malware may be infecting targets well outside the borders of Ukraine. VirusTotal submissions usually come from people or organizations that encounter unfamiliar or suspicious-looking software on their networks and want to know if its malicious. The data suggests that the number of infections in the US, Vietnam, Chile, Poland, and Germany combined may be roughly half of those hitting organizations inside Ukraine. Enlarge / The execution flow of LitterDrifter.Check Point Research
Worms are forms of malware that spread without requiring a user to take any action. As self-propagating software, worms are notorious for explosive growth at exponential scales. Stuxnet, the worm created by the US National Security Agency and its counterpart from Israel, has been a cautionary tale for spy agencies. Its creators intended Stuxnet to infect only a relatively small number of Iranian targets participating in that countrys uranium enrichment program. Instead, Stuxnet spread far and wide, infecting an estimated 100,000 computers worldwide. Non-USB-activated worms such as NotPetya and WannaCry have infected even more.
LitterDrifter provides a similar means for spreading far and wide. Check Point researchers explained: The core essence of the Spreader module lies in recursively accessing subfolders in each drive and creating LNK decoy shortcuts, alongside a hidden copy of the trash.dll file. Enlarge / trash.dll is distributed as a hidden file in a USB drive together with a decoy LNK.
Upon execution, the module queries the computers logical drives using Windows Management Instrumentation (WMI), and searches for logical disks with theMediaTypevalue set tonull, a method often used to identify removable USB drives. Enlarge / LitterDrifters spreader component.Check Point Research
For each logical drive detected, the spreader invokes thecreateShortcutsInSubfoldersfunction. Within this function, it iterates the subfolders of a provided folder up to a depth of 2.
For every subfolder, it employs theCreateShortcutfunction as part of the Create LNK action, which is responsible for generating a shortcut with specific attributes. These shortcuts are LNK files that are given random names chosen from an array in the code. This is an example of the lures names from an array in one of the samples that we investigated:(“Bank_acc?unt”, “????????a”, “Bank_acc?unt”, “???????a”, “c?mpromising_evidence”). The LNK files use wscript.exe **** to execute trash.dll with specified arguments” “”trash.dll”” /webm //e:vbScript //b /wm /cal “. In addition to generating the shortcut, the function also creates a hidden copy of trash.dll in the subfolder. Enlarge / The function in the Spreader component used to iterate subfolders.Check Point Research
The techniques described are relatively simple, but as evidenced, theyre plenty effective. So much so that they have allowed it to break out of its previous Ukrainian-only targeting domain to a much bigger realm. People who want to know if theyve been infected can check the Check Point posts indicators of compromise section, which lists file hashes, IP addresses, and domains used by the malware. Advertisement
Comprised of two primary components-a spreading module and a C2 moduleits clear that LitterDrifter was designed to support a large-scale collection operation, Check Point researchers wrote. It leverages simple, yet effective techniques to ensure it can reach the widest possible set of targets in the region. reader comments 47 with Dan Goodin Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Advertisement Channel Ars Technica ← Previous story Related Stories Today on Ars
