Last updated 13 months ago
In a nutshell: USB worms are historically designed to spread wherever they can, hopping onto any removable storage device they find. When cyber-espionage and cyber-warfare enter the fray, this spreading capability can work against the malware's original purpose.
Check Point Research recently discovered and analyzed a new worm with USB spreading capabilities, a seemingly "simpler" piece of malware created by Gamaredon, a well-known group working with the Russian Federal Security Service (FSB). Also known as Primitive Bear, ACTINIUM, and Shuckworm, Gamaredon is an unusual player in the Russian espionage ecosystem, one that focuses almost exclusively on compromising Ukrainian targets.
Check Point said that while other Russian cyber-espionage teams prefer to hide their presence as much as they can, Gamaredon is known for its large-scale campaigns while still focusing on regional targets. LitterDrifter, the group's recently discovered worm, seems to adhere to Gamaredon's usual behavior, as it has likely gone way beyond its original targets.
LitterDrifter is a malicious program written in the much-maligned VBScript language (VBS) with two main functionalities: "automatic" spreading over USB flash drives, and listening for remote commands coming from the creators' command-and-control (C2) servers. The malware appears to be an evolution of Gamaredon's previous efforts with USB propagation, Check Point researchers explained.
LitterDrifter employs two separate modules to achieve its goals, which are executed by a "heavily obfuscated" orchestrator VBS component found in the trash.dll library. The malware tries to establish persistence on Windows systems by adding new scheduled tasks and Registry keys, using the Windows Management Instrumentation (WMI) framework to detect USB targets and create shortcuts with random names.
The worm tries to infect a USB target as soon as the flash drive is connected to the system. After infection, LitterDrifter tries to contact a C2 server hidden behind a network of dynamic IP addresses, which usually last as long as 28 hours. Once a connection has been established, LitterDrifter can download additional payloads, then decode and execute them on the compromised system.
Check Point Research said that no additional payloads were downloaded during the analysis, which means that LitterDrifter is probably the first stage of a more complex, ongoing attack. The majority of LitterDrifter infections were discovered in Ukraine, but the worm was also identified on PCs located in the US, Germany, Vietnam, Chile, and Poland. Gamaredon has likely lost control of its worm, which ultimately spread to unintended targets before the full attack was deployed.
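The article describes a VBS orchestrator stored under the name trash.dll and randomly named shortcuts on infected drives. The triage sketch below is an added example, not Check Point's tooling: it flags a trash.dll in a drive root that lacks the "MZ" header a real DLL would have, and any .lnk whose bytes mention trash.dll. That the shortcuts reference trash.dll is an assumption, and the sample files are constructed, inert stand-ins.

```python
import os
import tempfile

ORCHESTRATOR = "trash.dll"      # file name taken from the article
LNK_MAGIC = b"L\x00\x00\x00"    # HeaderSize 0x4C, first field of every Shell Link file

def is_pe(path):
    """True if the file begins with the 'MZ' magic of a genuine PE/DLL."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"

def lnk_mentions(path, needle):
    """True if a Shell Link file contains needle as ASCII or UTF-16LE text."""
    with open(path, "rb") as fh:
        data = fh.read(1 << 20)
    if not data.startswith(LNK_MAGIC):
        return False
    data, needle = data.lower(), needle.lower()
    return needle.encode("ascii") in data or needle.encode("utf-16-le") in data

def triage_drive(root):
    """Return (file name, reason) pairs for suspicious files in the drive root."""
    findings = []
    with os.scandir(root) as entries:
        for entry in sorted(entries, key=lambda e: e.name):
            if not entry.is_file(follow_symlinks=False):
                continue
            name = entry.name.lower()
            if name == ORCHESTRATOR and not is_pe(entry.path):
                findings.append((entry.name, "dll-without-pe-header"))
            elif name.endswith(".lnk") and lnk_mentions(entry.path, ORCHESTRATOR):
                findings.append((entry.name, "shortcut-references-trash.dll"))
    return findings

def build_sample_drive(root):
    """Write constructed, inert stand-in files that mimic the described layout."""
    samples = {
        "trash.dll": b"' constructed placeholder text, not malware\r\n",
        "Qx7b2.lnk": LNK_MAGIC + b"\x00" * 72 + "trash.dll".encode("utf-16-le"),
        "Report.lnk": LNK_MAGIC + b"\x00" * 72 + "notes.txt".encode("utf-16-le"),
        "driver.dll": b"MZ" + b"\x00" * 62,
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as drive:
        build_sample_drive(drive)
        for name, reason in triage_drive(drive):
            print(f"{name}: {reason}")
```

Point `triage_drive` at the root of a mounted removable drive; a hit is a lead for manual inspection, not a verdict.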