LitterDrifter is a Russian-made USB worm spreading worldwide

A Russian-state hacking group often known as Gamaredon has created a rouge USB worm named LitterDrifter. Distinctive in its deal with Ukraine, Gamaredon has been actively focusing on authorities methods within the area to realize strategic insights. Cyber risk intelligence firm Test Level Analysis has uncovered that LitterDrifter has now unfold its malicious attain to international locations past its meant scope.

Understanding the mechanics of LitterDrifter requires perception into self-propagating worms and their use of USB drives. One of these malware possesses the flexibility to unfold autonomously from one pc to a different with out human intervention. LitterDrifter, written in Visible Fundamental, operates with two main capabilities: unfold itself to drives and set up a connection to a command and management (C2) server.

The malware’s performance is discreetly embedded inside a file labeled “trash.dll,” a seemingly harmless working system file. This file homes a foremost operate and two modules: a spreader and a C2 module. To evade detection by safety instruments, the malicious code is obfuscated, with the primary operate chargeable for deobfuscating the code and triggering its execution.

LitterDrifter, a USB worm created in Russia, has prolonged its attain past Ukraine

The spreader module operates by recursively accessing subfolders in every drive, creating LNK decoy shortcuts, and distributing a hidden copy of the “trash.dll” file. The malware makes use of LNK recordsdata as decoy shortcuts to trick customers into executing the malicious payload (“trash.dll”). Using Windows Administration Instrumentation (WMI), the module identifies detachable USB drives, enabling the worm to propagate. The spreader generates extra decoy LNK recordsdata with random names for every detected logical drive and executes the malicious “trash.dll” payload.

Gamaredon’s C&C technique entails utilizing domains as proxies for IP addresses. Earlier than contacting a Gamaredon server, the C2 module checks for a C2 configuration file. If absent, it pings considered one of Gamaredon’s domains to extract the IP, creating a brand new configuration file. The C2 communication features a constructed URL and a customized user-agent with particulars in regards to the contaminated machine. A fail counter determines the related C2 technique, equivalent to resolving an embedded area or connecting to a Telegram backup channel. Upon discovering a payload, LitterDrifter makes an attempt to decode and execute it.

Whereas these strategies are usually not groundbreaking, they undeniably show efficient. LitterDrifter has seen a rise in current exercise, granting Gamaredon sustained entry to info in Ukraine. Regardless of Gamaredon’s deal with Ukraine, the worm’s effectiveness has resulted in its propagation past the preliminary goal. International locations just like the USA, Vietnam, Chile, Poland, and Germany have reported incidents of an infection. This phenomenon isn’t unusual for worm malware, highlighting the efficiency and attain of the sort of cyber-attack.