A Russian state-affiliated hacker group, with aliases including Gamaredon, Primitive Bear, ACTINIUM, Armageddon, and Shuckworm, has expanded its cyber espionage efforts beyond Ukraine. According to Computing, this expansion is marked by the global spread of a USB-based malware called LitterDrifter.
Historically associated with Russia’s Federal Security Service by Ukraine’s Security Service, Gamaredon has been active since 2014. Their operations mainly targeted Ukrainian organizations to gather comprehensive data using various malware tools, including LitterDrifter, a noteworthy example. This specific malware is a computer worm developed in Visual Basic Scripting language.
The mechanics of LitterDrifter’s spread
LitterDrifter’s primary propagation involves spreading through USB drives, leading to the persistent infection of devices. These infected devices then communicate with servers controlled by Gamaredon. Check Point Research has observed that LitterDrifter has spread to several countries, including the USA, Vietnam, Chile, Poland, Germany, and Hong Kong.
LitterDrifter replicates rapidly, a characteristic typical of computer worms. Its self-replicating nature is similar to significant cyber threats like Stuxnet, but its USB-based activation sets it apart, similar to worms like NotPetya and WannaCry.
The spreading mechanism of LitterDrifter entails creating deceptive shortcut files (LNK) and hidden instances of a file named “trash.dll” on removable USB drives. It uses Windows Management Instrumentation to scan a computer’s logical drives, targeting removable USB drives with a null MediaType value. The worm then infiltrates subfolders on these drives, generating shortcuts that aid in disseminating the malware.
LitterDrifter’s global spread indicates a concerning escalation in cyber espionage capabilities, underscoring the ongoing threat posed by state-affiliated hacking groups. The ease with which this malware spreads via USB drives emphasizes the importance of robust cybersecurity practices and awareness, particularly for organizations handling sensitive data. As cyber threats continue to evolve, staying ahead of such risks is crucial for maintaining global cybersecurity integrity.
