The Russian cyber espionage group Gamaredon, attributed to Russia’s Federal Security Service (FSB), has been observed using a worm called LitterDrifter that spreads through USB devices in attacks targeting Ukrainian entities. The worm marks an evolution in the tradecraft of a group known for large-scale campaigns followed by efforts to collect data from targets of interest, most likely for espionage.


LitterDrifter stands out for two main capabilities: it spreads automatically via connected USB drives, and it communicates with the threat actor’s command and control (C&C) servers. It is suspected to be an evolution of a PowerShell-based USB worm that Symantec disclosed in June 2023. The worm is written in VBScript; its propagation module copies the worm to a USB drive as a hidden file, accompanied by a decoy LNK shortcut, both under random names.

Gamaredon’s approach to its C&C infrastructure is rather unusual: the domains serve as placeholders for the rotating IP addresses that are actually used as C2 servers. LitterDrifter can also retrieve a C&C address from a Telegram channel, a tactic the group has employed repeatedly since the beginning of the year. Check Point Research, which analyzed the worm, found signs of possible infections outside Ukraine in VirusTotal submissions from the United States, Vietnam, Chile, Poland, Germany, and Hong Kong.
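The placeholder-domain pattern described above leaves a specific trace: a DNS lookup of a throwaway domain, followed within seconds by an HTTP request addressed to the returned IP rather than to a hostname, while the same domain keeps resolving to different IPs over time. The script below is an added example, not tooling from the report; it correlates a resolver log with a proxy log to surface that pattern. The log lines, the five-minute window and the `TRUSTED_SUFFIXES` allowlist are all constructed assumptions.

```python
"""Correlate DNS answers with follow-on connections to bare IPs.

Added example: the report says Gamaredon's domains are placeholders for the
rotating IPs that do the real C2 work, so the observable is a lookup of a
low-reputation domain followed shortly by a request to the returned IP with
no hostname.  All log lines and the allowlist below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log: "<iso-time> <client> <qname> <answer-ip>"
DNS_LOG = """\
2023-11-20T09:00:01 10.0.0.7 ozaharso.ru 198.51.100.23
2023-11-20T09:00:04 10.0.0.7 www.example.com 93.184.216.34
2023-11-20T09:30:12 10.0.0.7 ozaharso.ru 203.0.113.77
2023-11-20T10:02:45 10.0.0.9 cdn.example.org 192.0.2.10
"""

# Constructed proxy log: "<iso-time> <client> <host-field> <url>"
PROXY_LOG = """\
2023-11-20T09:00:03 10.0.0.7 198.51.100.23 http://198.51.100.23/a1b2c3/
2023-11-20T09:00:05 10.0.0.7 www.example.com https://www.example.com/
2023-11-20T09:30:15 10.0.0.7 203.0.113.77 http://203.0.113.77/d4e5f6/
2023-11-20T10:02:50 10.0.0.9 192.0.2.10 http://192.0.2.10/pkg/
2023-11-20T11:00:00 10.0.0.9 192.0.2.10 http://192.0.2.10/pkg/
"""

WINDOW = timedelta(minutes=5)        # assumed maximum lookup-to-connect gap
TRUSTED_SUFFIXES = ("example.org",)  # hypothetical allowlist of CDNs that legitimately get bare-IP requests


def _is_ipv4(s):
    parts = s.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def _trusted(qname):
    return any(qname == s or qname.endswith("." + s) for s in TRUSTED_SUFFIXES)


def _parse(log):
    for line in log.splitlines():
        ts, client, a, b = line.split()
        yield datetime.fromisoformat(ts), client, a, b


def rotating_domains(dns_log):
    """Domains that resolved to more than one IP within the log: the 'placeholder' behaviour."""
    seen = defaultdict(set)
    for _, _, qname, ip in _parse(dns_log):
        seen[qname].add(ip)
    return {q: ips for q, ips in seen.items() if len(ips) > 1}


def find_placeholder_c2(dns_log, proxy_log, window=WINDOW):
    """Bare-IP requests whose destination was handed to the same client by a recent DNS answer."""
    answers = defaultdict(list)  # (client, ip) -> [(answer_time, qname), ...]
    for ts, client, qname, ip in _parse(dns_log):
        if not _trusted(qname):
            answers[(client, ip)].append((ts, qname))
    hits = []
    for ts, client, host, url in _parse(proxy_log):
        if not _is_ipv4(host):
            continue  # the request named a host; not this pattern
        for rts, qname in answers.get((client, host), []):
            if timedelta(0) <= ts - rts <= window:
                hits.append({"client": client, "ip": host, "domain": qname, "url": url})
                break
    return hits


if __name__ == "__main__":
    for hit in find_placeholder_c2(DNS_LOG, PROXY_LOG):
        print(hit)
    print(rotating_domains(DNS_LOG))
```

On the constructed logs the two `ozaharso.ru` answers are each followed by a bare-IP request from the same host and are reported; the `cdn.example.org` case is suppressed by the allowlist, and the 11:00 request has no recent lookup behind it. Without an allowlist this heuristic will fire on any CDN or update service that hands out IPs for direct use, so tune `TRUSTED_SUFFIXES` to your environment before alerting on it.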

Gamaredon has been highly active this year, continuously evolving its attack methods. In July 2023, the adversary’s rapid data exfiltration came to light, with sensitive information transferred within an hour of the initial compromise. “It’s clear that the LitterDrifter worm is designed to support a large-scale collection operation, and Gamaredon is an active part of it,” Check Point concluded. “It leverages simple yet effective techniques to target the widest possible range of objectives in the region.”


ATT&CK Techniques

Domain | ID | Name | Use
Enterprise | T1583.001 | Acquire Infrastructure: Domains | Gamaredon Group has registered multiple domains to facilitate payload staging and C2.
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Gamaredon Group has used HTTP and HTTPS for C2 communications.
Enterprise | T1119 | Automated Collection | Gamaredon Group has deployed scripts on compromised systems that automatically scan for interesting documents.
Enterprise | T1020 | Automated Exfiltration | Gamaredon Group has used modules that automatically upload gathered documents to the C2 server.
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Gamaredon Group tools have registered Run keys in the registry to give malicious VBS files persistence.
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Gamaredon Group has used obfuscated PowerShell scripts for staging.
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Gamaredon Group has used various batch scripts to establish C2 and download additional files. Gamaredon Group’s backdoor malware has also been written to a batch file.
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Gamaredon Group has embedded malicious macros in document templates, which executed VBScript. Gamaredon Group has also delivered Microsoft Outlook VBA projects with embedded macros.
Enterprise | T1485 | Data Destruction | Gamaredon Group has used tools to delete files and folders from victims’ desktops and profiles.
Enterprise | T1005 | Data from Local System | Gamaredon Group has collected files from infected systems and uploaded them to a C2 server.
Enterprise | T1039 | Data from Network Shared Drive | Gamaredon Group malware has collected Microsoft Office documents from mapped network drives.
Enterprise | T1025 | Data from Removable Media | A Gamaredon Group file stealer has the capability to steal data from newly connected logical volumes on a system, including USB drives.
Enterprise | T1491.001 | Defacement: Internal Defacement | Gamaredon Group has left taunting images and messages on the victims’ desktops as proof of system access.
Enterprise | T1140 | Deobfuscate/Decode Files or Information | Gamaredon Group tools decrypted additional payloads from the C2. Gamaredon Group has also decoded base64-encoded source code of a downloader.
Enterprise | T1568 | Dynamic Resolution | Gamaredon Group has incorporated dynamic DNS domains in its infrastructure.
Enterprise | T1041 | Exfiltration Over C2 Channel | A Gamaredon Group file stealer can transfer collected files to a hardcoded C2 server.
Enterprise | T1083 | File and Directory Discovery | Gamaredon Group macros can scan for Microsoft Word and Excel files to inject with additional malicious macros. Gamaredon Group has also used its backdoors to automatically list interesting files (such as Office documents) found on a system.
Enterprise | T1564.003 | Hide Artifacts: Hidden Window | Gamaredon Group has used hidcon to run batch files in a hidden console window.
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Gamaredon Group has delivered macros which can tamper with Microsoft Office security settings.
Enterprise | T1070.004 | Indicator Removal: File Deletion | Gamaredon Group tools can delete files used during an operation.
Enterprise | T1105 | Ingress Tool Transfer | Gamaredon Group has downloaded additional malware and tools onto a compromised host.
Enterprise | T1559.001 | Inter-Process Communication: Component Object Model | Gamaredon Group malware can insert malicious macros into documents using a Microsoft.Office.Interop object.
Enterprise | T1534 | Internal Spearphishing | Gamaredon Group has used an Outlook VBA module on infected systems to send phishing emails with malicious attachments to other employees within the organization.
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Gamaredon Group has used legitimate-looking process names to hide malware, including svchosst.
Enterprise | T1112 | Modify Registry | Gamaredon Group has removed security settings for VBA macro execution by changing the registry values HKCU\Software\Microsoft\Office\<version>\<product>\Security\VBAWarnings and HKCU\Software\Microsoft\Office\<version>\<product>\Security\AccessVBOM.
Enterprise | T1106 | Native API | Gamaredon Group malware has used CreateProcess to launch additional malicious components.
Enterprise | T1027 | Obfuscated Files or Information | Gamaredon Group has delivered self-extracting 7z archive files within malicious document attachments.
Enterprise | T1027.001 | Binary Padding | Gamaredon Group has obfuscated .NET executables by inserting junk code.
Enterprise | T1027.004 | Compile After Delivery | Gamaredon Group has compiled the source code for a downloader directly on the infected system using the built-in Microsoft.CSharp.CSharpCodeProvider class.
Enterprise | T1027.010 | Command Obfuscation | Gamaredon Group has used obfuscated or encrypted scripts.
Enterprise | T1137 | Office Application Startup | Gamaredon Group has inserted malicious macros into existing documents, providing persistence when they are reopened. Gamaredon Group has loaded the group’s previously delivered VBA project by relaunching Microsoft Outlook with the /altvba option, once the Application.Startup event is received.
Enterprise | T1120 | Peripheral Device Discovery | Gamaredon Group tools have contained an application to check performance of USB flash drives. Gamaredon Group has also used malware to scan for removable drives.
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Gamaredon Group has delivered spearphishing emails with malicious attachments to targets.
Enterprise | T1057 | Process Discovery | Gamaredon Group has used tools to enumerate processes on target hosts, including Process Explorer.
Enterprise | T1021.005 | Remote Services: VNC | Gamaredon Group has used VNC tools, including UltraVNC, to remotely interact with compromised hosts.
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Gamaredon Group has created scheduled tasks to launch executables after a designated number of minutes have passed.
Enterprise | T1113 | Screen Capture | Gamaredon Group’s malware can take screenshots of the compromised computer every minute.
Enterprise | T1608.001 | Stage Capabilities: Upload Malware | Gamaredon Group has registered domains to stage payloads.
Enterprise | T1218.005 | System Binary Proxy Execution: Mshta | Gamaredon Group has used mshta.exe to execute malicious HTA files.
Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | Gamaredon Group malware has used rundll32 to launch additional malicious components.
Enterprise | T1082 | System Information Discovery | A Gamaredon Group file stealer can gather the victim’s computer name and drive serial numbers to send to a C2 server.
Enterprise | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery | Gamaredon Group has tested connectivity between a compromised machine and a C2 server using Ping, with commands such as CSIDL_SYSTEM\cmd.exe /c ping -n 1.
Enterprise | T1033 | System Owner/User Discovery | A Gamaredon Group file stealer can gather the victim’s username to send to a C2 server.
Enterprise | T1080 | Taint Shared Content | Gamaredon Group has injected malicious macros into all Word and Excel documents on mapped network drives.
Enterprise | T1221 | Template Injection | Gamaredon Group has used DOCX files to download malicious DOT document templates and has used RTF template injection to download malicious payloads. Gamaredon Group can also inject malicious macros or remote templates into documents already present on compromised systems.
Enterprise | T1204.002 | User Execution: Malicious File | Gamaredon Group has attempted to get users to click on Office attachments with malicious macros embedded.
Enterprise | T1102 | Web Service | Gamaredon Group has used GitHub repositories for downloaders, which are obtained by the group’s .NET executable on the compromised system.
Enterprise | T1047 | Windows Management Instrumentation | Gamaredon Group has used WMI to execute scripts used for discovery.
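Two of the techniques in the table leave durable registry artifacts that can be triaged from a plain `reg export`: Run-key persistence for a VBScript (T1547.001) and the weakened `VBAWarnings` / `AccessVBOM` values under the Office `Security` keys (T1112). The script below is an added example and not tooling from the report or from MITRE; the `.reg` text is constructed (the `Updater` value is an invented stand-in for a Run key that launches a script from a user-writable directory), and the regexes are heuristics of my own.

```python
"""Triage a .reg export for Run-key script persistence (T1547.001) and
weakened Office macro settings (T1112).  Added example with constructed input.
"""
import re

# Constructed "reg export" output. "Updater" is an invented Run value that
# launches a VBScript out of %TEMP%; "OneDrive" is there as a benign control.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="wscript.exe //b //e:VBScript \"C:\\Users\\user\\AppData\\Local\\Temp\\sync.vbs\""

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000001
"AccessVBOM"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security]
"VBAWarnings"=dword:00000002
"""

RUN_KEY_SUFFIXES = (r"\microsoft\windows\currentversion\run",
                    r"\microsoft\windows\currentversion\runonce")
OFFICE_SECURITY = re.compile(r"\\Software\\Microsoft\\Office\\[\d.]+\\(\w+)\\Security$", re.I)
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|mshta)(\.exe)?\b", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta)\b", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg string escapes: \\ -> \ and \" -> "


def parse_reg(text):
    """Return {key_path: {value_name: value}} for REG_SZ and REG_DWORD values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if not m:
                continue  # header, blank line, or default (@=) value
            name, data = _unescape(m.group(1)), m.group(2)
            if data.startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                keys[current][name] = _unescape(data[1:-1])
            else:
                keys[current][name] = data  # hex(...) blobs are left as-is
    return keys


def triage(reg_text):
    """Flag script-host Run entries and Office keys that disable macro protection."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if key.lower().endswith(RUN_KEY_SUFFIXES):
            for name, cmd in values.items():
                cmd = str(cmd)
                if SCRIPT_HOST.search(cmd) or SCRIPT_EXT.search(cmd):
                    findings.append({"technique": "T1547.001", "key": key, "value": name,
                                     "detail": cmd,
                                     "user_writable": bool(USER_WRITABLE.search(cmd))})
        m = OFFICE_SECURITY.search(key)
        if m:
            app = m.group(1)
            if values.get("VBAWarnings") == 1:  # 1 = enable all macros, no prompt
                findings.append({"technique": "T1112", "key": key, "value": "VBAWarnings",
                                 "detail": f"{app}: all macros enabled without notification"})
            if values.get("AccessVBOM") == 1:  # 1 = trust access to the VBA project object model
                findings.append({"technique": "T1112", "key": key, "value": "AccessVBOM",
                                 "detail": f"{app}: macros may read and write other VBA projects"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REG):
        print(f["technique"], f["key"], f["value"], "->", f["detail"])
```

On the constructed export this reports the `Updater` Run value (script host, user-writable path) and both weakened Word settings, while Excel's `VBAWarnings` of 2 (disable with notification, the default) and the OneDrive entry pass. Two caveats: `AccessVBOM` is what lets a macro write macros into other documents, so it is the setting behind the T1080 and T1137 behaviour in the table as much as a T1112 artifact; and Office honours the policy hive (`Software\Policies\Microsoft\Office\...`) over these user keys, so an export of only HKCU does not tell you the effective setting.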

Indicators of Compromise

MD5 hashes

cbeaedfa84b02a2bd41a70fa92a46c36
6349dd85d9549f333117a84946972d06
2239800bfc8fdfddf78229f2eb8a7b95
42bc36d5debc21dff3559870ff300c4e
4c2431e5f868228c1f286fca1033d221
1536ec56d69cc7e9aebb8fbd0d3277c4
49d1f9ce1d0f6dfa94ad9b0548384b3a
83500309a878370722bc40c7b83e83e3
8096dfaa954113242011e0d7aaaebffd
bbb464b327ad259ad5de7ce3e85a4081
cdae1c55ec154cd6cef4954519564c01
2996a70d09fff69f209051ce75a9b4f8
9d9851d672293dfd8354081fd0263c13
96db6240acb1a3fca8add7c4f9472aa5
1c49d04fc0eb8c9de9f2f6d661826d24
88aba3f2d526b0ba3db9bc3dfee7db39
86d28664fc7332eafb788a44ac82a5ed
1da0bf901ae15a9a8aef89243516c818
579f1883cdfd8534167e773341e27990
495b118d11ceae029d186ffdbb157614

Domains

ozaharso[.]ru
nubiumbi[.]ru
acaenaso[.]ru
atonpi[.]ru
suizibel[.]ru
dakareypa[.]ru
ahmozpi[.]ru
nebtoizi[.]ru
squeamish[.]ru
nahtizi[.]ru
crisiumbi[.]ru
arabianos[.]ru
gayado[.]ru
quyenzo[.]ru
credomched[.]ru
lestemps[.]ru
urdevont[.]ru
hoanzo[.]ru
absorbeni[.]ru
aethionemaso[.]ru
aychobanpo[.]ru
ayzakpo[.]ru
badrupi[.]ru
barakapi[.]ru
boskatrem[.]ru
brudimar[.]ru
decorous[.]ru
dumerilipi[.]ru
heartbreaking[.]ru
judicious[.]ru
karoanpa[.]ru
lamentable[.]ru
procellarumbi[.]ru
ragibpo[.]ru
raidla[.]ru
ramizla[.]ru
samiseto[.]ru
superficial[.]ru
talehgi[.]ru
undesirable[.]ru
valefgo[.]ru
vasifgo[.]ru
vilaverde[.]ru
vloperang[.]ru
zerodems[.]ru
geminiso[.]ru
sabirpo[.]ru
andamanos[.]ru
triticumos[.]ru
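The list above mixes MD5 hashes with defanged domains, and several domains appear more than once, so before any of it is fed into a DNS or EDR search it needs refanging, classification and de-duplication, and domain matching has to respect label boundaries (a lookup for `mail.ozaharso.ru` should match, `ozaharso.ru.example.com` should not). The loader and matcher below are an added example, not tooling from the report; `IOC_TEXT` is a short excerpt of the indicator list and `EVENTS` are constructed telemetry records.

```python
"""Load, normalise and match the indicators in the list above.

Added example with constructed telemetry.  The refang step undoes the
"[.]" and "hxxp" defanging used in reports; the domain matcher walks
parent domains label by label rather than doing a substring search.
"""
import re

# Short excerpt of the page's IOC list, in the mixed form it is published in.
IOC_TEXT = """\
HASH/Domain
cbeaedfa84b02a2bd41a70fa92a46c36
6349dd85d9549f333117a84946972d06
ozaharso[.]ru
nubiumbi[.]ru
vilaverde[.]ru
vilaverde[.]ru
"""

# Constructed telemetry: (source, observed value)
EVENTS = [
    ("dns", "mail.ozaharso.ru"),                   # subdomain of an IOC: should match
    ("dns", "ozaharso.ru.example.com"),            # IOC only as a prefix: must not match
    ("dns", "www.example.com"),
    ("md5", "CBEAEDFA84B02A2BD41A70FA92A46C36"),   # same hash, different case
    ("md5", "00000000000000000000000000000000"),
]

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def refang(s):
    """Turn the defanged forms used in reports back into matchable strings."""
    s = s.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s)


def defang(domain):
    """Re-defang for output so a reported hit never becomes a clickable link."""
    return domain.replace(".", "[.]")


def load_iocs(text):
    """Classify each line as md5 or domain; headers and junk are skipped, duplicates collapse."""
    iocs = {"md5": set(), "domain": set()}
    for line in text.splitlines():
        item = refang(line)
        if MD5_RE.match(item):
            iocs["md5"].add(item)
        elif DOMAIN_RE.match(item):
            iocs["domain"].add(item.rstrip("."))
    return iocs


def match_domain(qname, domains):
    """Exact or parent-domain match on label boundaries; returns the matching IOC or None."""
    labels = refang(qname).rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan(events, iocs):
    hits = []
    for source, value in events:
        if source == "md5" and value.strip().lower() in iocs["md5"]:
            hits.append({"source": source, "observed": value, "ioc": value.strip().lower()})
        elif source == "dns":
            m = match_domain(value, iocs["domain"])
            if m:
                hits.append({"source": source, "observed": value, "ioc": defang(m)})
    return hits


if __name__ == "__main__":
    iocs = load_iocs(IOC_TEXT)
    print(f"{len(iocs['md5'])} hashes, {len(iocs['domain'])} unique domains")
    for hit in scan(EVENTS, iocs):
        print(hit)
```

The hashes are MD5, which is fine for exact-match lookups against the samples the report describes but is trivially changed by recompiling or repacking; given that LitterDrifter is a script that is copied around with random names, the domains and the behavioural patterns in the table will outlive the hashes.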