Cyber-espionage actors linked to Russia's Federal Security Service (FSB) have been observed using the USB-propagating worm LitterDrifter in attacks against organizations in Ukraine.
Gamaredon, also tracked as Aqua Blizzard, Iron Tilden, Primitive Bear, Shuckworm, and Winterflounder, was described by Check Point as a group that runs large-scale campaigns followed by "data collection efforts directed at specific targets, likely motivated by espionage objectives."
The two main features of the LitterDrifter worm are its ability to communicate with the threat actor's command-and-control (C&C) servers and to propagate on its own via connected USB sticks. It is also thought to be an evolution of a PowerShell-based USB worm that Symantec first documented in June 2023.
The spreader module, written in VBS, handles propagation by placing a hidden file on the USB stick alongside a decoy LNK file with an arbitrary name. The worm is named "LitterDrifter" because its initial orchestration file is called "trash.dll."
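The propagation pattern above (a decoy LNK on removable media that launches a script host against a hidden file) is something a responder can triage directly from the stick or a forensic image of it. The following Python script is an added example written for this page, not code from the article, Check Point, or Symantec. It parses the StringData fields of a Shell Link file using the field layout published in Microsoft's MS-SHLLINK specification and applies a few generic heuristics (script host invoked, script host handed a file without a script extension, silent-mode switch). The sample LNK bytes are constructed in the block, and the file names inside them are placeholders; the script makes no claim about LitterDrifter's actual command line beyond what the article states.

```python
"""Triage of Shell Link (.lnk) decoys on removable media.

Added example for this page, not the article's or Check Point's code.
Field offsets follow the public MS-SHLLINK layout; the heuristics and
the sample LNK bytes are constructed here, and the file names in the
sample are placeholders rather than indicators from any report.
"""
import struct
from pathlib import Path

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
# StringData entries appear in this fixed order when their flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
SCRIPT_HOSTS = ("wscript", "cscript", "mshta", "powershell")
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".hta", ".bat", ".cmd"}


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file as a dict, or raise ValueError."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (u16) followed by IDList bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize (u32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        size = count * 2 if unicode else count
        fields[key] = data[pos:pos + size].decode("utf-16-le" if unicode else "cp1252", "replace")
        pos += size
    return fields


def triage_lnk(fields: dict) -> list:
    """Heuristic findings for one parsed LNK; an empty list means nothing flagged."""
    cmdline = " ".join(fields.get(k, "") for k in ("relative_path", "arguments")).lower()
    findings = []
    host = next((h for h in SCRIPT_HOSTS if h in cmdline), None)
    if host is None:
        return findings
    findings.append(f"launches script host '{host}'")
    # A script host handed a file without a script extension (e.g. .dll) means the
    # engine is being selected by a switch rather than by the file's extension.
    for token in fields.get("arguments", "").replace('"', " ").split():
        suffix = Path(token).suffix.lower()
        if suffix and suffix not in SCRIPT_EXTS and not token.startswith(("/", "-")):
            findings.append(f"script host pointed at non-script file '{token}'")
    if "//b" in cmdline or " /b " in f" {cmdline} ":
        findings.append("batch/silent mode switch suppresses visible errors")
    return findings


def scan_removable_root(root: Path) -> dict:
    """Walk a mounted stick (or image mount) and triage every .lnk found on it."""
    report = {}
    for lnk in root.rglob("*.lnk"):
        try:
            findings = triage_lnk(parse_lnk(lnk.read_bytes()))
        except ValueError as err:
            findings = [f"unparseable: {err}"]
        if findings:
            report[str(lnk.relative_to(root))] = findings
    return report


def build_sample_lnk(name: str, relative_path: str, arguments: str) -> bytes:
    """Constructed test fixture: a minimal Unicode LNK carrying only StringData."""
    flags = HAS_NAME | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    header += bytes(HEADER_SIZE - len(header))   # attributes, timestamps, etc. zeroed
    body = b""
    for text in (name, relative_path, arguments):
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


if __name__ == "__main__":
    # Placeholder names, constructed for illustration only.
    decoy = build_sample_lnk("Documents", r"..\..\Windows\System32\wscript.exe",
                             r'//e:vbscript //b "hidden_loader.dll"')
    print(parse_lnk(decoy))
    print(triage_lnk(parse_lnk(decoy)))
```

Run it against a mounted stick with `scan_removable_root(Path("/mnt/usb"))` to get a per-file list of findings; anything flagged is worth pairing with a look for hidden files in the same directory, which is the other half of the pattern the article describes.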
Check Point explained that Gamaredon uses an unusual method for its command-and-control (C&C) activity, using domains as placeholders for the actual IP addresses that serve as C2 servers.
Furthermore, LitterDrifter can retrieve a C&C server address from a Telegram channel, a tactic the group has used continuously since the start of the year.
The cybersecurity company said it also found indications of possible infections outside Ukraine, based on VirusTotal submissions from the United States, Vietnam, Chile, Poland, Germany, and Hong Kong.
Gamaredon has remained active throughout the year, steadily refining its offensive tradecraft. The adversary's rapid data exfiltration capability came to light in July 2023, when the threat actor transferred sensitive data within an hour of the initial compromise.
The company concluded that LitterDrifter was purpose-built to support a large-scale data-gathering operation, relying on simple but effective techniques to achieve broad reach among targets in the region.