LitterDrifter Linked to Russian Cybercrime Group

Russian cyber espionage actors linked to the Federal Security Service (FSB) have been observed employing a USB-propagating worm named LitterDrifter in attacks directed at Ukrainian entities. Check Point, which outlined the recent tactics of the group known as Gamaredon (also referred to as Aqua Blizzard, Iron Tilden, Primitive Bear, Shuckworm, and Winterflounder), characterized them as conducting extensive campaigns followed by targeted data collection efforts, likely driven by espionage objectives.
The LitterDrifter worm has two primary functions: automatically spreading the malware through connected USB drives and communicating with the threat actor's command-and-control (C&C) servers. It is believed to be an evolution of a PowerShell-based USB worm disclosed by Symantec in June 2023.
LitterDrifter in Detail
Developed in VBS, the spreader module is responsible for disseminating the worm as a concealed file in a USB drive alongside a decoy LNK file with random names. The name "LitterDrifter" is derived from the initial orchestration component named "trash.dll."
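A defender-side triage check for the spreader behaviour described above, added here as an example and not code from Check Point or the article: it walks a removable drive and flags any folder where a hidden script file sits next to one or more LNK files. The set of script extensions and the sample drive layout are assumptions constructed for this example.

```python
"""Triage a removable-drive tree for LitterDrifter-style artefacts.

Heuristic (assumption based on the public description): a hidden script
file in the same folder as one or more .lnk files. Benign LNK shortcuts on
their own are not flagged.
"""
import os
import stat
import tempfile
from pathlib import Path

# Assumption: script types worth flagging on removable media
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".ps1"}


def is_hidden(path: Path) -> bool:
    """Hidden by dot-prefix (POSIX) or by the Windows HIDDEN attribute."""
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def scan_drive(root) -> list[dict]:
    """Return one finding per directory holding a hidden script and a .lnk."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        folder = Path(dirpath)
        lnks = sorted(f for f in files if f.lower().endswith(".lnk"))
        hidden_scripts = sorted(
            f for f in files
            if Path(f).suffix.lower() in SCRIPT_EXTS and is_hidden(folder / f)
        )
        if lnks and hidden_scripts:
            findings.append({"dir": str(folder), "scripts": hidden_scripts, "lnks": lnks})
    return findings


def build_sample_drive() -> str:
    """Constructed sample USB layout (not a real capture) for offline testing."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "report.docx").write_text("benign document")
    (root / ".a1b2c3.vbs").write_text("' constructed placeholder, no real content")
    (root / "q9z8x7.lnk").write_bytes(b"\x4c\x00\x00\x00")  # LNK header magic only
    (root / "photos").mkdir()
    (root / "photos" / "holiday.lnk").write_bytes(b"\x4c\x00\x00\x00")  # lone LNK
    return str(root)


if __name__ == "__main__":
    for hit in scan_drive(build_sample_drive()):
        print(f"[!] {hit['dir']}: hidden {hit['scripts']} beside {hit['lnks']}")
```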
Gamaredon's distinctive approach to C&C involves using domains as placeholders for the actual IP addresses of its rotating C&C servers, as explained by Check Point. Additionally, LitterDrifter can connect to a C&C server obtained from a Telegram channel, a tactic the threat actor has employed consistently since at least the beginning of the year.
The cybersecurity company also noted indications of potential infections beyond Ukraine, based on VirusTotal submissions from the United States, Vietnam, Chile, Poland, Germany, and Hong Kong.
What is Worm Malware?
A worm is a type of malicious software (malware) that is designed to replicate itself and spread to other computers or devices autonomously, often without the need for human intervention. Unlike viruses, worms don't need to attach themselves to existing programs or files to spread; they can independently travel across networks and systems.
Key characteristics of worm malware include:
- Self-Propagation: Worms are programmed to independently replicate and spread across connected devices or networks. They can exploit vulnerabilities in operating systems or applications to infect other computers.
- Autonomy: Worms operate without direct human involvement. Once a system is infected, the worm can actively seek out and infect other vulnerable systems without requiring user action.
- Network-based Spread: Worms often spread through network connections, such as the internet, local area networks (LANs), or removable media like USB drives. They can exploit weaknesses in network protocols to move from one system to another.
- Payload: In addition to replicating, worms may carry a payload, which is the actual malicious activity they are designed to perform. This could include damaging or deleting files, stealing information, or facilitating other forms of cyber attacks.
- Persistence: Some worms are designed to remain active on infected systems over an extended period, allowing them to continue their malicious activities or receive updated instructions from a remote command-and-control server.