Russian state hackers unleash USB worm with global reach
LittleDrifter has infected organisations worldwide
A notorious group of Russian state hackers, known by various names such as Gamaredon, Primitive Bear, ACTINIUM, Armageddon, and Shuckworm, has expanded its cyber espionage activities beyond Ukraine.
According to ars Technica whilst initially focused on Ukrainian entities, the group has allowed a USB-based malware, named LitterDrifter, to infect organisations worldwide.
Since 2014, Gamaredon has been linked to Russia's Federal Security Service by the Security Service of Ukraine, displaying a lack of concern for flying under the radar. Its campaigns, primarily targeting Ukrainian organisations, aim to gather extensive information using malware tools. One such tool is LitterDrifter, a computer worm written in Visual Basic Scripting language.
LitterDrifter's primary functions include spreading from USB drive to USB drive and permanently infecting connected devices with malware that communicates with Gamaredon-controlled command-and-control servers. Researchers from Check Point Research have observed the worm's unintentional or deliberate spread to various countries, including the USA, Vietnam, Chile, Poland, Germany, and even Hong Kong.
Worms, like LitterDrifter, have a reputation for exponential growth due to their self-propagating nature. Similar to historical incidents such as Stuxnet, created by the US National Security Agency and Israel and non-USB-activated (and hostile state related) worms like NotPetya and WannaCry, LitterDrifter exhibits the potential for extensive reach.
LitterDrifter's spreader module utilises simple yet effective techniques, creating LNK decoy shortcuts and hidden copies of the "trash.dll" file to infect removable USB drives. The worm queries a computer's logical drives using Windows Management Instrumentation, identifying removable USB drives through the MediaType value set to null. It then recursively accesses subfolders and creates shortcuts, facilitating the spread of the malware.