A worm spread by sharing USB drives is breaking free, outside of its primary target. An APT group tied to the Russian FSB is said to be responsible—apparently it’s part of Putin’s cyberwar against Ukraine.
LitterDrifter is at least easily detected and blocked. In today’s SB Blogwatch, we give thanks for small mercies.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Area Zero.
What’s the craic? Ionut Arghire reports—“USB Worm Spreads Beyond Ukraine”:
“Russia’s Federal Security Service”
Written in VBScript, the malware contains two main functions, to automatically spread to other USB drives and to communicate with a flexible set of command-and-control (C&C) servers. However, it can also execute payloads received from the C&C.
…
Also tracked as Armageddon, Aqua Blizzard, Primitive Bear, Shuckworm, and Trident Ursa, … the Russia-linked advanced persistent threat (APT) group Gamaredon, … active for at least a decade, … mainly focuses on Ukrainian entities, such as government employees, journalists, and military personnel. … Members of the APT were previously identified as employees of Russia’s Federal Security Service (FSB).
Where’s it reached? Bill Toulas thinks Russia’s lost control—“Gamaredon’s LitterDrifter USB malware spreads”:
“trash.dll”
Malware researchers saw indications of compromise in the United States, Ukraine, Germany, Vietnam, Poland, Chile, and Hong Kong, which suggests that the threat group lost control of LitterDrifter, which reached unintended targets. … LitterDrifter is likely part of the first stage of an attack, trying to establish persistence on the compromised system and waiting for the C2 to deliver new payloads that would further the attack.
…
To achieve its goal, the malware uses two separate modules, which are executed by the heavily obfuscated VBS component trash.dll. [They] establish persistence by adding scheduled tasks and registry keys. The module responsible for propagation to other systems monitors for newly inserted USB drives and creates deceptive LNK shortcuts along with a hidden copy of the … DLL.
Horse’s mouth? Check Point’s faceless PR scribblers—“Into the Trash”:
“Deliberately obscured”
Gamaredon’s large-scale campaigns are usually followed by data collection efforts aimed at specific targets, whose selection is likely motivated by espionage goals. These efforts run parallel to the deployment of various mechanisms and tools designed to maintain as much access to these targets as possible.
…
The script decodes the provided encoded strings and writes them to the “Favorites” directory as “jersey.webm”, the payload component, and “jaw.wm”, the spreader component. … After creating these files, the malware proceeds to set scheduled tasks [and] adds an entry to the user’s startup items in the Registry Run Keys to ensure they run upon startup.
…
Both the tasks and the startup entries are disguised using technical-sounding names such as “RunFullMemoryDiagnostic” and “ProcessMemoryDiagnosticEvents” to … avoid arousing suspicion. The entire flow is deliberately obscured by ambiguous function and variable names as well as the use of inline scripting, which make it difficult for casual observers to discern its intent and activities.
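The persistence described in the Check Point excerpts (scheduled tasks and Registry Run keys with innocuous names, launching a VBScript body stored under misleading extensions in the user's Favorites directory) is easy to triage once autostart entries have been exported. The following is an added example for defenders, not Check Point's or the malware's code: it scores autostart entries against the indicators the page names, and assumes the entries have already been pulled out as name/command strings (from an EDR query, an Autoruns-style export, or a forensic image). The sample entries are constructed.

```python
"""Triage exported Windows autostart entries for LitterDrifter-style persistence.

Added example, not Check Point's or Gamaredon's code. Assumes scheduled-task
actions and Run-key values have already been exported as plain strings; the
SAMPLE_ENTRIES below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Task / Run-key names the Check Point report attributes to LitterDrifter.
KNOWN_NAMES = {"RunFullMemoryDiagnostic", "ProcessMemoryDiagnosticEvents"}

# The worm is VBScript, so the command must pass through a script host.
SCRIPT_HOSTS = re.compile(r"\b(wscript|cscript)(\.exe)?\b", re.IGNORECASE)
# Script bodies hidden behind non-script extensions, as with jersey.webm / jaw.wm / trash.dll.
NON_SCRIPT_EXT = re.compile(r"\S+\.(webm|wm|dll|jpg|png|mp4)\b", re.IGNORECASE)
# The report says the components are written to the user's Favorites directory.
FAVORITES_DIR = re.compile(r"\\favorites\\", re.IGNORECASE)


@dataclass
class AutostartEntry:
    source: str    # "task" or "runkey"
    name: str
    command: str


def score_entry(entry: AutostartEntry) -> list:
    """Return the list of reasons an entry resembles LitterDrifter persistence (empty if none)."""
    reasons = []
    if entry.name in KNOWN_NAMES:
        reasons.append("known LitterDrifter task/Run-key name")
    if SCRIPT_HOSTS.search(entry.command):
        if NON_SCRIPT_EXT.search(entry.command):
            reasons.append("script host launching a file with a non-script extension")
        if FAVORITES_DIR.search(entry.command):
            reasons.append("script host launching from the user's Favorites directory")
    return reasons


def triage(entries) -> dict:
    """Map each suspicious entry name to its reasons; clean entries are omitted."""
    result = {}
    for entry in entries:
        reasons = score_entry(entry)
        if reasons:
            result[entry.name] = reasons
    return result


# Constructed sample export: two entries shaped like the report's description,
# plus two benign-looking entries (hypothetical names) that must not be flagged.
SAMPLE_ENTRIES = [
    AutostartEntry("task", "RunFullMemoryDiagnostic",
                   r'wscript.exe "C:\Users\alice\Favorites\jersey.webm"'),
    AutostartEntry("runkey", "ProcessMemoryDiagnosticEvents",
                   r'wscript.exe "C:\Users\alice\Favorites\jaw.wm"'),
    AutostartEntry("task", "NightlyBackup",
                   r'"C:\Program Files\ExampleBackup\backup.exe" /quiet'),
    AutostartEntry("runkey", "BuildTools",
                   r"cscript.exe C:\tools\build.vbs"),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ENTRIES).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

The name check alone is brittle (an operator can rename a task); the structural checks (script host plus non-script extension, script host plus a user-profile data directory) are what carry over to renamed variants, so keep both and treat any two reasons together as a high-confidence hit.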
Wait. Pause. A USB worm? u/NothingGlad1024 simply laughs:
LOL—USB worm. What’s it going to do, crawl its way into my USB port? I barely even use USB sticks anymore—seems like a mostly outdated propagation method.
Well, quite. It’s 2023. Why is USB malware still a Thing? CatBus explains:
It’s tricking the user into running the malware by having a shortcut disguised as a document with an intriguing name (“twitter_password.rtf.lnk”). And speaking of things that are the first thing to turn off on a new OS install, LNK extensions are still hidden even when you disable hiding file extensions.
But why are these people opening unknown files? They’re not, thinks balexis:
The trick is that the spreader component infects newly inserted USB drives and creates shortcut (.lnk) files with the same filename and icon as the legitimate files. End users don’t end up opening “unknown files”; they think they are opening files that they expected to be on the drive.
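The two comments above describe the lure precisely: an LNK that either shadows a real file on the drive or carries a document extension in front of the hidden .lnk suffix (the “twitter_password.rtf.lnk” pattern), next to a hidden copy of the payload. The following is an added example, not code from the page or the malware: a scanner that lists a removable drive's top-level directory and flags shortcuts matching either pattern plus any hidden non-shortcut files. It assumes the drive is mounted at a path the caller supplies; the sample drive layout is constructed in a temporary directory so the check runs offline on any OS (a dot-prefixed file stands in for the Windows hidden attribute where that attribute is unavailable).

```python
"""Scan a removable drive's root for LitterDrifter-style decoy shortcuts.

Added example, not Check Point's or the malware's code. Assumes the caller
passes the mounted drive's root path; build_sample_drive() constructs a
throwaway layout so the functions can be exercised without a real USB stick.
"""
import stat
import tempfile
from pathlib import Path

# Extensions a user expects to double-click on a shared drive. A .lnk whose
# name ends in one of these before ".lnk" is a double-extension decoy.
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".rtf", ".txt", ".pptx"}


def is_hidden(path: Path) -> bool:
    """True if the file has the Windows hidden attribute (Windows only) or a dot prefix."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or path.name.startswith(".")


def find_decoy_lnks(drive_root) -> dict:
    """Return {shortcut name: reason} for .lnk files that mimic documents."""
    root = Path(drive_root)
    names = {p.name for p in root.iterdir()}
    findings = {}
    for p in root.iterdir():
        if p.suffix.lower() != ".lnk":
            continue
        target_like = p.name[:-4]                 # filename with ".lnk" stripped
        inner_ext = Path(target_like).suffix.lower()
        if target_like in names:
            findings[p.name] = f"shadows existing file {target_like!r}"
        elif inner_ext in DOCUMENT_EXTS:
            findings[p.name] = f"double extension {inner_ext}.lnk with no matching file"
    return findings


def find_hidden_payloads(drive_root) -> list:
    """Return names of hidden, non-shortcut files at the drive root."""
    return sorted(p.name for p in Path(drive_root).iterdir()
                  if p.is_file() and p.suffix.lower() != ".lnk" and is_hidden(p))


def build_sample_drive() -> Path:
    """Constructed layout: a real spreadsheet, its decoy, a bare decoy, a note, a hidden payload stand-in."""
    d = Path(tempfile.mkdtemp(prefix="usb_"))
    (d / "budget_2023.xlsx").write_bytes(b"PK\x03\x04 constructed spreadsheet")
    (d / "budget_2023.xlsx.lnk").write_bytes(b"L\x00\x00\x00 constructed shortcut")
    (d / "twitter_password.rtf.lnk").write_bytes(b"L\x00\x00\x00 constructed shortcut")
    (d / "notes.txt").write_text("legitimate notes")
    # Dot prefix stands in for the hidden attribute on non-Windows hosts.
    (d / ".trash.dll").write_bytes(b"constructed hidden payload stand-in")
    return d


if __name__ == "__main__":
    drive = build_sample_drive()
    for name, reason in find_decoy_lnks(drive).items():
        print(f"decoy shortcut: {name}: {reason}")
    for name in find_hidden_payloads(drive):
        print(f"hidden file: {name}")
```

The shadowing check is the stronger signal: a legitimate user rarely keeps a shortcut and its target side by side with identical names at a drive root, whereas a lone double-extension shortcut can occasionally be a careless user's creation. Running this from a locked-down staging host before a drive is trusted costs nothing and catches this family of lures regardless of the payload's name.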
Windows! Microsoft! But u/SenKats brings this apologia:
What are the people behind Windows actually supposed to do? Remove USB support?
This whole thing runs because people are opening decoy shortcuts. … How is it the OS’s fault at all? Is it supposed not to provide shortcut functionality?
Stiiicks iiin Spaaace! original_mds has heard this song before:
An astronaut once infected a laptop on the ISS via an infected USB stick they brought up with them (personal playlist, I believe). This is also why military personnel have been removed from duty or even prosecuted for connecting USB sticks to classified computing systems.
Meanwhile, ThurstonMoore waxes—perhaps understandably—slightly xenophobic:
G*d damn ****head Russians.
Teza’s Pokemon Scarlet and Violet acapella cover
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Sara Kurfeß (via Unsplash; leveled and cropped)