Russian Cyber Espionage Group Deploys LitterDrifter USB Worm in Targeted Attacks

November 18, 2023 at 02:24AM

Russian cyber espionage actors affiliated with the Federal Security Service (FSB) are using a USB worm called LitterDrifter in attacks on Ukrainian entities. The worm spreads malware via USB drives and communicates with the threat actor’s command-and-control servers. The cybersecurity firm Check Point has observed signs of possible infection outside of Ukraine. Additionally, Russian state-sponsored hackers are targeting embassies across Europe using a recently disclosed WinRAR vulnerability. The hackers send phishing emails with a link to a malicious ZIP file that exploits the vulnerability.

The key takeaways are:

1. Russian cyber espionage actors affiliated with the Federal Security Service (FSB) are using a USB-propagating worm called LitterDrifter to target Ukrainian entities.
2. Gamaredon, the group behind LitterDrifter, is engaging in large-scale campaigns followed by espionage-focused data collection efforts.
3. LitterDrifter spreads malware through connected USB drives and communicates with the threat actor’s command-and-control servers.
4. The malware is suspected to be an evolution of a previously disclosed USB worm.
5. Gamaredon’s approach to command-and-control is unique, utilizing domains as placeholders for circulating IP addresses used as C2 servers.
6. LitterDrifter is capable of connecting to a C2 server extracted from a Telegram channel.
7. Possible infections outside of Ukraine have been detected based on VirusTotal submissions from the U.S., Vietnam, Chile, Poland, Germany, and Hong Kong.
8. APT29, a Russian state-sponsored hacking group, has been targeting embassies across Europe using a recently disclosed WinRAR vulnerability (CVE-2023-38831).
9. The APT29 attack chain involves phishing emails, a specially crafted ZIP file, and the exploitation of the WinRAR vulnerability to retrieve a PowerShell script.
10. The Computer Emergency Response Team of Ukraine (CERT-UA) has uncovered a phishing campaign using malicious RAR archives disguised as a PDF document from the Security Service of Ukraine (SBU) to deliver the Remcos RAT.

These takeaways highlight significant cybersecurity risks and the need for enhanced measures to protect against USB worms and phishing attacks.
