Gamaredon’s LittleDrifter USB malware spreads beyond Ukraine

November 20, 2023 at 05:34PM

LittleDrifter is a recently discovered worm that spreads through USB drives and has infected systems in several countries. It is attributed to a campaign by Gamaredon, a state-sponsored espionage group. The malware beacons to the group's command-and-control (C2) server and propagates by planting deceptive LNK shortcuts, along with a hidden copy of its payload file, on USB drives. The C2 IP addresses rotate frequently to evade blocking. LittleDrifter is most likely the first stage of an attack, and it stands out for being simple yet effective.

Key Takeaways:

– A new worm called LittleDrifter has been spreading through USB drives and infecting systems in multiple countries. It is believed to be part of a campaign by the Gamaredon state-sponsored espionage group.
– The malware is written in VBS and propagates through USB drives, similar to Gamaredon’s USB PowerShell worm.
– Gamaredon has been targeting organizations in Ukraine for at least a decade, including government, defense, and critical infrastructure sectors.
– LittleDrifter’s purpose is to establish communications with Gamaredon’s command and control server and spread over USB drives.
– The malware is heavily obfuscated and split into two modules: one handles C2 communication, the other handles USB propagation.
– LittleDrifter installs itself in the user's "Favorites" directory and establishes persistence by adding scheduled tasks and registry keys.
– The propagation module plants deceptive LNK shortcuts and hidden copies of the "trash.dll" file on newly inserted USB drives.
– It uses Windows Management Instrumentation (WMI) to enumerate candidate drives, then creates shortcuts with randomized names that launch the malicious script.
– Rather than hard-coding C2 IP addresses, Gamaredon uses domains as placeholders that are resolved to the current C2 address at run time.
– LittleDrifter checks for a configuration file in the temporary folder; if it is missing, it pings one of Gamaredon's domains via a WMI query to obtain the current C2 IP address.
– The C2 IP addresses used by LittleDrifter have a typical lifespan of 28 hours but may change multiple times a day.
– The C2 may send additional payloads for LittleDrifter to execute on compromised systems, although in most cases, no additional payloads were downloaded.
– LittleDrifter can also retrieve the C2 IP address from a Telegram channel as a backup option.
– LittleDrifter is likely the first stage of an attack, establishing persistence and waiting for the C2 to deliver new payloads.
– The malware is characterized as being simple but effective.
– Check Point’s report provides hashes for almost two dozen LittleDrifter samples and domains associated with Gamaredon’s infrastructure.
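A triage script of the kind a responder might run against a mounted copy of a suspect USB drive, as an added example that is not from the article or from Check Point's report: it flags the two propagation artifacts the takeaways describe, a file named trash.dll (hidden on a real infected drive) and LNK shortcuts whose embedded strings reference that file. The LNK check is a byte-string heuristic over a valid ShellLink header, not a full parser; the file name trash.dll is the only indicator taken from the page, and the sample files the script builds are constructed test data, not real malware.

```python
"""Offline triage of a removable-drive root for LittleDrifter-style artifacts.

Added example, not Check Point's or the article's code. It looks for the two
propagation artifacts the report describes: a file named trash.dll (hidden on
a real infected drive) and LNK shortcuts whose embedded command line references
it. build_constructed_sample() writes synthetic stand-ins for testing only.
"""
import os
import stat
import tempfile
from pathlib import Path

MARKER_NAME = "trash.dll"                       # file name reported on infected drives
LNK_HEADER_SIZE = b"\x4c\x00\x00\x00"           # ShellLink header: HeaderSize == 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}


def is_hidden(path: Path) -> bool:
    """True when the Windows 'hidden' attribute is set (always False on POSIX)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def lnk_references_marker(path: Path) -> bool:
    """Heuristic: a genuine ShellLink header plus the marker name in ANSI or UTF-16LE."""
    data = path.read_bytes()
    if not data.startswith(LNK_HEADER_SIZE + LNK_CLSID):
        return False
    lowered = data.lower()  # bytes.lower() only touches ASCII letters, which is all we need
    return (MARKER_NAME.encode("ascii") in lowered
            or MARKER_NAME.encode("utf-16-le") in lowered)


def scan_removable_root(root) -> list:
    """Walk the drive and return one finding dict per suspicious file."""
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        if p.name.lower() == MARKER_NAME:
            findings.append({"path": str(p), "kind": "marker_file", "hidden": is_hidden(p)})
        elif p.suffix.lower() == ".lnk" and lnk_references_marker(p):
            findings.append({"path": str(p), "kind": "lnk_references_marker", "hidden": is_hidden(p)})
    return findings


def build_constructed_sample(root) -> None:
    """Write synthetic files imitating the reported layout (constructed, not real samples)."""
    root = Path(root)
    # Stand-in for the hidden payload; the hidden attribute is not set here, so on a
    # real drive expect hidden=True for this finding on Windows.
    (root / MARKER_NAME).write_bytes(b"' constructed stand-in for the hidden VBS payload\r\n")
    # Decoy shortcut: valid header, padding, then a UTF-16LE command line launching the file.
    fake_cmd = 'wscript.exe //e:vbscript "trash.dll"'.encode("utf-16-le")
    (root / "Documents.lnk").write_bytes(LNK_HEADER_SIZE + LNK_CLSID + b"\x00" * 60 + fake_cmd)
    # Benign shortcut and document that must not be flagged.
    benign = "notepad.exe readme.txt".encode("utf-16-le")
    (root / "Readme.lnk").write_bytes(LNK_HEADER_SIZE + LNK_CLSID + b"\x00" * 60 + benign)
    (root / "report.docx").write_bytes(b"PK\x03\x04constructed")


def demo_scan() -> list:
    """Build the constructed sample in a temp dir, scan it, return the sorted finding kinds."""
    with tempfile.TemporaryDirectory() as d:
        build_constructed_sample(d)
        return sorted(f["kind"] for f in scan_removable_root(d))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_constructed_sample(d)
        for finding in scan_removable_root(d):
            print(finding)
```

Point `scan_removable_root()` at the mount point of a write-blocked copy of the drive rather than the live device; a finding with `hidden=True` on the marker file, or any LNK whose embedded command line launches a file that is not what the shortcut name suggests, is the behavior the takeaways describe and warrants pulling the full sample for comparison against the published hashes.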
