November 20, 2023 at 07:45AM
A USB worm called LitterDrifter, attributed to the Russia-linked Gamaredon group, has spread beyond Ukraine, its primary target, according to cybersecurity firm Check Point. The worm, also known as Armageddon and Aqua Blizzard, is designed to automatically spread to other USB drives and communicate with command-and-control servers. While Gamaredon primarily focuses on Ukrainian entities, infections have been observed in other countries such as the US, Chile, Germany, Hong Kong, Poland, and Vietnam. Check Point emphasizes that although LitterDrifter may seem unsophisticated, it has been effective in the group’s sustained activities in Ukraine.
Key takeaways from the meeting notes:
1. A USB worm called LitterDrifter, attributed to the Gamaredon advanced persistent threat (APT) group, has been identified. This APT group, also known as Armageddon, Aqua Blizzard, Primitive Bear, Shuckworm, and Trident Ursa, has been active for at least a decade and primarily targets Ukrainian entities.
2. Gamaredon, previously identified as employees of Russia’s Federal Security Service (FSB), has also been involved in hack-for-hire activities.
3. LitterDrifter is a self-propagating USB worm written in VBScript. It spreads to other USB drives and communicates with a set of command-and-control (C&C) servers. It can also execute payloads received from the C&C servers.
4. Gamaredon’s infrastructure is flexible and volatile, using domains as placeholders for IP addresses used as C&C servers. IP addresses are operational for approximately 28 hours, with the active C&C changing multiple times a day.
5. Although Gamaredon primarily focuses on Ukraine, LitterDrifter infections have been observed in other countries like the US, Chile, Germany, Hong Kong, Poland, and Vietnam, indicating that the worm has spread beyond its intended targets.
6. Check Point concludes that while LitterDrifter may seem unsophisticated, its simplicity aligns with Gamaredon’s overall approach, which has proven to be effective in sustaining their activities in Ukraine.
Note: These takeaways are based on the provided meeting notes and may not include all details or contextual information.