LitterDrifter USB Worm

A new worm that spreads via USB sticks is infecting computers in Ukraine and beyond.

The group—known by many names, including Gamaredon, Primitive Bear, ACTINIUM, Armageddon, and Shuckworm—has been active since at least 2014 and has been attributed to Russia’s Federal Security Service by the Security Service of Ukraine. Most Kremlin-backed groups take pains to fly under the radar; Gamaredon doesn’t care to. Its espionage-motivated campaigns targeting large numbers of Ukrainian organizations are easy to detect and tie back to the Russian government. The campaigns typically revolve around malware that aims to obtain as much information from targets as possible.

One of those tools is a computer worm designed to spread from computer to computer through USB drives. Tracked by researchers from Check Point Research as LitterDrifter, the malware is written in the Visual Basic Scripting language. LitterDrifter serves two purposes: to promiscuously spread from USB drive to USB drive and to permanently infect the devices that connect to such drives with malware that permanently communicates with Gamaredon-operated command-and-control servers.

Posted on November 24, 2023 at 7:04 AM

Comments

Clive Robinson November 24, 2023 12:58 PM

@ Bruce, ALL,

Re : Flying across the gap.

“One of those tools is a computer worm designed to spread from computer to computer through USB drives.”

If you look way back on this blog…

I described how to do this years ago, pre Stuxnet when doing some research on how to do “fire and forget” attacks against “voting machines”.

The argument was that voting machines were never connected to the Internet so were “air gapped” so could not get “malware infections”…

However they were based on a well known commercial OS and standard PC mother board designs. As such a maintenance tech would have to go around and patch them etc.

I reasoned that the techs would use laptops that did get connected to the Internet, and that they would plug in a USB device to get the patches etc. They would then use that USB drive to update the voting machines.

So all you had to do was “piggy-back” on the USB drive to get code onto the voting machines.

The hard part was how to get your code onto the technician’s laptop. Hence the “fire and forget” nature. The code would travel around the Internet getting on machine after machine. If you knew the type of laptop or particular application the techs used then you had a “distinguisher” so your code would be like a “loitering munition”[1] just flitting about waiting to drop a payload and then ride in across the gap.

The part I decided not to talk about back then was how to do the reverse which is exfiltrate data. For two reasons, firstly it was not needed to attack voting machines, secondly I’d worked out a rather nifty way to extend my trick of creating an unblockable and decoupled control channel by co-opting Google’s search engine[2]… A trick that’s still not been seen in the wild as far as I’m aware… But the simple infiltration across an air gap was fairly quickly seen and several times since then.

Which suggests the readership of this blog has worn “several shades of grey” in headwear.

[1] I know the term “loitering munition” was not used back then, but it’s just so apt –or should that be APT– these days.

[2] Creating an unblockable and decoupled control channel by co-opting Google’s search engine is actually not difficult and I’ve outlined it before.

Put simply you find any random blog –that Google searches and puts in its cache– that allows anonymous posting. You simply add a unique “distinguisher” such as a “handle/name” that your code can run a Google search for. In the body of the post you hide your “control string”. Obviously you have to dress it up a bit in that the distinguisher has to be a “One Time Use” string and not directly visible in your code and a few other tricks but the idea works…

Clive Robinson November 24, 2023 1:33 PM

@ ALL,

The ARS Tech article says,

“Its creators intended Stuxnet to infect only a relatively small number of Iranian targets participating in that country’s uranium enrichment program. Instead, Stuxnet spread far and wide”

Is actually not the reality of it.

Stuxnet was intended by the US for North Korea, and as “The Hermit Kingdom” was well locked down, US intelligence decided that as Iran and NK were co-operating they would use Iran as a “stepping stone” into NK. They further assumed incorrectly that Iran and NK used the same setup that Pakistan’s “Father of the bomb” AQ Khan had sold them the design of[1].

As it turns out NK had changed the design they used, which is why NK sent the US a message… They called in the UN inspectors and gave them a guided tour, but stopped them seeing the different control systems.

The US had developed a “distinguisher” for when Stuxnet had got to NK based on info they had, but it was too broad in scope. Which is why Stuxnet went hot in various unexpected places in amongst other places the Far East.

But I said all that back on this blog at the time Stuxnet first broke the news…

It took others four years to catch up and nearly get it right on the obvious,

https://www.theguardian.com/world/2015/may/29/us-stuxnet-cyber-attack-north-korea-failure

https://www.networkworld.com/article/939556/the-nsa-reportedly-tried-but-failed-to-use-a-stuxnet-variant-against-north-korea.html

But it looks like some journalists still have not caught up…

[1] That Khan he had stolen by “industrial espionage” and used for Pakistan’s nukes, but also sold via his Swiss based company to Iran, North Korea, Libya and one or two other places.

lurker November 24, 2023 2:45 PM

“. . . searches for a Media Type of null …”

Well yes, it’s called Universal Serial Bus, but I’ve always had this queer notion that bad things will happen if it’s used for mass storage devices. Sure, there are other well known OSes that have Media Type = 99 just as vulnerable. Will people ever learn that a USB drive is not an airgap?

rivas November 24, 2023 2:52 PM

The article says “Worms are forms of malware that spread without requiring a user to take any action.” That’s true, and I’m having trouble seeing how this is a worm. Is the article wrong, or did it leave something out? It looks like this thing just puts “LNK” files (Windows shortcuts) onto USB drives, with “tempting” filenames; and those shortcuts are configured to run a script. But that’s, like, exactly the description of a virus. A particularly lame one, given that it doesn’t even embed itself into programs or do anything to hide itself; it would be easily noticed if Windows prompted before running stuff from removable media or were less adamant about hiding file extensions.
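The mechanism rivas describes above (shortcut files dropped on a USB stick, named to tempt a click, configured to launch a script) is something a defender can triage directly. The following is an added example written for this page, not code from the post, from Check Point, or from the campaign: it parses the Shell Link header and StringData of a `.lnk` file as laid out in Microsoft's MS-SHLLINK specification and flags shortcuts on a mounted removable drive that launch a script host, request a minimized window, or are named after a real folder beside them. The function names, the list of script hosts, and the sample shortcut blobs are this example's own choices and constructed test data.

```python
"""Triage Windows shortcut (.lnk) files found on a removable drive.

Added example (not the post's or the project's code): a small Shell Link
parser plus heuristics for the "tempting .lnk that runs a script" pattern.
Sample shortcuts are constructed inline for the demonstration.
"""
import os
import re
import struct
import tempfile

HEADER_SIZE = 0x4C                                   # fixed Shell Link header length
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
# LinkFlags bits from MS-SHLLINK 2.1.1 (only the low byte is needed here)
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
SW_SHOWMINNOACTIVE = 7                               # ShowCommand that keeps the window hidden
# script hosts this example treats as suspicious targets for a USB shortcut (a choice)
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|mshta|powershell)(\.exe)?\b", re.I)


def parse_lnk(data: bytes) -> dict:
    """Decode ShowCommand and the StringData fields of a Shell Link blob."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    fields = {"show_command": struct.unpack_from("<I", data, 0x3C)[0]}
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:                # skip IDList: 2-byte size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                         # skip LinkInfo: size includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for flag, name in STRING_FIELDS:                  # CountCharacters, then chars, no NUL
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def assess_lnk(fields: dict) -> list:
    """Return the reasons a parsed shortcut looks like a USB script lure (empty = clean)."""
    reasons = []
    target = fields.get("relative_path", "") + " " + fields.get("arguments", "")
    m = SCRIPT_HOST.search(target)
    if m:
        reasons.append(f"launches script host {m.group(1).lower()}")
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window minimized (SW_SHOWMINNOACTIVE)")
    return reasons


def scan_removable(root: str) -> dict:
    """Walk a mounted drive and map each suspicious .lnk path to its reasons."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for fname in filenames:
            if not fname.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    reasons = assess_lnk(parse_lnk(fh.read()))
            except (ValueError, struct.error, OSError):
                reasons = ["unparseable .lnk"]
            # a shortcut named after a real folder beside it reads as that folder
            # once Explorer hides the .lnk extension
            if os.path.splitext(fname)[0] in dirnames:
                reasons.append("named after a sibling folder")
            if reasons:
                findings[path] = reasons
    return findings


def build_sample_lnk(relative_path: str, arguments: str, show_cmd: int) -> bytes:
    """Construct a minimal Shell Link blob (header, StringData, terminal block).
    Test data for this example only, not a file recovered from any campaign."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)

    def enc(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + enc(relative_path) + enc(arguments) + struct.pack("<I", 0)


def demo_scan() -> dict:
    """Stage a constructed 'USB stick' in a temp dir; return findings keyed by file name."""
    with tempfile.TemporaryDirectory() as usb:
        os.mkdir(os.path.join(usb, "Documents"))
        with open(os.path.join(usb, "Documents.lnk"), "wb") as fh:   # lure beside real folder
            fh.write(build_sample_lnk(r"..\Windows\System32\wscript.exe",
                                      '/b "lure_script.vbs"', SW_SHOWMINNOACTIVE))
        with open(os.path.join(usb, "report.lnk"), "wb") as fh:      # ordinary document link
            fh.write(build_sample_lnk(r"..\Documents\report.docx", "", 1))
        return {os.path.basename(p): r for p, r in scan_removable(usb).items()}


if __name__ == "__main__":
    for name, why in demo_scan().items():
        print(name, "->", "; ".join(why))
```

The parser deliberately skips the LinkTargetIDList and LinkInfo sections by their declared sizes and stops before ExtraData, because for triage the relative path, arguments and ShowCommand are what distinguish a shortcut that quietly launches `wscript.exe` from one that opens a document. A real sweep would also collect the shortcut's own timestamps and hash for correlation with host telemetry.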
