Cyber Espionage Campaigns: Gamaredon’s LitterDrifter Worm and APT29’s WinRAR Exploits

27 Nov, 2023

In the ever-evolving landscape of cyber warfare, recent reports shed light on the activities of Russian cyber espionage actors affiliated with the Federal Security Service (FSB), particularly a group known as Gamaredon. Gamaredon has been observed utilizing a USB-propagating worm called LitterDrifter in targeted attacks against Ukrainian entities. Concurrently, another Russian state-sponsored hacking group, APT29, has been employing sophisticated tactics, leveraging a recently disclosed WinRAR vulnerability (CVE-2023-38831) to target European embassies.

Gamaredon’s LitterDrifter Worm: Tactics and Evolution

Check Point, a cybersecurity firm, recently detailed the tactics employed by Gamaredon, also known as Aqua Blizzard, Iron Tilden, Primitive Bear, Shuckworm, and Winterflounder. The group engages in large-scale campaigns, followed by data collection efforts aimed at specific targets, indicating a clear motivation for espionage.

The LitterDrifter worm, identified as an evolution of a PowerShell-based USB worm disclosed by Symantec in June 2023, is a key component of Gamaredon’s toolkit. This USB-propagating worm is notable for its two main features: automatic spreading through connected USB drives and communication with the threat actor’s command-and-control (C&C) servers.

The spreader module, written in VBS, is responsible for distributing the LitterDrifter worm. It copies the malware onto a connected USB drive as a hidden file, accompanied by a decoy LNK file with a random name. The name “LitterDrifter” is derived from the initial orchestration component, “trash.dll.”

Gamaredon takes a distinctive approach to its C&C infrastructure, using domains as placeholders for the rotating IP addresses that actually serve as C2 servers. Additionally, LitterDrifter can retrieve a C&C server address from a Telegram channel, showcasing the threat actor’s adaptability and diverse tactics.

Check Point’s findings also indicate signs of potential infections outside of Ukraine, as evidenced by VirusTotal submissions from the U.S., Vietnam, Chile, Poland, Germany, and Hong Kong. This highlights the global impact of Gamaredon’s operations and the need for international cooperation in addressing cyber threats.

The cybersecurity firm emphasized Gamaredon’s active presence in 2023, highlighting the group’s continuous evolution of attack methods. In July 2023, the adversary’s rapid data exfiltration capabilities were revealed, with sensitive information transmitted within an hour of the initial compromise. Check Point concludes that LitterDrifter was designed to support a large-scale collection operation, employing simple yet effective techniques to target a broad range of entities in the region.

APT29’s WinRAR Exploits: Targeting European Embassies

Simultaneously, Ukraine’s National Cybersecurity Coordination Center (NCSCC) disclosed information about Russian state-sponsored hacker attacks targeting European embassies. These intrusions have been attributed to APT29, also known as BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock, Midnight Blizzard, and The Dukes.

APT29’s modus operandi involves exploiting the recently disclosed WinRAR vulnerability (CVE-2023-38831) through benign-looking lures. In this instance, the threat actor used offers for BMWs for sale, a theme consistent with their previous tactics. The attack chain begins with phishing emails containing a link to a specially crafted ZIP file. When launched, this file exploits the WinRAR vulnerability to retrieve a PowerShell script from a remote server hosted on Ngrok.
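The article only says the ZIP is “specially crafted.” The following is an added example, not code from the article or from any vendor, of a defensive archive scanner that flags the layout CVE-2023-38831 relies on; it assumes the publicly documented mechanics (a decoy file and a same-named folder, both with a trailing space, the folder holding a script whose name begins with the decoy’s) and builds a constructed sample archive in memory rather than using a real one.

```python
# Added example: flag ZIP archives laid out in the CVE-2023-38831 pattern.
# Assumed mechanics (from the public advisory, not this article): the archive
# holds a benign-looking file "lure.pdf " (trailing space) AND a folder of the
# same name; the folder carries a script such as "lure.pdf .cmd". Vulnerable
# WinRAR builds run that script when the user double-clicks the "document".
import io
import zipfile


def cve_2023_38831_indicators(zip_bytes: bytes) -> list[str]:
    """Return human-readable findings for an archive; an empty list means clean."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [info.filename for info in zf.infolist()]
    files = {n for n in names if not n.endswith("/")}
    dirs = {n.rstrip("/") for n in names if n.endswith("/")}
    # Directories implied by nested entries, even without explicit dir entries.
    for n in files:
        if "/" in n:
            dirs.add(n.rsplit("/", 1)[0])
    # Indicator 1: a path component ending in a space (legitimate tools avoid it).
    for n in names:
        for part in n.rstrip("/").split("/"):
            if part.endswith(" "):
                findings.append(f"trailing-space name: {n!r}")
                break
    # Indicator 2: a file and a directory share a name, and the directory holds
    # an executable whose name starts with that shared base name.
    exec_ext = (".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr")
    for f in files:
        if f in dirs:
            for inner in files:
                if inner.startswith(f + "/") and inner.lower().endswith(exec_ext):
                    findings.append(f"decoy {f!r} shadows script {inner!r}")
    return findings


def build_sample(malicious: bool) -> bytes:
    """Construct an in-memory archive (synthetic test data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            zf.writestr("BMW offer.pdf ", b"%PDF-1.4 decoy")
            zf.writestr("BMW offer.pdf /BMW offer.pdf .cmd", b"echo stage2")
        else:
            zf.writestr("BMW offer.pdf", b"%PDF-1.4 real")
    return buf.getvalue()
```

Run the scanner over mail-gateway attachments or a quarantine folder; a trailing-space name alone is rare enough in real archives to warrant a closer look, and the shadowing indicator is the stronger signal.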

The NCSCC expressed concern over the growing frequency and sophistication with which Russian intelligence services exploit CVE-2023-38831. This underscores the need for timely patching and cybersecurity awareness to mitigate the risks associated with known vulnerabilities.

In a related discovery, the Computer Emergency Response Team of Ukraine (CERT-UA) identified a phishing campaign involving malicious RAR archives. These archives purportedly contain a PDF document from the Security Service of Ukraine (SBU). However, upon execution, the file leads to the deployment of the Remcos RAT. This campaign, tracked under the name UAC-0050, is linked to a previous series of cyber attacks targeting state authorities in Ukraine in February 2023.

Conclusion: A Dynamic Cyber Threat Landscape 

The recent revelations regarding Gamaredon’s LitterDrifter worm and APT29’s exploitation of the WinRAR vulnerability highlight the dynamic and sophisticated nature of cyber threats. As threat actors continuously evolve their tactics, organizations and nations must remain vigilant, prioritize cybersecurity measures, and foster international collaboration to address these challenges collectively. The incidents underscore the critical importance of proactive cybersecurity strategies, including regular patching, employee training, and threat intelligence sharing, to defend against the ever-growing cyber threat landscape.
