On November 17, 2023, researchers from Checkpoint unveiled the existence of a self-propagating worm malware named LitterDrifter by Gamaredon group. This malware, attributed to the Russian-based threat group, also known as ACTINIUM, and Shuckworm, primarily targets Ukrainian entities but has also infected other countries.
The report provides an in-depth analysis of the malware’s functionality, behavior, spreading mechanisms, and command and control (C2) infrastructure. It also highlights the unique features of LitterDrifter and the challenges in detecting and mitigating such malware.
The Gamaredon Group’s Malware Campaigns:
Gamaredon’s large-scale campaigns typically involve data collection efforts aimed at specific targets, likely motivated by espionage goals. These efforts are accompanied by the deployment of various mechanisms and tools designed to maintain as much access to these targets as possible. One such tool is a USB propagating worm known as LitterDrifter.
The LitterDrifter Worm:
LitterDrifter spreads through removable USB drives and establishes persistence through various means, including scheduled tasks and startup entries in the Registry Run Keys. It also uses a flexible C2 infrastructure and a self-check mechanism to ensure its continued presence in target systems. Additionally, the worm uses a custom user-agent to communicate with its command and control servers.
The malware’s use of randomized domain names for C2 servers can make it more difficult to detect and mitigate the infection, as traditional signature-based detection methods rely on identifying known patterns or signatures of known malware.
However, when the malware uses randomized domain names, it becomes more challenging to identify the malware based on a fixed signature. This is because the domain names are not fixed and can change frequently, making it difficult to identify the malware based on a static signature.
Moreover, the group’s use of a Telegram channel for C2 communication is significant because it allows them to maintain a persistent command and control (C2) channel across a wide array of targets, even if the targets are in different countries.
This is an evolution in comparison, of a previously reported activity tying the Gamaredon group to a propagating USB PowerShell worm. Additionally, the use of Telegram for C2 communication is a flexible and volatile approach, as it allows the group to quickly change the C2 IP address and maintain persistence in the victim’s environment.
Mitigation:
Checkpoint researchers also hinted that the use of randomized domain names can also make it more challenging to mitigate the infection. In order to mitigate the infection, security systems need to identify the C2 servers and block them. However, if the C2 servers are using randomized domain names, it becomes more challenging to identify and block them.
To overcome these challenges, security systems need to use more advanced detection and mitigation techniques, such as behavioral-based detection, machine learning-based detection, and anomaly-based detection. These techniques can help identify and mitigate the infection even when the malware uses randomized domain names for C2 servers.
FixitGearWare Security, is urging you our readers, to Stay safe and vigilant! 🛡️ to the Gamaredon group malware signatures, by reviewing checkpoints recommendations, and other reliable sources.
Put your comments below in the comment section on your thoughts about this.