Russia-affiliated Nodaria group deploys information stealing malware against Ukrainian targets

Symantec researchers disclosed Wednesday that the Russian-linked Nodaria group had deployed a new threat designed to steal information from infected computers. The espionage group, also known as UAC-0056, has been found to use a new piece of information-stealing malware against targets in Ukraine.

“The malware (Infostealer.Graphiron) is written in Go and is designed to harvest a wide range of information from the infected computer, including system information, credentials, screenshots, and files,” Symantec’s Threat Hunter Team wrote in their latest blog. “The earliest evidence of Graphiron dates from October 2022. It continued to be used until at least mid-January 2023 and it is reasonable to assume that it remains part of the Nodaria toolkit.”

“Like Graphiron, many of Nodaria’s earlier tools were written in Go. Graphiron appears to be the latest piece of malware authored by the same developers, likely in response to a need for additional functionality,” the Symantec researchers revealed. “While GraphSteel and GrimPlant used Go version 1.16, Graphiron uses version 1.18, confirming it is a more recent development. While Nodaria was relatively unknown prior to the Russian invasion of Ukraine, the group’s high-level activity over the past year suggests that it is now one of the key players in Russia’s ongoing cyber campaigns against Ukraine,” they added.

The researchers describe Graphiron as a two-stage threat consisting of a downloader (Downloader.Graphiron) and a payload (Infostealer.Graphiron). “The downloader contains hardcoded command-and-control (C&C) server addresses. When executed, it will check against a blacklist of malware analysis tools by checking for running processes with the following names – BurpSuite, BurpSuite Free, Charles, dumpcap, Fiddler, httpsMon, mitmdump, mitmweb, NetworkMiner, Proxifier, rpcapd, smsniff, tshark, WinDump, Wireshark, x96dbg, ollydbg, and idag.”

“If no blacklisted processes are found, it will connect to a C&C server and download and decrypt the payload before adding it to autorun,” according to the researchers. “The downloader is configured to run just once. If it fails to download and install the payload it won’t make further attempts nor send a heartbeat. Graphiron uses AES encryption with hardcoded keys. It creates temporary files with the ‘.lock’ and ‘.trash’ extensions. It uses hardcoded file names designed to masquerade as Microsoft Office executables: OfficeTemplate.exe and MicrosoftOfficeDashboard.exe,” they added.

Graphiron has some similarities with older Nodaria tools such as GraphSteel and GrimPlant. GraphSteel is designed to exfiltrate files along with system information and credentials stolen from the password vault using PowerShell. Graphiron has similar functionality but can exfiltrate much more, such as screenshots and SSH keys.

In addition to this, as with earlier malware, Graphiron communicates with the C&C server using port 443 and communications are encrypted using the AES cipher.

Nodaria has been active since at least March 2021 and appears to be mainly involved in targeting organizations in Ukraine. There is also limited evidence to suggest that the group has been involved in attacks on targets in Kyrgyzstan. Third-party reporting has also linked the group to attacks on Georgia.

The group sprang to public attention when it was linked to the WhisperGate wiper attacks that hit multiple Ukrainian government computers and websites in January 2022, the researchers said. “When WhisperGate was initially loaded onto a system, the malware would overwrite the portion of the hard drive responsible for launching the operating system when the machine is booted up with a ransom note demanding $10,000 in Bitcoin. However, this was just a decoy as the WhisperGate malware destroys data on an infected machine and it cannot be recovered, even if a ransom is paid,” they added.

The group’s usual infection vector is spear-phishing emails, which are then used to deliver a range of payloads to targets. Custom tools used by the group to date include Elephant Dropper, Elephant Downloader, the SaintBot downloader, the OutSteel information stealer, GrimPlant (aka Elephant Implant), which collects system information and maintains persistence, and GraphSteel (aka Elephant Client), an information stealer.

Last October, Symantec researchers reported that the Chinese espionage group Budworm had launched attacks across continents, including the first confirmed attacks seen against the U.S. in many years. In recent instances, Budworm has been identified as leveraging the Log4j vulnerabilities to compromise the Apache Tomcat service on servers to install web shells. Additionally, the attackers used Virtual Private Servers (VPS) hosted on Vultr and Telstra as command-and-control (C&C) servers.

Cybercrime intelligence firm Intel 471 published data earlier this month that showed that 2022 presented both new and evolving trends. It recognized significant activity in five main areas – Russia’s war in Ukraine and its underground implications, the continued popularity and evolution of ransomware, the rise and endurance of initial access brokers (IABs), developments in the malware threat landscape, and consistency in the search for and use of vulnerabilities. 

“Russian hacktivists who engaged in cybercrime to support the Russian war effort will continue to diversify their capabilities to include targeted attacks leveraging malware,” the report said. “In 2023, pro-Russian hacktivist groups likely will seek to use ransomware they obtained or developed in recent months. QBot malware instances are highly unlikely to decline in 2023 and will remain a key indicator and/or warning for ransomware-related activity.”

It further added that malware log services and post-exploitation frameworks will likely lower the barrier to entry for less sophisticated threat actors and enable additional illicit activity to be carried out.
