Skip to content
GOING GLOBAL

USB worm unleashed by Russian state hackers spreads worldwide

LitterDrifter's means of self-propagation are simple. So why is it spreading so widely?

Dan Goodin | 82
Credit: Getty Images
Credit: Getty Images
Story text

A group of Russian-state hackers known for almost exclusively targeting Ukrainian entities has branched out in recent months, either accidentally or purposely, by allowing USB-based espionage malware to infect a variety of organizations in other countries.

The group—known by many names, including Gamaredon, Primitive Bear, ACTINIUM, Armageddon, and Shuckworm—has been active since at least 2014 and has been attributed to Russia’s Federal Security Service by the Security Service of Ukraine. Most Kremlin-backed groups take pains to fly under the radar; Gamaredon doesn't care to. Its espionage-motivated campaigns targeting large numbers of Ukrainian organizations are easy to detect and tie back to the Russian government. The campaigns typically revolve around malware that aims to obtain as much information from targets as possible.

One of those tools is a computer worm designed to spread from computer to computer through USB drives. Tracked by researchers from Check Point Research as LitterDrifter, the malware is written in the Visual Basic Scripting language. LitterDrifter serves two purposes: to promiscuously spread from USB drive to USB drive and to permanently infect the devices that connect to such drives with malware that permanently communicates with Gamaredon-operated command-and-control servers.

“Gamaredon continues to focus on [a] wide variety [of] Ukrainian targets, but due to the nature of the USB worm, we see indications of possible infection in various countries like USA, Vietnam, Chile, Poland and Germany,” Check Point researchers reported recently. “In addition, we’ve observed evidence of infections in Hong Kong. All this might indicate that much like other USB worms, LitterDrifter [has] spread beyond its intended targets.”

VirusTotal Submissions of LitterDrifter.
VirusTotal Submissions of LitterDrifter. Credit: Check Point Research

The image above, tracking submissions of LitterDrifter to the Alphabet-owned VirusTotal service, indicates that the Gamaredon malware may be infecting targets well outside the borders of Ukraine. VirusTotal submissions usually come from people or organizations that encounter unfamiliar or suspicious-looking software on their networks and want to know if it’s malicious. The data suggests that the number of infections in the US, Vietnam, Chile, Poland, and Germany combined may be roughly half of those hitting organizations inside Ukraine.

The execution flow of LitterDrifter.
The execution flow of LitterDrifter. Credit: Check Point Research

Worms are forms of malware that spread without requiring a user to take any action. As self-propagating software, worms are notorious for explosive growth at exponential scales. Stuxnet, the worm created by the US National Security Agency and its counterpart from Israel, has been a cautionary tale for spy agencies. Its creators intended Stuxnet to infect only a relatively small number of Iranian targets participating in that country’s uranium enrichment program. Instead, Stuxnet spread far and wide, infecting an estimated 100,000 computers worldwide. Non-USB-activated worms such as NotPetya and WannaCry have infected even more.

LitterDrifter provides a similar means for spreading. Check Point researchers explained:

The core essence of the Spreader module lies in recursively accessing subfolders in each drive and creating LNK decoy shortcuts, alongside a hidden copy of the “trash.dll” file.

trash.dll is distributed as a hidden file in a USB drive together with a decoy LNK.
trash.dll is distributed as a hidden file in a USB drive together with a decoy LNK.

Upon execution, the module queries the computer’s logical drives using Windows Management Instrumentation (WMI), and searches for logical disks with the MediaType value set to null, a method often used to identify removable USB drives.

LitterDrifter’s spreader component.
LitterDrifter’s spreader component. Credit: Check Point Research

For each logical drive detected, the spreader invokes the createShortcutsInSubfolders function. Within this function, it iterates the subfolders of a provided folder up to a depth of 2.

For every subfolder, it employs the CreateShortcut function as part of the “Create LNK” action, which is responsible for generating a shortcut with specific attributes. These shortcuts are LNK files that are given random names chosen from an array in the code. This is an example of the lure’s names from an array in one of the samples that we investigated:("Bank_accоunt", "постановa", "Bank_accоunt", "службовa", "cоmpromising_evidence"). The LNK files use wscript.exe **** to execute “trash.dll” with specified arguments " ""trash.dll"" /webm //e:vbScript //b /wm /cal ". In addition to generating the shortcut, the function also creates a hidden copy of “trash.dll” in the subfolder.

The function in the Spreader component used to iterate subfolders.
The function in the Spreader component used to iterate subfolders. Credit: Check Point Research

The techniques described are relatively simple, but as evidenced, they’re plenty effective, so much so that they have allowed it to break out of its previous Ukrainian-only targeting domain to a much bigger realm. People who want to know if they’ve been infected can check the Check Point post’s indicators of compromise section, which lists file hashes, IP addresses, and domains used by the malware.

“Comprised of two primary components—-a spreading module and a C2 module—it’s clear that LitterDrifter was designed to support a large-scale collection operation,” Check Point researchers wrote. “It leverages simple, yet effective techniques to ensure it can reach the widest possible set of targets in the region.”

Listing image: Getty Images

Photo of Dan Goodin
Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at @dangoodin on Mastodon. Contact him on Signal at DanArs.82.
82 Comments