LitterDrifter: USB Worm Threat and Safeguarding
LitterDrifter: A USB Worm for Cyberespionage and Its Threats to Data Security
LitterDrifter is a computer worm that spreads through USB drives and is utilized by a Russian cyber espionage group known as Gamaredon. This group, active since at least 2013, primarily targets Ukraine but has also infected systems in other countries. LitterDrifter enables Gamaredon to gather sensitive information, execute remote commands, and download other malicious software. In this article, we will explore how this worm functions, methods to safeguard against it, and the motivations behind its creators.
Gamaredon is a cyber espionage group suspected to have ties to Russia’s Federal Security Service (FSB). It conducts intelligence and sabotage operations against strategic targets in Ukraine, including government institutions, law enforcement, media, political organizations, and dissidents. Gamaredon plays a part in the hybrid warfare between Russia and Ukraine that emerged in 2014 following the annexation of Crimea and the armed conflict in Donbass.
Gamaredon employs a diverse range of cyberattack techniques, including phishing, disinformation, sabotage, and espionage. The group possesses several malicious tools such as Pterodo, Outlook Forms, VBA Macros, LNK Spreader, and, of course, LitterDrifter. Gamaredon is considered a group that learns from experience and adapts its tactics to its adversaries’ responses. Its operations also serve Russia as a testing ground for observing the potential of cyber warfare in contemporary conflicts.
How LitterDrifter Works
LitterDrifter is a computer worm initially discovered in October 2021 by cybersecurity company Check Point Research. It is written in VBS and consists of two main modules: a propagation module and a communication module.
The propagation module is responsible for copying the worm to USB drives connected to the infected computer. It creates an autorun.inf file so that the worm launches automatically when an infected drive is inserted. It also generates an LNK file that serves as bait, with a random name chosen to entice the user to click on it. The worm’s name is derived from its original file name, “trash.dll.”
The communication module establishes contact with the worm’s authors’ command and control (C2) server. It uses domains as markers for the actual IP addresses of the C2 servers. It can also connect to a C2 server extracted from a Telegram channel, a technique employed by Gamaredon since early 2021. The communication module allows the worm to collect information about the infected system, such as the computer name, username, IP address, operating system, process list, files on the hard drive, and USB drives. It can also execute remote commands, download and install other malicious software, and delete files or partitions.
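To make the propagation behaviour concrete from the defender’s side, here is an added Python example (not code from the article, from Check Point Research, or from Freemindtronic) that triages a mounted removable volume for the artifacts just described: an autorun.inf whose open= or shellexecute= entry launches something, shortcut (LNK) files, and script files such as VBS. The function names (parse_autorun, triage_removable_volume, build_sample_volume), the set of script extensions, and the sample files that build_sample_volume writes are all assumptions constructed for the example; the only real constant is the Shell Link header signature that every Windows .lnk file begins with.

```python
"""Triage a removable volume for USB-worm artifacts (added example, not the article's code)."""
import sys
import tempfile
from pathlib import Path

# Script types a VBS worm or its loader could plausibly drop; this set is an assumption.
SCRIPT_SUFFIXES = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd", ".ps1"}

# Every Windows shell link starts with HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046, both little-endian encoded.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bit; st_file_attributes is absent on other OSes


def parse_autorun(text: str) -> dict:
    """Return the key/value pairs of the [autorun] section, with keys lower-cased."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def is_hidden(path: Path) -> bool:
    """Hidden by the Windows attribute (when available) or by a leading dot."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN) or path.name.startswith(".")


def triage_removable_volume(root) -> list:
    """Walk a mounted volume and return findings as dicts with type, path and detail."""
    root = Path(root)
    findings = []
    autorun = root / "autorun.inf"  # case-sensitive here; Windows volumes are not
    if autorun.is_file():
        entries = parse_autorun(autorun.read_text(errors="replace"))
        launchers = {k: v for k, v in entries.items() if k in ("open", "shellexecute")}
        detail = ", ".join(f"{k}={v}" for k, v in launchers.items()) or "present without a launch entry"
        findings.append({"type": "autorun", "path": str(autorun), "detail": detail})
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        suffix = path.suffix.lower()
        hidden = " (hidden)" if is_hidden(path) else ""
        if suffix == ".lnk":
            with path.open("rb") as fh:
                genuine = fh.read(len(LNK_MAGIC)) == LNK_MAGIC
            detail = ("shell link" if genuine else "not a shell link") + hidden
            findings.append({"type": "lnk", "path": str(path), "detail": detail})
        elif suffix in SCRIPT_SUFFIXES:
            findings.append({"type": "script", "path": str(path), "detail": f"{suffix} file{hidden}"})
    return sorted(findings, key=lambda f: (f["type"], f["path"]))


def build_sample_volume() -> Path:
    """Write a constructed, harmless imitation of an infected drive into a temp dir."""
    d = Path(tempfile.mkdtemp(prefix="usb_triage_"))
    (d / "autorun.inf").write_text(
        "; constructed sample\n[AutoRun]\nOPEN = wscript.exe //e:vbscript launcher.vbs\nicon=drive.ico\n"
    )
    (d / "launcher.vbs").write_text("' constructed placeholder, contains no payload\n")
    (d / "Holiday Photos.lnk").write_bytes(LNK_MAGIC + b"\x00" * 56)  # header only
    (d / "notes.txt").write_text("benign document\n")
    return d


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_volume()
    for finding in triage_removable_volume(target):
        print(f'{finding["type"]:8} {finding["path"]}  {finding["detail"]}')
```

Run it with the mount point of the drive as the first argument; with no argument it triages the constructed sample. The LNK check only validates the header signature, which tells you the file is a genuine shortcut rather than what it points at; resolving the target would need a full Shell Link parser.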
How LitterDrifter Propagates
LitterDrifter is primarily intended to target Ukraine but has also been detected in other countries, including Latvia, Lithuania, Poland, Romania, Turkey, Germany, France, the United Kingdom, the United States, Canada, India, Japan, and Australia. The worm appears to spread opportunistically, taking advantage of USB exchanges and movements among individuals and organizations. Some of the victims may be secondary targets infected inadvertently, while others could be potential targets awaiting activation.
LitterDrifter is a rapidly spreading worm that affects a large number of systems. According to data from Check Point Research, the worm has been submitted to VirusTotal more than 1,000 times since October 2021, originating from 14 different countries. The majority of submissions come from Ukraine (58%), followed by the United States (12%) and Vietnam (7%). Other countries each represent less than 5% of submissions.
The worm also uses a large number of domains as markers for C2 servers. Check Point Research has identified over 200 different domains used by the worm, most of them free or expired domains. Some have been used by Gamaredon for a long time, while others were created or modified recently. The worm also extracts C2 server IP addresses from Telegram channels, which makes them harder to block or track.
The worm is capable of downloading and installing other malicious software on infected systems. Among the malware detected by Check Point Research are remote control tools, spyware, screen capture software, password stealers, file encryption software, and data destruction software. Some of these tools are specific to Gamaredon, while others are generic or open-source.
Uncontrolled Expansion and Real Consequences of LitterDrifter
LitterDrifter is a worm with uncontrolled expansion, meaning it spreads opportunistically by taking advantage of the movement and exchange of USB drives among individuals and organizations. It doesn’t have a specific target but can infect systems in various countries, without regard to the industry sector or security level. Consequently, it can affect critical systems, including infrastructure, public services, or government institutions.
The real consequences of LitterDrifter are manifold and severe. It can compromise the confidentiality, integrity, and availability of data. Moreover, it can serve as a gateway for more sophisticated attacks, such as deploying ransomware, spyware, or destructive software. Additionally, it can enable the worm’s authors to access sensitive information, including confidential documents, passwords, personal data, or industrial secrets.
LitterDrifter can have serious repercussions for victims, including reputational damage, financial costs, data loss, disruption of operations, or legal liability. It can also affect the national security, political stability, or sovereignty of targeted countries. It belongs to the wider hybrid war waged by Russia against Ukraine, which aims to weaken and destabilize its neighbor through military, political, economic, media, and cyber means.
LitterDrifter’s Attack Methods
Understanding the attack methods employed by LitterDrifter is crucial in safeguarding your systems. This USB worm leverages various techniques to infiltrate systems and establish contact with its command and control (C2) servers. Below, we delve into the primary attack methods used by LitterDrifter:
| Attack Method | Description | Example |
|---|---|---|
| Vulnerability Exploitation | Exploiting known vulnerabilities in software and network protocols, such as SMB, RDP, FTP, HTTP, SSH, etc. It employs tools like Metasploit, Nmap, and Mimikatz to scan systems, execute malicious code, steal credentials, and propagate. | Utilizing the EternalBlue vulnerability to infect Windows systems via the SMB protocol and install a backdoor. |
| Phishing | Sending fraudulent emails containing malicious attachments or links that entice users to open or click. Attachments or links trigger the download and execution of LitterDrifter. | Sending an email pretending to be an invoice from a supplier but containing a malicious Word file that exploits the CVE-2017-0199 vulnerability to execute LitterDrifter. |
| Impersonation | Impersonating legitimate services or applications through similar names, icons, or interfaces. This deceives users or administrators into granting privileges, access, or sensitive information. | Using the name and icon of TeamViewer, a remote control software, to blend into the process list and establish a connection with C2 servers. |
| USB Propagation | Copying itself to USB drives connected to infected computers, automatically running upon insertion. It also creates random-named LNK files as bait, encouraging users to click. | When a user inserts an infected USB drive into their computer, the worm copies itself to the hard drive and executes. It also creates an LNK file named “Holiday Photos.lnk” pointing to the worm. |
| Domain Marker Usage | Using domains as markers for actual C2 server IP addresses. It generates a random subdomain of a hardcoded domain (e.g., 4fj3k2h5.example.com from example.com) and resolves its IP address through a DNS query. It then uses this IP address for communication with the C2 server. | Generating the subdomain 4fj3k2h5.example.com from the hardcoded domain example.com, resolving its IP address through a DNS query (e.g., 192.168.1.100), and using it to send data to the C2 server. |
LitterDrifter’s Malicious Actions
LitterDrifter is a worm that can cause significant damage to infected systems. It not only collects sensitive information but can also execute remote commands, download and install other malicious software, and delete files or partitions. Here’s a table summarizing LitterDrifter’s main malicious actions:
| Malicious Action | Description | Example |
|---|---|---|
| Information Collection | The worm gathers information about the infected system, including computer name, username, IP address, OS, process list, files on the hard drive, and USB drives. | The worm sends the collected information to the C2 server via an HTTP POST request. |
| Remote Command Execution | The worm can receive remote commands from the C2 server, such as launching a process, creating a file, modifying the registry, opening a URL, etc. | The worm can execute a command like cmd.exe /c del /f /s /q c:\*.* to erase all files on the C drive. |
| Download and Malware Installation | The worm can download and install other malicious software on the infected system, such as remote control tools, spyware, screen capture software, password stealers, file encryption software, and data destruction software. | The worm can download and install the Pterodo malware, allowing Gamaredon to take control of the infected system. |
| File or Partition Deletion | The worm can delete files or partitions on the infected system, potentially leading to data loss, system corruption, or boot failure. | The worm can erase the EFI partition, which contains system boot information. |
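Two rows above give a defender something concrete to look for: the “Domain Marker Usage” row (a random-looking subdomain of a hardcoded domain is resolved to obtain the C2 address) and the “Information Collection” row (the collected data then leaves via an HTTP POST to that address). The added Python example below, which is not code from the article or from any vendor named on this page, ties the two together: it flags DNS queries whose leftmost label looks random, remembers which client received which answer, and raises an alert when the same client later POSTs to that bare IP address. The key=value log format, the SAMPLE_DNS and SAMPLE_PROXY lines, the entropy and length thresholds, and the function names are all constructed assumptions; 4fj3k2h5.example.com is the article’s own illustration, and the answer addresses come from documentation ranges. The heuristic generalizes beyond the single hardcoded domain in the table to any parent domain seen in the logs.

```python
"""Correlate random-looking subdomain lookups with later POSTs to the resolved IP (added example)."""
import ipaddress
import math
import re
from collections import Counter
from urllib.parse import urlsplit

KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample logs in a simple key=value format (not any real product's format).
SAMPLE_DNS = [
    "2024-05-01T09:00:01Z client=10.0.0.5 query=4fj3k2h5.example.com type=A answer=203.0.113.10",
    "2024-05-01T09:00:02Z client=10.0.0.5 query=www.example.com type=A answer=203.0.113.20",
    "2024-05-01T09:00:03Z client=10.0.0.7 query=mail.example.net type=A answer=198.51.100.5",
    "2024-05-01T09:00:04Z client=10.0.0.7 query=p9q2w7e1.example.org type=A answer=198.51.100.9",
]
SAMPLE_PROXY = [
    "2024-05-01T09:00:05Z client=10.0.0.5 method=POST url=http://203.0.113.10/ status=200",
    "2024-05-01T09:00:06Z client=10.0.0.5 method=GET url=http://www.example.com/ status=200",
    "2024-05-01T09:00:07Z client=10.0.0.7 method=GET url=http://198.51.100.9/ status=200",
    "2024-05-01T09:00:08Z client=10.0.0.9 method=POST url=http://203.0.113.10/ status=200",
]


def parse_kv(line: str) -> dict:
    """Turn 'k1=v1 k2=v2 ...' into a dict; the leading timestamp carries no '=' and is ignored."""
    return dict(KV_RE.findall(line))


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character over the string's own symbol distribution."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def looks_random(label: str, min_len: int = 8, min_entropy: float = 2.8) -> bool:
    """Heuristic (thresholds are assumptions): long label that mixes letters and digits or is high-entropy."""
    if len(label) < min_len:
        return False
    mixed = any(ch.isdigit() for ch in label) and any(ch.isalpha() for ch in label)
    return mixed or shannon_entropy(label) >= min_entropy


def split_qname(qname: str):
    """Return (subdomain, parent) treating the last two labels as the parent.

    Simplification: multi-label public suffixes such as co.uk would need the Public Suffix List.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None, ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def random_subdomain_queries(dns_lines) -> list:
    """Return the parsed DNS records whose subdomain part contains a random-looking label."""
    hits = []
    for line in dns_lines:
        rec = parse_kv(line)
        qname = rec.get("query")
        if not qname:
            continue
        sub, _parent = split_qname(qname)
        if sub and any(looks_random(label) for label in sub.split(".")):
            hits.append(rec)
    return hits


def is_bare_ip(host) -> bool:
    try:
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        return False


def correlate_with_posts(dns_lines, proxy_lines) -> list:
    """Alert when a client POSTs to a bare IP it obtained by resolving a random-looking subdomain.

    Simplification: records are matched by (client, ip) without enforcing time ordering.
    """
    resolved = {}  # (client, answer ip) -> query name
    for rec in random_subdomain_queries(dns_lines):
        if rec.get("answer"):
            resolved[(rec.get("client"), rec["answer"])] = rec["query"]
    alerts = []
    for line in proxy_lines:
        rec = parse_kv(line)
        if rec.get("method", "").upper() != "POST":
            continue
        host = urlsplit(rec.get("url", "")).hostname
        if not is_bare_ip(host):
            continue
        key = (rec.get("client"), host)
        if key in resolved:
            alerts.append({"client": key[0], "ip": host, "query": resolved[key]})
    return alerts


if __name__ == "__main__":
    for alert in correlate_with_posts(SAMPLE_DNS, SAMPLE_PROXY):
        print(f"{alert['client']} POSTed to {alert['ip']} after resolving {alert['query']}")
```

On the sample data only client 10.0.0.5 is alerted: 10.0.0.7 resolved a random-looking name but only issued a GET, and 10.0.0.9 POSTed to the same address without ever resolving a suspicious name. Either of those partial signals is still worth a lower-severity log line in practice; the correlation is what turns them into an alert worth paging on.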
Protecting Against LitterDrifter
Safeguarding your systems against LitterDrifter and similar threats is essential in today’s interconnected digital landscape. Here are some steps you can take to enhance your cybersecurity posture:
- Keep Software Updated: Regularly update your operating system, software, and antivirus programs to patch known vulnerabilities that malware like LitterDrifter exploits.
- Exercise Caution with Email Attachments and Links: Be cautious when opening email attachments or clicking on links, especially if the sender is unknown or the email seems suspicious. Verify the legitimacy of the sender before taking any action.
- Use Reliable Security Software: Install reputable security software that can detect and block malware. Ensure that it is regularly updated to recognize new threats effectively.
- Employ Network Segmentation: Implement network segmentation to isolate critical systems and data from potentially compromised parts of your network.
- Educate Employees: Train your employees to recognize phishing attempts and the importance of safe browsing and email practices.
- USB Drive Security: Disable autorun features on computers and use endpoint security solutions to scan USB drives for malware upon insertion.
- Network Monitoring: Implement network monitoring tools to detect unusual activities and unauthorized access promptly.
- Encryption and Authentication: Use encryption for sensitive data and multi-factor authentication to secure critical accounts.
Enhancing Data Security with HSM Technologies
In addition to the steps mentioned above, organizations can enhance data security by leveraging NFC HSM (Near Field Communication and Hardware Security Module). These specialized devices provide secure storage and processing of cryptographic keys, protecting sensitive data from unauthorized access.
HSMs offer several advantages, including tamper resistance, hardware-based encryption, and secure key management. By integrating HSMs into your cybersecurity strategy, you can further safeguard your organization against threats like LitterDrifter.
Leveraging NFC HSM Technologies Made in Andorra by Freemindtronic
To take your data security to the next level, consider utilizing NFC HSM technologies manufactured in Andorra by Freemindtronic. These state-of-the-art devices are designed to meet the highest security standards, ensuring the confidentiality and integrity of your cryptographic keys.
Freemindtronic designs and manufactures white-label NFC HSM technologies, including PassCypher NFC HSM and DataShielder Defense NFC HSM. These solutions, like EviPass, EviOTP, EviCypher, and EviKey, effectively combat LitterDrifter. They enhance data security, protecting against unauthorized access and decryption, even in the era of quantum computing.
With HSMs from Freemindtronic, you benefit from:
- Tamper Resistance: HSMs are built to withstand physical tampering attempts, providing an added layer of protection against unauthorized access.
- Hardware-Based Encryption: Enjoy the benefits of hardware-based encryption, which is more secure than software-based solutions and less susceptible to vulnerabilities.
- Secure Key Management: HSMs enable secure generation, storage, and management of cryptographic keys, reducing the risk of key compromise.
By integrating HSMs into your organization’s security infrastructure, you can establish a robust defense against threats like LitterDrifter and ensure the confidentiality and integrity of your sensitive data.
Staying One Step Ahead of LitterDrifter
LitterDrifter, the USB worm associated with the Gamaredon cyber espionage group, poses a significant threat to cybersecurity. Its ability to infiltrate systems, collect sensitive data, and execute malicious actions underscores the importance of proactive protection.
By understanding LitterDrifter’s origins, functionality, and impact, as well as implementing robust cybersecurity measures, you can shield your organization from this perilous threat. Additionally, NFC HSM technologies offer an extra layer of security to safeguard your data and secrets.
Stay vigilant, stay informed, and stay ahead of LitterDrifter and the ever-evolving landscape of cyber threats.