A new Russian hacking group has joined the onslaught against Ukraine in this current geopolitical conflict by deploying the Graphiron infostealer malware. Based on the report, the hacker group dubbed Nodaria launched the infostealer to steal data from Ukrainian organisations.
This Golang-based malware could collect troves of data, such as account credentials and system and app details. Additionally, this strain could capture screenshots and exfiltrate files from infected devices.
This Russian-affiliated hacking group has been using the Graphiron infostealer in its attacks since October last year.
According to the investigation, Graphiron consists of two components: a downloader and the information-stealing payload it retrieves.
When launched by its operators, the downloader first checks the targeted device for security software and malware analysis tools. If it detects none, it proceeds to download the information-stealing component.
Some of the confirmed processes that the downloader looks for are Charles, Fiddler, Wireshark, rpcapd, x96dbg, ollydbg, idag, and BurpSuite. The malware uses file names such as MicrosoftOfficeDashboard[.]exe and OfficeTemplate[.]exe to masquerade as Microsoft Office components on the compromised system.
The researchers also revealed some of its confirmed capabilities, such as reading the MachineGuid, obtaining the external IP address from AWS, retrieving the hostname, system information and user information, and stealing data from Firefox and Thunderbird.
Furthermore, this infostealer could steal several critical data such as private keys from MobaXTerm, SSH known hosts, PuTTY data, and saved passwords.
The Graphiron infostealer could also use PowerShell code to steal passwords from the Windows Vault, where saved credentials are stored encrypted. The malware uses AES encryption with hardcoded keys to communicate with its command-and-control server over port 443.
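As an added defender-side example (not code from the report or the article), the following Python correlates the spoofed Office file names listed above with outbound connections on port 443 from the same process, the two behaviours the article attributes to Graphiron; the log format and the sample lines are constructed for this example.

```python
import re

# File names the report says Graphiron uses to pose as Microsoft Office components.
MASQUERADE_NAMES = {"microsoftofficedashboard.exe", "officetemplate.exe"}
C2_PORT = "443"  # the report states C2 traffic goes over port 443

# Assumed log format (constructed for this example, loosely Sysmon-like,
# field values contain no spaces):
#   ProcessCreate pid=<n> image=<path>
#   NetworkConnect pid=<n> dstport=<port> dst=<ip>
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Split one log line into {'type': ..., 'pid': ..., ...}; None if malformed."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return None
    fields = dict(FIELD_RE.findall(parts[1]))
    fields["type"] = parts[0]
    return fields

def is_masquerade_image(image):
    """True when the image's file name is one of Graphiron's spoofed Office names."""
    return image.rsplit("\\", 1)[-1].lower() in MASQUERADE_NAMES

def hunt_graphiron(log_lines):
    """Correlate process creation with network connections by pid and return
    (image, destination) pairs where a spoofed-name process reached out on 443."""
    images_by_pid = {}
    alerts = []
    for line in log_lines:
        ev = parse_event(line)
        if not ev or "pid" not in ev:
            continue
        if ev["type"] == "ProcessCreate" and is_masquerade_image(ev.get("image", "")):
            images_by_pid[ev["pid"]] = ev["image"]
        elif ev["type"] == "NetworkConnect" and ev["pid"] in images_by_pid:
            if ev.get("dstport") == C2_PORT:
                alerts.append((images_by_pid[ev["pid"]], ev.get("dst", "?")))
    return alerts

# Constructed sample telemetry (not real logs); addresses are from documentation ranges.
SAMPLE_LOG = [
    "ProcessCreate pid=4312 image=C:\\Office16\\WINWORD.EXE",
    "ProcessCreate pid=5120 image=C:\\Users\\alice\\AppData\\Local\\Temp\\OfficeTemplate.exe",
    "NetworkConnect pid=4312 dstport=443 dst=192.0.2.10",
    "NetworkConnect pid=5120 dstport=443 dst=198.51.100.7",
    "ProcessCreate pid=6004 image=C:\\ProgramData\\MicrosoftOfficeDashboard.exe",
    "NetworkConnect pid=6004 dstport=80 dst=198.51.100.8",
]

if __name__ == "__main__":
    for image, dst in hunt_graphiron(SAMPLE_LOG):
        print(f"possible Graphiron C2: {image} -> {dst}:{C2_PORT}")
```

Only the spoofed-name process that actually connects on 443 is reported; the one on port 80 is left for lower-priority triage.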
These capabilities resemble those of older Nodaria tools such as GrimPlant and GraphSteal.
Russian hackers have commonly delivered their payloads to targets through spear-phishing campaigns, so Graphiron was likely delivered using a similar tactic.
The Graphiron infostealer is the latest addition to Russia's cyber assault against Ukraine. Ukrainian organisations should therefore expect further cyberattacks from Russian threat groups using a variety of attack tools and malware strains.
