Gamaredon’s LittleDrifter is a recently identified worm spreading through USB drives in Ukraine.
However, new reports claimed that this malicious tool has now been infecting systems in various countries as part of the state-sponsored group’s espionage operations. Researchers have observed signs of compromise in the United States, Germany, Vietnam, Poland, Chile, and Hong Kong.
On the other hand, some researchers believe these infections indicate that the Gamaredon threat group may have lost control of LittleDrifter, which has since spread to unintended targets. Gamaredon is a notorious Russian-backed cybercrime group that targets organisations in Ukraine across sectors such as government, defence, and critical infrastructure.
LittleDrifter carries out its tasks by communicating with its operators.
According to investigations, LittleDrifter operates by establishing communication with the operator’s command and control (C2) server and spreading through USB drives. The malware uses two distinct modules, both executed by an obfuscated VBS component, trash.dll.
The malicious tool stores all its components in the infected user’s “Favorites” directory, ensuring persistence by adding scheduled tasks and registry keys. Subsequently, it monitors newly inserted USB drives to propagate to other systems, creating deceptive LNK shortcuts and a hidden copy of “trash.dll.”
It also uses the Windows Management Instrumentation (WMI) framework to identify target drives and generates shortcuts with random names that run its malicious scripts.
Furthermore, Gamaredon employs domains as placeholders for C2 server IP addresses. Before contacting the C2 server, LittleDrifter searches the temporary folder for a configuration file. If none exists, the malware pings one of Gamaredon’s domains using a WMI query. The reply to the query contains the domain’s IP address, which the malware will save to a new configuration file.
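As an added illustration (not code from the researchers or from the article), the hunting rules below encode the persistence and USB-propagation behaviours described above: a script host launching the VBS component from the Favorites folder, a scheduled task pointing into Favorites, and a copy of trash.dll dropped alongside an LNK lure on a removable drive. The telemetry is constructed, Sysmon-style input and its field names (kind, image, cmdline, path, removable) are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
FAVORITES = re.compile(r"\\favorites\\", re.I)

@dataclass
class Event:
    kind: str                # "ProcessCreate" or "FileCreate"
    image: str = ""          # process image name (ProcessCreate)
    cmdline: str = ""        # full command line (ProcessCreate)
    path: str = ""           # file path (FileCreate)
    removable: bool = False  # constructed flag: file written to a removable drive

# Constructed sample telemetry mirroring the behaviour described in the article.
SAMPLE_EVENTS = [
    Event("ProcessCreate", "wscript.exe",
          r'wscript.exe //e:vbs "C:\Users\bob\Favorites\trash.dll"'),
    Event("ProcessCreate", "schtasks.exe",
          r'schtasks /create /tn sync /tr "wscript C:\Users\bob\Favorites\trash.dll" /sc minute'),
    Event("FileCreate", path=r"E:\trash.dll", removable=True),
    Event("FileCreate", path=r"E:\Documents.lnk", removable=True),
    Event("ProcessCreate", "notepad.exe", r"notepad.exe C:\Users\bob\notes.txt"),
]

def hunt(events):
    """Return the sorted list of rule names matched by the supplied events."""
    hits = set()
    by_drive = defaultdict(set)  # removable drive letter -> file names written to it
    for e in events:
        if e.kind == "ProcessCreate":
            img, cmd = e.image.lower(), e.cmdline
            # Rule 1: a script host runs the obfuscated VBS component out of Favorites.
            if img in SCRIPT_HOSTS and FAVORITES.search(cmd):
                hits.add("script_host_from_favorites")
            # Rule 2: persistence via a scheduled task whose action lives in Favorites.
            if img == "schtasks.exe" and "/create" in cmd.lower() and FAVORITES.search(cmd):
                hits.add("scheduled_task_to_favorites")
        elif e.kind == "FileCreate" and e.removable:
            head, _, name = e.path.rpartition("\\")
            by_drive[head.split("\\")[0].lower()].add(name.lower())
    # Rule 3: propagation, a copy of trash.dll plus an LNK lure on the same removable drive.
    for drive, names in by_drive.items():
        if "trash.dll" in names and any(n.endswith(".lnk") for n in names):
            hits.add(f"usb_propagation_{drive}")
    return sorted(hits)

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```

Rule 3 deliberately requires both artefacts on the same drive, so a lone LNK file or a stray file named trash.dll on its own does not fire.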
All domains LittleDrifter uses are registered under ‘REGRU-RU’ and sit under the ‘.ru’ top-level domain. Each command-and-control IP address in LittleDrifter operations lives for approximately 28 hours, with daily changes intended to bypass security detection and blocking.
Although the C2 can send additional payloads, LittleDrifter itself does not download other payloads, which indicates that the campaign is highly targeted. Lastly, the malware can retrieve the C2 IP address from a Telegram channel as a backup option.
Researchers explained that the malicious tool could be the initial stage of an attack, since it focuses on establishing persistence and waits for new payloads from the C2 to advance the attack. So far, it has proven effective despite its simplicity and lack of novel techniques.
Organisations globally should be ready for the threat posed by this malware.