Ukrainian organizations have been targeted by Russian state-sponsored hacking operation Gamaredon, also known as Iron Tilden, Aqua Blizzard, Shuckworm, Primitive Bear, and Winterflounder, with the LitterDrifter USB worm in new cyberespionage attacks, The Hacker News reports.
The LitterDrifter worm spreads through a concealed file on a USB drive paired with a fraudulent LNK file, then deploys "trash.dll" for initial orchestration, according to a Check Point report. LitterDrifter has also been observed since the beginning of 2023 communicating with command-and-control servers whose addresses are extracted from Telegram channels.
While Ukraine-based entities are the primary target of LitterDrifter, evidence of potential USB worm compromise has been observed in the U.S., Chile, Germany, Poland, and Vietnam.
"It's clear that LitterDrifter was designed to support a large-scale collection operation. It leverages simple, yet effective techniques to ensure it can reach the widest possible set of targets in the region," said Check Point researchers.
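The removable-media pattern described above (a hidden file next to a decoy LNK shortcut that launches it) is something a defender can check for directly. The following is an added example, not code from Check Point or The Hacker News: it contains a minimal parser for the Windows ShellLink (.lnk) format based on the public [MS-SHLLINK] layout, builds a constructed sample drive layout in a temporary directory, and flags shortcuts that shadow a real folder name, target a script or LOLBin host, or reference a hidden file on the same drive. The file names, the rundll32 argument string and the list of watched hosts are assumptions made for the demo, not details taken from the report; on POSIX a dot-prefixed name stands in for the Windows hidden attribute.

```python
"""Detect decoy-shortcut plus hidden-file layouts on removable media (added example)."""
import re
import stat
import struct
import tempfile
from pathlib import Path

# LinkFlags bits from the public [MS-SHLLINK] specification
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
# Assumed watch list of hosts commonly used to run a file dropped next to a shortcut
SCRIPT_HOSTS = ("wscript", "cscript", "rundll32", "regsvr32", "mshta", "powershell")


def parse_lnk(data: bytes) -> dict:
    """Minimal ShellLink parser: skips IDList and LinkInfo, returns the StringData fields."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a ShellLink (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, key in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                fields[key] = data[pos:pos + count].decode("cp1252", "replace")
                pos += count
    return fields


def build_lnk(name: str, relative_path: str, arguments: str) -> bytes:
    """Constructed sample .lnk (header plus unicode StringData) used only to exercise the scanner."""
    flags = HAS_NAME | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, bytes(16), flags).ljust(0x4C, b"\0")
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (name, relative_path, arguments))
    return header + body


def is_hidden(path: Path) -> bool:
    """Windows hidden attribute when the platform exposes it; dot-prefix as the POSIX stand-in."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or path.name.startswith(".")


def scan_drive(root: Path) -> list:
    """Flag .lnk files at the drive root that look like folder decoys driving a hidden file."""
    root = Path(root)
    dirs = {p.name.lower() for p in root.iterdir() if p.is_dir()}
    findings = []
    for lnk in root.glob("*.lnk"):
        fields = parse_lnk(lnk.read_bytes())
        launch = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
        reasons = []
        if lnk.stem.lower() in dirs:
            reasons.append("shortcut name shadows a real folder on the drive")
        if any(h in launch for h in SCRIPT_HOSTS):
            reasons.append("target is a script or LOLBin host")
        for tok in re.split(r'[\s,"]+', fields.get("arguments", "")):
            if tok and (root / tok).is_file() and is_hidden(root / tok):
                reasons.append(f"argument references hidden file {tok}")
        if reasons:
            findings.append({"lnk": lnk.name, "reasons": reasons, "fields": fields})
    return findings


def build_demo_drive() -> Path:
    """Constructed USB-root layout: a real folder, a decoy shortcut shadowing it, a hidden stage, a benign shortcut."""
    root = Path(tempfile.mkdtemp(prefix="usbdemo_"))
    (root / "Documents").mkdir()
    (root / ".stage_demo.dll").write_bytes(b"MZ placeholder, not a real DLL")  # hypothetical name
    (root / "Documents.lnk").write_bytes(
        build_lnk("Documents", "..\\..\\Windows\\System32\\rundll32.exe", ".stage_demo.dll,Run"))
    (root / "Report.lnk").write_bytes(build_lnk("Report", "Documents\\report.docx", ""))
    return root


if __name__ == "__main__":
    for f in scan_drive(build_demo_drive()):
        print(f["lnk"], "->", "; ".join(f["reasons"]))
```

Running the script on the constructed layout reports only `Documents.lnk`, with all three reasons; the benign `Report.lnk` is left alone. Pointed at a real removable drive root, `scan_drive` gives a quick triage signal; the hidden-file check is the one worth keeping even when the host list is tuned, because a shortcut at a drive root that reads a hidden sibling file is rarely legitimate.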
Impacted by different levels of log disruption were Microsoft Entra, Microsoft Sentinel, Azure Logic Apps, Azure Monitor, Azure Healthcare APIs, Azure Trusted Signing, Azure Virtual Desktop, and Power Platform, according to Microsoft.
Attacks involved the display of fraudulent Google Meet popup alerts, which would download the StealC or Rhadamanthys infostealers for Windows users and the AMOS Stealer payload for macOS users, according to a Sekoia analysis.
Malicious spear-phishing messages have been leveraged by RomCom to distribute the MeltingClaw or RustyClaw downloaders for the ShadyHammock and DustyHammock backdoors, respectively, with the latter facilitating the delivery of the SingleCamper trojan.