Russia's Sinister LitterDrifter Malware That Spies On Ukraine Worms Into The US

The Russian espionage apparatus is vast and prolific, and a recently analyzed piece of Russian malware now turning up on systems in the United States shows it. With the war in Ukraine in full swing, that apparatus is not only throwing tools and resources at Ukraine but is also pushing into other countries, the United States among them. It was while tracking this activity that researchers at Check Point identified LitterDrifter, a USB-propagating worm whose infections have been rising in Ukraine and have also surfaced in the United States.

Gamaredon, also tracked as Primitive Bear, ACTINIUM, and Shuckworm, is a Russian state-backed threat group made up of personnel from the Russian Federal Security Service (FSB). The group primarily runs large-scale espionage campaigns against Ukraine and Ukrainian entities, though its targeting is not limited to them. Most recently, the group has been tied to a new USB-propagating worm that researchers at Check Point have dubbed LitterDrifter.


LitterDrifter is a worm written in Visual Basic Script (VBS) with two main functions: spreading over USB drives and communicating with a broad command-and-control (C2) network. Per the Check Point report, this C2 network is both wide and flexible, with features that “are implemented in a manner that aligns with the group’s goals, effectively maintaining a persistent command and control (C2) channel across a wide array of targets.”

The worm can reach out to Telegram, via a channel controlled by the threat actor, to obtain a new C2 IP address.

On the technical side, the malware has an “orchestration component” that coordinates the two main functions, all of which is contained within TRASH.DLL. Despite the name, this file is VBScript rather than a real DLL; it establishes persistence and handles C2 communication, and the latter is the more interesting part. The researchers explain that the C2 routine keeps a fail counter: after enough failed attempts, the worm changes how it communicates with the C2 network or fetches a new C2 server entirely.
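Neither this article nor the Check Point report it summarizes includes code; what follows is an added example written for this page, not code from the original or from the researchers. It shows how a defender might hunt for the two traits described above in process-creation telemetry: a Windows script host (wscript.exe or cscript.exe) executing a file whose extension is not a script extension (TRASH.DLL is VBScript wearing a DLL name), and a script host launched against a file on a removable drive, the worm's spreading medium. The event format, the sample events, the list of removable drive letters and all names are constructed for the example.

```python
import ntpath
import re
from dataclasses import dataclass

# Windows script hosts that execute VBScript (and JScript) files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Extensions a script host is normally handed. Anything else (e.g. ".dll")
# deserves a look: LitterDrifter's "DLL" is VBScript under another name, and
# the //e: switch lets the host run it regardless of extension.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}

# Drive letters of removable media on the monitored host. Assumed for this
# example; in production take them from device-arrival telemetry or
# Win32_LogicalDisk (DriveType=2).
REMOVABLE_DRIVES = {"E:", "F:"}

# Constructed, simplified process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    # benign: logon script from a network share
    r'Image=C:\Windows\System32\wscript.exe CommandLine="wscript.exe" "\\corp\netlogon\map_drives.vbs"',
    # suspicious: script host told to run a ".dll" from the user's profile
    r'Image=C:\Windows\System32\wscript.exe CommandLine="wscript.exe" //e:vbscript "C:\Users\alice\AppData\Local\Temp\trash.dll"',
    # suspicious: script host launched against a file on a removable drive
    r'Image=C:\Windows\System32\wscript.exe CommandLine="wscript.exe" "E:\Documents\report.vbs"',
    # unrelated process, ignored
    r'Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe" "C:\Users\alice\notes.txt"',
]

EVENT_RE = re.compile(r"^Image=(?P<image>.+?) CommandLine=(?P<cmd>.*)$")
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


@dataclass
class Finding:
    event_no: int
    reason: str
    script: str


def script_argument(cmd):
    """Return the first non-switch argument of a script-host command line.

    wscript/cscript switches start with '/' or '//' (e.g. //e:vbscript, //b),
    so skipping those leaves the script path, quoted or not.
    """
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmd)]
    for tok in tokens[1:]:  # tokens[0] is the host executable itself
        if not tok.startswith("/"):
            return tok
    return None


def analyze(events):
    """Apply both heuristics to every script-host event and return findings."""
    findings = []
    for n, line in enumerate(events):
        m = EVENT_RE.match(line)
        if not m:
            continue
        host = ntpath.basename(m.group("image")).lower()
        if host not in SCRIPT_HOSTS:
            continue
        script = script_argument(m.group("cmd"))
        if script is None:
            continue
        # Rule 1: a script host running something that is not named as a script.
        ext = ntpath.splitext(script)[1].lower()
        if ext not in SCRIPT_EXTS:
            findings.append(Finding(n, "non_script_extension", script))
        # Rule 2: the script lives on removable media.
        drive = ntpath.splitdrive(script)[0].upper()
        if drive in REMOVABLE_DRIVES:
            findings.append(Finding(n, "removable_drive", script))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"event {f.event_no}: {f.reason}: {f.script}")
```

Run on the constructed events, the first rule fires on the trash.dll line and the second on the E: drive line, while the logon script from the network share and the notepad event pass. Both rules produce noise in environments that legitimately run VBS from USB sticks, so treat them as hunting queries to be tuned against a baseline rather than as blocking signatures.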

Check Point describes the malware as “relatively unsophisticated,” relying on simple but effective techniques, yet notes that “it was designed to support a large-scale collection operation.” It is likely one piece of a broader cyber campaign tied to the ongoing war in Ukraine, and there are probably other campaigns just like it. With LitterDrifter’s discovery, though, the game of whack-a-bear with Russian intelligence agencies continues.