LitterDrifter Powershell Worm Rapidly Spreads on USB Drives

Gamaredon (aka Primitive Bear, ACTINIUM, and Shuckworm) stands out in Russian espionage by exclusively targeting Ukrainian entities. Unusually evident, it challenges researchers seeking evidence of Russian activities.

The Russian FSB leads this group, as Ukraine’s SSU linked them, and it runs big regional ops. After major campaigns, they target specific data for espionage.


To keep access, they deploy tools like LitterDrifter, a VBS USB worm by Gamaredon. It spreads automatically and communicates with diverse command servers, ensuring persistent control across targets.

LitterDrifter, a self-propagating worm, appears as an evolved version linked to Gamaredon’s USB Powershell worm activity.

LitterDrifter Powershell

LitterDrifter spreads via drives and sets up a C2 channel to Gamaredon’s infrastructure. Its arrangement component, “trash.dll,” is deceptively named, and it is a VBS file.

Starting with trash.dll, it decodes and executes modules, ensuring initial persistence in the victim’s system.

Execution flow (Source – CheckPoint)

Here below, we have mentioned the two modules that are run on successful execution:-

  • Spreader module: The Spreader module works by going through subfolders repeatedly. As it does this, it creates decoy shortcuts called LNK and makes hidden copies of a file called “trash.dll”. By using WMI, it identifies USB drives that can be removed and checks if they have null values for their MediaType. For every identified drive, it executes the function “createShortcutsInSubfolders,” going through subfolders up to a depth of 2.
  • C2 Module: Gamaredon’s C&C method involves using domains as placeholders for actual IP addresses. Before contacting a C2 server, the script checks %TEMP% for an existing config file, verifying prior infection. If absent, it pings a Gamaredon domain, extracts the IP, and saves it to a new config file. LitterDrifter converts the IP into a URL format like:-

While the C2 communication uses a custom user-agent with machine info, resulting in a user-agent like this:-

DEOBFUSCODER, the obfuscated orchestration component in LitterDrifter, uses string-based character substitution and includes 7 mangled functions/variables. 

Moreover, a delayed execution function is run for a few seconds during the “Deobfuscate” operation.


Free Webinar

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked. The session will cover: an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

The planned obfuscation in the flow employs unclear names and inline scripting, challenging casual observers to interpret the:-

Fail count rises when C2 fails to yield payload or Telegram backup. If the Telegram channel ID is retrieved, it’s saved in a backup file as per code flow.

Gamaredon’s Telegram channel that conceals a C&C IP address (Source – CheckPoint)

LitterDrifter decodes the C2 payload that unveiled the base64 content. Besides this, the infrastructure of Gamaredon reveals the patterns in registration with REGRU-RU and .ru TLD.

Certain domains have been linked to LitterDrifter, while others have been associated with various Gamaredon clusters, reads Checkpoint report.

LitterDrifter appears to be a relatively simple malware that shares similarities with Gamaredon’s direct approach. It has proven to be highly efficient in carrying out various activities within Ukraine.

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.

Source link