The Russian state-affiliated hacker group, known by various aliases including Gamaredon, Primitive Bear, ACTINIUM, Armageddon, and Shuckworm, has broadened its cyber espionage efforts beyond its initial focus on Ukraine, as per reporting by Computing. This expansion has been marked by the global spread of a USB-based malware known as LitterDrifter.

Historically linked to Russia’s Federal Security Service by Ukraine’s Security Service, Gamaredon has been active since 2014. Their operations have predominantly targeted Ukrainian organizations to collect comprehensive data through various malware tools, with LitterDrifter being a notable example. This particular malware is a computer worm developed in Visual Basic Scripting language.

The mechanics of LitterDrifter’s spread

The primary mechanism of LitterDrifter involves propagation through USB drives, leading to the persistent infection of devices. These infected devices then communicate with servers controlled by Gamaredon. Check Point Research has noted that LitterDrifter has inadvertently or intentionally spread to several countries, including the USA, Vietnam, Chile, Poland, Germany, and Hong Kong.

LitterDrifter rapidly replicates, a trait typical of computer worms. Its self-replicating nature mirrors significant cyber threats like Stuxnet, but it stands out with its USB-based activation, similar to worms like NotPetya and WannaCry.

The spreading mechanism of LitterDrifter involves creating deceptive shortcut files (LNK) and hidden instances of a file named “trash.dll” on removable USB drives. It uses Windows Management Instrumentation to scan a computer’s logical drives, specifically targeting removable USB drives identified by a null MediaType value. The worm then infiltrates subfolders on these drives, generating shortcuts that aid in disseminating the malware.
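A defender-side triage script for the artefacts described above, added here as an example and not code from the article or from any vendor report: it walks a mounted removable drive and flags any file named trash.dll plus LNK shortcuts planted in subfolders. It assumes the drive root is supplied by the caller (on Windows you would get it from the same WMI logical-disk enumeration the article mentions); the sample tree it builds is constructed, not a real sample.

```python
import os
import stat
import tempfile

# Indicators taken from the article: a hidden file named "trash.dll" and
# LNK shortcuts dropped into subfolders of a removable drive.
TRASH_NAME = "trash.dll"


def is_hidden(path: str) -> bool:
    """True if the file carries the Windows hidden attribute.
    Assumption: st_file_attributes only exists on Windows; elsewhere
    the attribute is absent and we report False."""
    try:
        attrs = os.stat(path).st_file_attributes
    except AttributeError:
        return False
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def scan_removable_root(root: str) -> list:
    """Walk a mounted removable drive and return suspicious artefacts.
    Each finding records the path, the indicator kind and hidden state."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        in_subfolder = os.path.relpath(dirpath, root) != "."
        for name in files:
            full = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == TRASH_NAME:
                findings.append({"path": full, "kind": "trash_dll", "hidden": is_hidden(full)})
            elif lower.endswith(".lnk") and in_subfolder:
                findings.append({"path": full, "kind": "lnk_in_subfolder", "hidden": is_hidden(full)})
    return findings


def build_sample_drive() -> str:
    """Constructed directory layout mimicking the described artefacts (inert text files)."""
    root = tempfile.mkdtemp(prefix="usb_")
    os.makedirs(os.path.join(root, "Documents"))
    for rel in ("Documents/trash.dll", "Documents/Documents.lnk", "readme.txt", "notes.lnk"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample\n")
    return root


if __name__ == "__main__":
    for finding in scan_removable_root(build_sample_drive()):
        print(finding)
```

A root-level shortcut (notes.lnk above) is deliberately not flagged, since the article ties the indicator to shortcuts inside subfolders; tighten or loosen that rule to match your own USB policy.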

The global spread of LitterDrifter signifies a worrying escalation in cyber espionage capabilities, highlighting the ongoing threat posed by state-affiliated hacking groups. The ease with which this malware spreads via USB drives emphasizes the importance of robust cybersecurity practices and awareness, particularly for organizations that handle sensitive data. As cyber threats continue to evolve, staying ahead of such risks is crucial for maintaining global cybersecurity integrity.

Maxwell Nelson

Freelance Journalist

Maxwell Nelson, a seasoned crypto journalist and content strategist, has notably contributed to industry-leading platforms such as Cointelegraph, OKX Insights, and Decrypt, weaving complex crypto narratives into insightful articles that resonate with a broad readership.