USB Worm Unleashed By Russian State Hackers Spreads Worldwide

An anonymous reader quotes a report from Ars Technica: A group of Russian-state hackers known for almost exclusively targeting Ukranian entities has branched out in recent months either accidentally or purposely by allowing USB-based espionage malware to infect a variety of organizations in other countries. The group -- known by many names, including Gamaredon, Primitive Bear, ACTINIUM, Armageddon, and Shuckworm -- has been active since at least 2014 and has been attributed to Russia's Federal Security Service by the Security Service of Ukraine. Most Kremlin-backed groups take pains to fly under the radar; Gamaredon doesn't care to. Its espionage-motivated campaigns targeting large numbers of Ukrainian organizations are easy to detect and tie back to the Russian government. The campaigns typically revolve around malware that aims to obtain as much information from targets as possible.

One of those tools is a computer worm designed to spread from computer to computer through USB drives. Tracked by researchers from Check Point Research as LitterDrifter, the malware is written in the Visual Basic Scripting language. LitterDrifter serves two purposes: to promiscuously spread from USB drive to USB drive and to permanently infect the devices that connect to such drives with malware that permanently communicates with Gamaredon-operated command and control servers. "Gamaredon continues to focus on [a] wide variety [of] Ukrainian targets, but due to the nature of the USB worm, we see indications of possible infection in various countries like USA, Vietnam, Chile, Poland and Germany," Check Point researchers reported recently. "In addition, we've observed evidence of infections in Hong Kong. All this might indicate that much like other USB worms, LitterDrifter [has] spread beyond its intended targets."

The image [here], tracking submissions of LitterDrifter to the Alphabet-owned VirusTotal service, indicates that the Gamaredon malware may be infecting targets well outside the borders of Ukraine. VirusTotal submissions usually come from people or organizations that encounter unfamiliar or suspicious-looking software on their networks and want to know if it's malicious. The data suggests that the number of infections in the US, Vietnam, Chile, Poland, and Germany combined may be roughly half of those hitting organizations inside Ukraine.

A 2002 tactic is considered news today

[dknj]

Those two functionalities reside within an orchestration component saved to disk as “trash.dll”, which is actually a VBS, despite its file extension name.

More importantly is how many people have been pwned by this. Why are we opening random files on random USB sticks again?

Re:A 2002 tactic is considered news today

[HBI]

The reason why state sponsored groups are fond of this tactic is that it's an end run around air gapped networks. The trick is to stash data on the drive and wait until it appears on a host connected to the internet, then deposit payload. It seems crude but it's very effective to its purpose.

Re:A 2002 tactic is considered news today

[balexis]

This particular attack has nothing to do with air-gapped networks, but you're right in that usb drives are used this way. In fact, they are the one and only communication method ever used to jump air-gaps in real attacks (at least that have been publicly reported). Plenty of other theoretical methods have been demonstrated though Dropping this exhaustive analysis here in case anyone's interested in this topic: https://www.welivesecurity.com... [welivesecurity.com]

Re:

[HBI]

Stuff like this [wikipedia.org] is why the USB sticks have been the most effective of all the tools created. This is one case where rules are actually useful.

Re:

[jmccue]

Does windows still do auto-mount and auto-run on USB Drives ?

Also I am rather sure these worms are Windows specific, I saw nothing in the article. But with M/S WSL push, I can see a time when fat binaries will be "created" that will run on Linux and Windows. If so, I hope the Linux Foundation dis-allows that.

Re:

[quonset]

Does windows still do auto-mount and auto-run on USB Drives ?

Auto-mount, yes. Nothing runs as far as I can remember, though you can set it to do something when you do mount it.

Re:

[knoledgesponge]

USB isn't a dangerous vector because of random thumb drives people receive in the mail. It is the perception of safety when sharing with people we know.

Re:A 2002 tactic is considered news today

[balexis]

The trick is that the spreader component infects newly inserted USB drives and creates shortcuts (.lnk) files with the same filename & icon of the legitimate files. End users don't end up opening "unknown files", they think they are opening files that they expected to be on the drive.

Re:A 2002 tactic is considered news today

[znrt]

this made me wonder what exactly the scheme was to mislead the user (did they replace the originals? hidden files? duplicates?). so i checked out the article and it turns out that's not how it works at all:

These shortcuts are LNK files that are given random names chosen from an array in the code. This is an example of the lure’s names from an array in one of the samples that we investigated:("Bank_accunt", "a", "Bank_accunt", "a", "cmpromising_evidence"). The LNK files use wscript.exe **** to execute “trash.dll” with specified arguments " ""trash.dll"" /webm //e:vbScript //b /wm /cal ". In addition to generating the shortcut, the function also creates a hidden copy of “trash.dll” in the subfolder.

so this is indeed very old news. how shocking.

Re:

[The-Ixian]

What admin would allow random executables to be run from removable media in 2023? There is no possible good outcome from allowing that...

Re:

[itsme1234]

Nowadays you can get pawned by something that looks like a USB drive but it's emulating a keyboard, which you don't need to authorize in Windows, it "just works" when you plug it in and it runs whatever it's set to run by giving some sequence of keystrokes.

Guess which OS runs stuff out of removable media

[Rosco P. Coltrane]

willy-nilly, allowing stupid USB drive-based worms to exist at all?

Re:

[jbmartin6]

You are going to hurt yourself jerking your knee around like that. This one works by tricking users into running it, which could happen on any OS.

Re:

[ArchieBunker]

I guarantee if linux had an 85% market share we’d see the same thing.

Re:

[gtall]

You cannot guarantee squat.

Re:

[ledow]

Linux runs on millions of Chromebooks and billions of smartphones.

Yet to see an "autoplay" attack on either.

Re:

[drinkypoo]

I guarantee if linux had an 85% market share weâ(TM)d see the same thing.

You wouldn't, because Linux doesn't run stuff on inserted removable media by default.

Also, if Linux had an 85% market share then there would be enough investment to more aggressively hunt bugs. Right now it has to make do with a small percentage of that, and yet it's still generally higher quality and more secure than the alternatives.

Re:

[ArchieBunker]

It doesn’t have to auto run anything. You write an official looking program from Sandisk that asks for your sudo password to decrypt the drive. People will fall for that.

Re: Guess which OS runs stuff out of removable med

[drinkypoo]

If it doesn't auto run then the user is not going to see your trojan.

Re:

[tlhIngan]

You wouldn't, because Linux doesn't run stuff on inserted removable media by default.

Who said you need auto-run? There are attacks you can do with any USB device that are extremely hard to defend against.

Picture a USB device that has two interfaces - a USB HID and a USB storage. Shove the USB device in, and you see the storage device as expected. But the USB HID device gets activated and can pretend to be a mouse and/or keyboard and you have an attack vector.

Add a little intelligence, you can detect which O

Re:

[drinkypoo]

That's a fair response, and I have yet to find a friendly interface to usbguard. It used to have one, but it was deprecated (suspect it was unmaintained, haven't looked into it.)

Not a worm

[djgl]

Anyone else annoyed that they call it a worm and not a virus?
It doesn't infect other computers over the network.
It needs humans to carry it on a usb drive to another computer.

Re:

[crow]

Yes. This is exactly like the old floppy disk viruses. I remember getting the Stoned virus at one point way back when.

Re:

[Gravis Zero]

Sorry but that's not right. Computer viruses spread by infecting/modifying files and waiting for distribution. Computer worms spread by utilizing storage or network devices. This particular worm does not infect any files but propagates via USB.

Incorrect.

[Gravis Zero]

They specifically called it a USB worm which is accurate because it utilizes USB devices for transport. This is different from a network worm which utilize networks for transport.

See also: https://en.wikipedia.org/wiki/... [wikipedia.org]

God damn

[ThurstonMoore]

Dickhead Russians.

Re:

[Opportunist]

Funny, my grandpa said something like that when he was near Stalingrad...

VBScript? Seriously?? That's lamea55hackage

[mnemotronic]

What sort of script kiddies still use VB Script? I might be worng but I would have thought that most organizations would have GP policies that prevent users from running CSCRIPT or WSCRIPT.

Re:

[bill_mcgonigle]

You don't believe "the news", now do you?

Of course it's script kiddies, not Russians.

Batter article:

[Gravis Zero]

Check Point Research has a more in-depth look at LitterDrifter malware: https://research.checkpoint.co... [checkpoint.com]

Brought to you by the makers of Windows

[RogueWarrior65]

Microsoft is single-handedly responsible for a whole lot of GDP-killing garbage. Why should anyone let them anywhere near AI?