A Russia-linked threat actor has been observed deploying a new information stealer dubbed Graphiron in attacks against Ukraine.
Researchers from Broadcom Symantec spotted a Russia-linked ATP group, tracked as Nodaria (aka UAC-0056), deploying new info-stealing malware, dubbed Graphiron, in attacks against Ukraine.
The Nodaria APT group has been active since at least March 2021, it focuses on Ukraine, despite it has been involved in attacks on targets in Kyrgyzstan and Georgia.
The Graphiron malware allows operators to harvest a wide range of information from the infected systems, including system info, credentials, screenshots, and files.
The malicious code is written in Go programming language, it was first observed in October 2022 and was involved in attacks since at least mid-January 2023.
Graphiron comprises two-stage components: a downloader (Downloader.Graphiron) and a payload (Infostealer.Graphiron).
The downloader contains hardcoded C2 server addresses. Upon execution, the downloader will check against a blacklist of malware analysis tools by checking for running processes’ specific names (i.e. BurpSuite, WinDump, dumpcap, etc). If none of the blacklisted processes are found, it will connect to a C&C server and download and decrypt the payload before adding it to autorun.
The experts pointed out that the downloader runs just once, if it fails will be no more executed.
“Graphiron uses AES encryption with hardcoded keys. It creates temporary files with the “.lock” and “.trash” extensions. It uses hardcoded file names designed to masquerade as Microsoft office executables: OfficeTemplate.exe and MicrosoftOfficeDashboard.exe” reads the analysis published by Symantec.
“The payload is capable of carrying out the following tasks:
Obtains the IP address from https://checkip.amazonaws.com
Retrieves the hostname, system info, and user info
Steals data from Firefox and Thunderbird
Steals private keys from MobaXTerm.
Steals SSH known hosts
Steals data from PuTTY
Steals stored passwords
Creates a directory
Lists a directory
Runs a shell command
Steals an arbitrary file
The malicious code uses a PowerShell command to steal passwords on the infected system.
The researchers highlighted similarities between Graphiron and older tools in the Nodaria’s arsenal, such as GraphSteel and GrimPlant.
The cyberespionage group Nodaria was linked to the WhisperGate wiper attacks against Ukrainian government computers and websites in January 2022.
The attack chain used by the APT group usually starts with spear-phishing messages, which are then used to deliver a malicious payload to victims. The list of custom tools used by the group includes:
Elephant Dropper: A dropper
Elephant Downloader: A downloader
SaintBot: A downloader
OutSteel: Information stealer
GrimPlant (aka Elephant Implant): Collects system information and maintains persistence
GraphSteel (aka Elephant Client): Information stealer
“While Nodaria was relatively unknown prior to the Russian invasion of Ukraine, the group’s high-level activity over the past year suggests that it is now one of the key players in Russia’s ongoing cyber campaigns against Ukraine.” Symantec concludes.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Graphiron)
The post New Graphiron info-stealer used in attacks against Ukraine appeared first on Security Affairs.