A recently discovered worm that researchers call LittleDrifter has been spreading over USB drives infecting systems in multiple countries as part of a campaign from the Gamaredon state-sponsored espionage group.
Malware researchers saw indications of compromise in the United States, Ukraine, Germany, Vietnam, Poland, Chile, and Hong Kong, which suggests that the threat group lost control of LittleDrifter, which reached unintended targets.
LitterDrifter's indicative spread (Check Point)
According to research from Check Point, the malware is written in VBS and was designed to propagate through USB drives, as an evolution of Gamaredon's USB PowerShell worm.
Gamaredon, also known as Shuckworm, Iron Tilden, and Primitive Bear is a cyber espionage threat group associated with Russian that for at least a decade has targeted organizations in Ukraine from multiple sectors, including government, defense, and critical infrastructure.
LitterDrifter's purpose is to establish communications with the threat group's command and control (C2) server and to spread over USB drives.
To achieve its goal, the malware uses two separate modules, which are executed by the heavily obfuscated VBS component trash.dll.
LitterDrifter's execution scheme (Check Point)
LitterDrifter and all its components nest in the user's "Favorites" directory and establish persistence by adding scheduled tasks and registry keys.
The module responsible for propagation to other systems monitors for newly inserted USB drives and creates deceptive LNK shortcuts along with a hidden copy of the "trash.dll."
Infecting USB drives (Check Point)
The malware uses the Windows Management Instrumentation (WMI) management framework to identify target drives and creates shortcuts with random names to execute malicious scripts.
The spreader module code (Check Point) ..
Support the originator by clicking the read the rest link below.