LitterDrifter Worm: The Dual Nature of USB Propagation and C&C Communication

admin, 2023-11-20 14:58:55

Russian cyber espionage actors affiliated with the Federal Security Service (FSB) have been observed using a USB propagating worm called LitterDrifter in attacks targeting Ukrainian entities.


Check Point, which detailed Gamaredon's (aka Aqua Blizzard, Iron Tilden, Primitive Bear, Shuckworm, and Winterflounder) latest tactics, branded the group as engaging in large-scale campaigns that are followed by "data collection efforts aimed at specific targets, whose selection is likely motivated by espionage goals."


The LitterDrifter worm packs in two main features: automatically spreading the malware via connected USB drives as well as communicating with the threat actor's command-and-control (C&C) servers. It's also suspected to be an evolution of a PowerShell-based USB worm that was previously disclosed by Symantec in June 2023.


Written in VBS, the spreader module is responsible for distributing the worm as a hidden file in a USB drive together with a decoy LNK that's assigned random names. The malware gets its name LitterDrifter owing to the fact that the initial orchestration component is named "trash.dll."
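The decoy LNK is the part of a USB lure a responder actually gets to hold, and the Shell Link StringData (relative path, working directory, arguments) is where it says what it launches. The parser below is an added triage example, not code from the report or from the malware: it follows the MS-SHLLINK header and StringData layout, builds a constructed sample LNK (the wscript.exe target, the `//E:vbs //B` switches and the `agent.dat` filename are illustrative, not LitterDrifter indicators), and flags the traits that make a shortcut look like a script-launching lure rather than a document shortcut.

```python
"""Parse the Shell Link (.lnk) StringData a USB lure uses to launch its real payload.

Added triage example. Format details follow MS-SHLLINK; the sample LNKs are constructed here.
"""
import struct

HEADER_FMT = "<I16sIIQQQIIIHHII"           # ShellLinkHeader, little-endian
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 76 == 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (only those needed here).
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
SW_SHOWMINNOACTIVE = 7  # ShowCommand that starts the target minimised, i.e. out of sight

SCRIPT_HOSTS = ("wscript", "cscript", "mshta", "powershell", "cmd.exe", "rundll32", "regsvr32")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1")


def parse_lnk(data):
    """Return header fields and StringData of a .lnk as a dict; raises on non-LNK input."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a Shell Link")
    (size, clsid, flags, attrs, _ctime, _atime, _wtime, _fsize, _icon, show_cmd,
     _hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, data, 0)
    if size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip LinkTargetIDList: u16 size + bytes
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo: u32 total size includes itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    info = {"flags": flags, "file_attributes": attrs, "show_command": show_cmd}
    for bit, key in STRING_FIELDS:               # StringData fields appear in this fixed order
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        raw = data[off:off + (count * 2 if unicode else count)]
        off += len(raw)
        # ANSI strings use the system code page; cp1252 is an assumption for this example.
        info[key] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return info


def build_lnk(relative_path, arguments="", working_dir="", show_cmd=1, file_attrs=0):
    """Build a minimal Unicode .lnk with StringData only (no IDList/LinkInfo); sample generator."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS
    header = struct.pack(HEADER_FMT, HEADER_SIZE, LNK_CLSID, flags, file_attrs,
                         0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                       for s in (relative_path, working_dir, arguments))
    return header + strings


def triage_lnk(info):
    """Reasons a parsed LNK looks like a script-launching lure; empty list means nothing odd."""
    target = info.get("relative_path", "").lower()
    args = info.get("arguments", "").lower()
    reasons = []
    if any(host in target for host in SCRIPT_HOSTS):
        reasons.append("target is a script host or LOLBin: " + info["relative_path"])
    if "//e:" in args or any(ext in args for ext in SCRIPT_EXTS):
        reasons.append("arguments hand a script to the interpreter: " + info["arguments"])
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("launched minimised (SW_SHOWMINNOACTIVE)")
    return reasons


# Constructed samples, not real LitterDrifter artefacts: a lure that feeds a hidden file to
# wscript.exe with the VBScript engine forced regardless of extension, and a plain document
# shortcut for comparison.
LURE = build_lnk(r"..\..\Windows\System32\wscript.exe",
                 arguments=r'//E:vbs //B ".\hidden\agent.dat"',
                 show_cmd=SW_SHOWMINNOACTIVE)
BENIGN = build_lnk(r"report.pdf", working_dir=r"F:\Documents")

if __name__ == "__main__":
    for label, blob in (("lure", LURE), ("benign", BENIGN)):
        info = parse_lnk(blob)
        print(label, "->", info["relative_path"], info["arguments"], triage_lnk(info) or "clean")
```

The `//E:` check matters because a worm can give its VBS payload any extension it likes (the page's "trash.dll" is a reminder that the file name says nothing about the content); the interpreter switch in the shortcut's arguments is the reliable tell. Real-world shortcuts usually also carry a LinkTargetIDList and LinkInfo block, which the parser skips by size rather than decoding, so the target path may only be available from the relative path or arguments.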


"Gamaredon's approach towards the C&C is rather unique, as it utilizes domains as a placeholder for the circulating IP addresses actually used as C2 servers," Check Point explained.
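When a domain is only a placeholder for a rotating set of C2 addresses, the observable on the defender's side is answer churn in resolver logs: the same name resolving to a different address every few hours. The script below is an added example (not from Check Point's report) that counts answer changes per domain over constructed resolver log lines; the log format, the placeholder domain names and addresses, and the threshold of three changes within 24 hours are all assumptions for illustration.

```python
"""Flag domains whose A-record answer keeps changing, the 'domain as placeholder for
circulating C2 IPs' pattern. Added example; the log lines below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log: "<utc timestamp> <client> <qname> <rtype> <answer>".
# Domain names and addresses are placeholders, not indicators from the report.
SAMPLE_LOG = """\
2023-11-01T08:00:02Z 10.0.0.15 update-check.example A 203.0.113.10
2023-11-01T08:30:11Z 10.0.0.15 update-check.example A 203.0.113.10
2023-11-01T09:02:45Z 10.0.0.15 update-check.example A 198.51.100.77
2023-11-01T11:15:09Z 10.0.0.22 update-check.example A 192.0.2.201
2023-11-01T14:40:31Z 10.0.0.15 update-check.example A 198.51.100.9
2023-11-01T08:05:00Z 10.0.0.15 cdn.vendor.example A 203.0.113.50
2023-11-01T12:05:00Z 10.0.0.22 cdn.vendor.example A 203.0.113.50
2023-11-01T16:05:00Z 10.0.0.15 cdn.vendor.example A 203.0.113.50
2023-11-01T16:06:00Z 10.0.0.15 mail.vendor.example MX 10 mx.vendor.example
"""


def parse_line(line):
    """Split one log line; the answer may contain spaces (MX, TXT), so split at most 4 times."""
    ts, client, qname, rtype, answer = line.split(None, 4)
    stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return stamp, client, qname.lower().rstrip("."), rtype, answer


def resolution_churn(log_text, window=timedelta(hours=24), min_flips=3):
    """Return {domain: summary} for domains whose consecutive A answers differed at
    least min_flips times, counting only changes seen within `window` of each other."""
    history = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, _client, qname, rtype, answer = parse_line(line)
        if rtype == "A":
            history[qname].append((stamp, answer))
    flagged = {}
    for qname, seen in history.items():
        seen.sort()  # chronological order regardless of how the log was written
        flips = sum(1 for (t0, ip0), (t1, ip1) in zip(seen, seen[1:])
                    if ip0 != ip1 and t1 - t0 <= window)
        ips = sorted({ip for _, ip in seen})
        if flips >= min_flips:
            flagged[qname] = {"flips": flips, "distinct_ips": len(ips), "ips": ips,
                              "first_seen": seen[0][0], "last_seen": seen[-1][0]}
    return flagged


if __name__ == "__main__":
    for domain, summary in resolution_churn(SAMPLE_LOG).items():
        print(f"{domain}: {summary['flips']} answer changes across "
              f"{summary['distinct_ips']} addresses; pivot on {summary['ips']}")
```

Treat a hit as a lead, not a verdict: CDNs and round-robin load balancers churn the same way, so the value is in pivoting from the flagged name to the addresses it cycled through and checking which hosts talked to them. Note also that this only covers the DNS path; the Telegram-channel retrieval mentioned below leaves no such record and needs proxy or TLS metadata instead.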


LitterDrifter is also capable of connecting to a C&C server extracted from a Telegram channel, a tactic it has repeatedly put to use since at least the start of the year.


The cybersecurity firm said it also detected signs of possible infection outside of Ukraine based on VirusTotal submissions from the U.S., Vietnam, Chile, Poland, Germany, and Hong Kong.


Gamaredon has been active throughout the year while continuously evolving its attack methods. In July 2023, the adversary's rapid data exfiltration capabilities came to light, with the threat actor transmitting sensitive information within an hour of the initial compromise.


"It's clear that LitterDrifter was designed to support a large-scale collection operation," the company concluded. "It leverages simple, yet effective techniques to ensure it can reach the widest possible set of targets in the region."


The development comes as Ukraine's National Cybersecurity Coordination Center (NCSCC) revealed attacks orchestrated by Russian state-sponsored hackers targeting embassies across Europe, including Italy, Greece, Romania, and Azerbaijan.


The intrusions, attributed to APT29 (aka BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock, Midnight Blizzard, and The Dukes), involve the exploitation of the recently disclosed WinRAR vulnerability (CVE-2023-38831) via benign-looking lures that claim to offer BMWs for sale, a theme it has employed in the past.


The attack chain commences with sending victims phishing emails containing a link to a specially crafted ZIP file that, when launched, exploits the flaw to retrieve a PowerShell script from a remote server hosted on Ngrok.
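A mail gateway or sandbox can pick the "specially crafted ZIP" out before WinRAR ever opens it, because the archive layout CVE-2023-38831 depends on is visible in the entry names alone: a benign-looking file whose name ends in a trailing space, next to a folder of the same name containing a script that starts with the decoy's name, which affected WinRAR versions executed when the decoy was double-clicked. The scanner below is an added example, not code from NCSCC or from the campaign; the sample archives are constructed here with placeholder content, and the extension list is an assumption.

```python
"""Scan a ZIP for the archive layout CVE-2023-38831 relies on. Added example; samples constructed."""
import io
import zipfile

# Extensions an attacker would give the script in the same-named folder (assumed list).
SCRIPT_EXTS = (".cmd", ".bat", ".vbs", ".js", ".wsf", ".ps1", ".hta", ".exe")


def find_cve_2023_38831_layout(zip_bytes):
    """Return (decoy, script) pairs: a root-level file whose name ends in a space, plus a
    same-named folder holding a script whose name starts with the decoy's name."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()          # names are stored verbatim, trailing spaces included
    files = [n for n in names if not n.endswith("/")]
    hits = []
    for decoy in files:
        if "/" in decoy or not decoy.endswith(" "):
            continue                   # decoy sits at the root and carries the trailing space
        folder = decoy + "/"
        for inner in files:
            if not inner.startswith(folder):
                continue
            base = inner[len(folder):]
            if base.startswith(decoy.rstrip()) and base.lower().endswith(SCRIPT_EXTS):
                hits.append((decoy, inner))
    return sorted(hits)


def build_sample(decoy="invoice.pdf ", script_ext=".cmd"):
    """Constructed archive with the decoy/folder pair; placeholder bytes, nothing that runs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(decoy, b"%PDF-1.4\n% constructed placeholder, not a real document\n")
        zf.writestr(f"{decoy}/{decoy}{script_ext}", b"@echo off\r\nrem constructed placeholder\r\n")
    return buf.getvalue()


def build_benign():
    """Constructed archive with an ordinary layout for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4\n% constructed placeholder\n")
        zf.writestr("images/logo.png", b"\x89PNG constructed placeholder")
    return buf.getvalue()


SUSPICIOUS = build_sample()
BENIGN = build_benign()

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, "->", find_cve_2023_38831_layout(blob) or "no CVE-2023-38831 layout")
```

The check is purely structural, so it works on the archive before anything is extracted and is cheap enough to run inline on mail attachments; it reads only ZIP containers, so the RAR lures described further down need a RAR-capable reader with the same name-based rule. Patching WinRAR to 6.23 or later is still the fix; this is a detection for the window in which unpatched clients remain.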


"A concerning trend of exploiting CVE-2023-38831 vulnerability by Russian intelligence services hacking groups demonstrates its growing popularity and sophistication," NCSCC said.


Earlier this week, the Computer Emergency Response Team of Ukraine (CERT-UA) unearthed a phishing campaign that propagates malicious RAR archives masquerading as a PDF document from the Security Service of Ukraine (SBU) but which, in reality, contain an executable that leads to the deployment of Remcos RAT.


CERT-UA is tracking the activity under the moniker UAC-0050, which was also linked to another spate of cyber attacks aimed at state authorities in the country to deliver Remcos RAT in February 2023.

Originally published on the WeChat public account 知机安全: LitterDrifter Worm: The Dual Nature of USB Propagation and C&C Communication

Archived at CN-SEC中文网: http://cn-sec.com/archives/2222178.html
