Russian Hackers Using Graphiron Malware to Steal Data from Ukraine

A Russia-linked threat actor has been observed deploying a new information-stealing malware in cyber attacks targeting Ukraine.

Dubbed Graphiron by Broadcom-owned Symantec, the malware is the handiwork of an espionage group known as Nodaria, which is tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) as UAC-0056.

“The malware is written in Go and is designed to harvest a wide range of information from the infected computer, including system information, credentials, screenshots, and files,” the Symantec Threat Hunter Team said in a report shared with The Hacker News.

Nodaria was first spotlighted by CERT-UA in January 2022, calling attention to the adversary’s use of SaintBot and OutSteel malware in spear-phishing attacks targeting government entities.

The group, which is said to have been active since at least April 2021, has since repeatedly deployed custom backdoors such as GraphSteel and GrimPlant in various campaigns following Russia’s military invasion of Ukraine. Select intrusions have also entailed the delivery of Cobalt Strike Beacon for post-exploitation.

Graphiron, the latest program added to the group’s arsenal, is an improved version of GraphSteel, packing in features to run shell commands and harvest system information, files, credentials, screenshots, and SSH keys.

Another notable aspect is that while GraphSteel and GrimPlant made use of Go version 1.16, Graphiron relies on version 1.18, which officially shipped in March 2022. This also suggests that Graphiron is a more recent development.
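The toolchain-version clue above is something an analyst can check on a sample directly. The script below is an added editor's example, not code from the article or from Symantec: it pulls the embedded Go version string out of a Go binary so a sample can be dated the way the paragraph does (Go 1.16 for GraphSteel/GrimPlant versus 1.18 for Graphiron). The build-info layout it parses is an assumption about Go's linker output, not something the article states.

```python
import re
import sys

# Layout facts assumed here (not stated in the article): Go binaries embed a
# build-info blob opening with a 14-byte magic, a pointer-size byte, a flags
# byte and 16 reserved bytes; Go >= 1.18 linkers set flag 0x2 and store the
# version string inline as a uvarint length followed by the text.
BUILDINFO_MAGIC = b"\xff Go buildinf:"
HEADER_SIZE = 32
FLAG_VERSION_INLINE = 0x2
VERSION_RE = re.compile(rb"go1\.\d{1,2}(?:\.\d{1,2})?(?:rc\d|beta\d)?")

def _read_uvarint(buf: bytes, pos: int):
    """Decode an unsigned LEB128 varint; return (value, position after it)."""
    value = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if b < 0x80:
            return value, pos
        shift += 7

def go_versions(data: bytes):
    """Return (list of version strings, method); ([], None) if nothing found."""
    off = data.find(BUILDINFO_MAGIC)
    if off != -1 and len(data) > off + HEADER_SIZE \
            and data[off + 15] & FLAG_VERSION_INLINE:
        n, pos = _read_uvarint(data, off + HEADER_SIZE)
        return [data[pos:pos + n].decode("ascii", "replace")], "buildinfo"
    # Pre-1.18 blobs hold pointers instead of text, so fall back to scanning
    # for the runtime.buildVersion literal; dedupe, since it may appear twice.
    found = sorted({m.group(0).decode() for m in VERSION_RE.finditer(data)})
    return found, ("string-scan" if found else None)

def version_tuple(version: str):
    """'go1.18.1' -> (1, 18, 1); rc/beta suffixes are ignored for ordering."""
    core = re.split(r"rc|beta", version)[0]
    return tuple(int(n) for n in re.findall(r"\d+", core))

def at_least(version: str, minimum: str) -> bool:
    """True if the sample's toolchain is at or above `minimum`, e.g. 'go1.18'."""
    return version_tuple(version) >= version_tuple(minimum)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            versions, how = go_versions(fh.read())
        print(f"{path}: {versions or 'no Go version marker'} via {how}")
```

The string-scan fallback can pick up unrelated "go1.x" literals (module paths, build tags), so treat multiple results as candidates to confirm rather than a verdict.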

Furthermore, an analysis of the infection chains reveals two stages: a downloader that retrieves an encrypted payload from a remote server, and the Graphiron malware contained in that payload.

With the latest findings, Nodaria joins another Russian state-sponsored group, referred to as Gamaredon, in extensively singling out Ukraine.

“While Nodaria was relatively unknown prior to the Russian invasion of Ukraine, the group’s high-level activity over the past year suggests that it is now one of the key players in Russia’s ongoing cyber campaigns against Ukraine,” Symantec said.
