A Russia-linked threat actor has been observed deploying a new information-stealing malware in cyber attacks targeting Ukraine.

Dubbed Graphiron by Broadcom-owned Symantec, the malware is the handiwork of an espionage group known as Nodaria, which is tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) as UAC-0056.

“The malware is written in Go and is designed to harvest a wide range of information from the infected computer, including system information, credentials, screenshots, and files,” the Symantec Threat Hunter Team said in a report shared with The Hacker News.

Nodaria was first spotlighted by CERT-UA in January 2022, calling attention to the adversary’s use of SaintBot and OutSteel malware in spear-phishing attacks targeting government entities.

The group, which is said to have been active since at least April 2021, has repeatedly deployed custom backdoors such as GraphSteel and GrimPlant in various campaigns following Russia’s military invasion of Ukraine. Select intrusions have also entailed the delivery of Cobalt Strike Beacon for post-exploitation.

Graphiron, the latest program added to the group’s arsenal, is an improved version of GraphSteel, packing in features to run shell commands and harvest system information, files, credentials, screenshots, and SSH keys.

Another notable aspect is that while GraphSteel and GrimPlant made use of Go version 1.16, Graphiron relies on version 1.18, which officially shipped in March 2022. This also suggests that Graphiron is a more recent development.

Furthermore, an analysis of the infection chains reveals two stages: a downloader that is responsible for retrieving an encrypted payload containing the Graphiron malware from a remote server, followed by the Graphiron payload itself.

With the latest findings, Nodaria joins another Russian state-sponsored group referred to as Gamaredon in extensively singling out Ukraine.

“While Nodaria was relatively unknown prior to the Russian invasion of Ukraine, the group’s high-level activity over the past year suggests that it is now one of the key players in Russia’s ongoing cyber campaigns against Ukraine,” Symantec said.