
Gamaredon’s LitterDrifter USB malware spreads outside Ukraine

November 21, 2023

The newly discovered worm, which researchers have named LitterDrifter, spreads via USB drives and has infected systems in several countries as part of a campaign by the state-sponsored espionage group Gamaredon.

Malware researchers have seen signs of compromise in the US, Ukraine, Germany, Vietnam, Poland, Chile and Hong Kong, suggesting the threat group has lost control of the worm and that it is reaching unintended targets. According to Check Point Research, the malware is written in VBS and designed to propagate over USB drives, an evolution of Gamaredon’s earlier PowerShell USB worm.

Estimated spread of LitterDrifter (Check Point)

Gamaredon, also known as Shuckworm, Iron Tilden, and Primitive Bear, is a Russia-linked cyberespionage threat group that has been targeting organizations across multiple sectors, including government, defense, and critical infrastructure in Ukraine for at least a decade.

LitterDrifter details

LitterDrifter has two goals: spreading to USB drives and communicating with the threat group’s command and control (C2) servers. Each goal is handled by a separate module, both driven by a heavily obfuscated VBS orchestrator, trash.dll.

LitterDrifter execution scheme (Check Point)

LitterDrifter and all of its components are dropped into the user’s Favorites directory, and persistence is established through scheduled tasks and registry keys that relaunch the script.

The spreader module, responsible for reaching other systems, monitors for newly attached USB drives and plants decoy LNK shortcuts on them alongside a hidden copy of the “trash.dll” file.

Infection of USB drives (Check Point)

The malware uses Windows Management Instrumentation (WMI) to enumerate candidate drives, then creates shortcuts with random names whose target launches the malicious script from the hidden file.
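The behaviour described above (a script host launching a file that does not carry a script extension from a drive root or the Favorites folder, decoy shortcuts written to removable media, and persistence through scheduled tasks and registry keys) translates directly into host-based hunts. The following is an added example, not code from the Check Point report or from the malware: a small Python triage over Sysmon-style process-creation, file-creation and registry events. The event records, the `trash.dll` paths, the `//e:vbscript` switch in the sample command lines, the assumption that the registry persistence lands in a Run key, and the rule names are constructed for illustration; the only fact relied on is that wscript/cscript accept a documented `//E:engine` option that forces a file of any extension to be run by a given script engine.

```python
"""Hunt for LitterDrifter-style USB worm behaviour in Sysmon-style events (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """Minimal Sysmon-like record. event_id 1 = process create, 11 = file create, 13 = registry value set."""
    event_id: int
    image: str = ""
    command_line: str = ""
    target_filename: str = ""
    target_object: str = ""
    details: str = ""


SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")
# A file sitting directly in the root of a non-system drive letter, e.g. E:\Documents.lnk
DRIVE_ROOT = re.compile(r"^[D-Z]:\\[^\\]+$", re.IGNORECASE)
FAVORITES = re.compile(r"\\favorites\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)   # assumption: persistence via a Run value
PATH_TOKEN = re.compile(r'"([^"]+)"|(\S+)')                       # quoted or bare command-line tokens


def _is_script_host(image):
    return image.lower().endswith(SCRIPT_HOSTS)


def _script_file(command_line):
    """First command-line token after the host binary that is not a switch."""
    tokens = [quoted or bare for quoted, bare in PATH_TOKEN.findall(command_line)]
    for tok in tokens[1:]:
        if not tok.startswith("/"):
            return tok
    return None


def check_process(ev):
    hits = []
    if ev.event_id != 1:
        return hits
    cl = ev.command_line.lower()
    if _is_script_host(ev.image):
        script = _script_file(ev.command_line)
        if script and not script.lower().endswith(SCRIPT_EXTS):
            hits.append("script_host_non_script_extension")      # e.g. wscript.exe trash.dll
        if "//e:" in cl or " /e:" in cl:
            hits.append("script_host_engine_override")           # //E:vbscript makes any extension a script
        if script and (FAVORITES.search(script) or DRIVE_ROOT.match(script)):
            hits.append("script_from_favorites_or_drive_root")
    if ev.image.lower().endswith("\\schtasks.exe") and "/create" in cl \
            and any(h.strip("\\") in cl for h in SCRIPT_HOSTS):
        hits.append("scheduled_task_runs_script_host")
    return hits


def check_file(ev):
    if ev.event_id == 11 and _is_script_host(ev.image) and DRIVE_ROOT.match(ev.target_filename):
        return ["script_host_wrote_to_drive_root"]                # decoy .lnk dropped on removable media
    return []


def check_registry(ev):
    if ev.event_id == 13 and RUN_KEY.search(ev.target_object) \
            and any(h.strip("\\") in ev.details.lower() for h in SCRIPT_HOSTS):
        return ["run_key_launches_script_host"]
    return []


def triage(events):
    """Return (rule_name, event) pairs for every rule an event trips."""
    return [(rule, ev) for ev in events
            for rule in check_process(ev) + check_file(ev) + check_registry(ev)]


# Constructed sample events, not captured telemetry.
SAMPLE_EVENTS = [
    Event(1, image=r"C:\Windows\System32\wscript.exe",
          command_line=r'"C:\Windows\System32\wscript.exe" //e:vbscript //b "E:\trash.dll"'),
    Event(1, image=r"C:\Windows\System32\schtasks.exe",
          command_line=r'schtasks.exe /create /sc minute /mo 10 /tn "Sync" '
                       r'/tr "wscript.exe C:\Users\alice\Favorites\trash.dll //e:vbscript //b"'),
    Event(11, image=r"C:\Windows\System32\wscript.exe", target_filename=r"E:\Documents.lnk"),
    Event(13, target_object=r"HKU\S-1-5-21-1234567890-1234567890-1234567890-1001"
                            r"\Software\Microsoft\Windows\CurrentVersion\Run\Sync",
          details=r'wscript.exe "C:\Users\alice\Favorites\trash.dll" //e:vbscript //b'),
    # Benign control: a logon script run the ordinary way should trip nothing.
    Event(1, image=r"C:\Windows\System32\cscript.exe",
          command_line=r'cscript.exe //nologo "C:\Scripts\logon.vbs"'),
]

if __name__ == "__main__":
    for rule, ev in triage(SAMPLE_EVENTS):
        print(f"{rule:40s} {ev.command_line or ev.target_filename or ev.target_object}")
```

Each rule is weak on its own (administrators do run `schtasks /create` and logon scripts), so in practice you would score the combination per host and per USB insertion rather than alert on any single hit; the benign control event at the end illustrates why the extension and path checks matter.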

Spreader module code (Check Point)

Researchers explain that Gamaredon uses domain names only as placeholders for the rotating IP addresses that actually host its C2 servers. In this respect the group’s approach is “pretty unique”.

Before contacting the C2 server, the malware looks for a configuration file in a temporary folder. If no such file exists, LitterDrifter resolves one of Gamaredon’s domains with a WMI query; the response contains the domain’s current IP address, which is written to a new configuration file.

Check Point notes that all domain names used by the malware are registered through “REGRU-RU” under the “.ru” top-level domain, consistent with previous reports of Gamaredon activity. Each IP address serving as C2 in LitterDrifter operations typically lives for about 28 hours, and addresses may change several times a day, which limits the value of IP-based detection and blocking.
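Because the domains are only pointers to addresses that rotate roughly daily, the resolver side of this behaviour is a usable hunting signal: a name under a given TLD whose A record keeps changing across several distinct addresses, while legitimate names stay stable. The following is an added example, not code from the Check Point report: Python that profiles IP churn per domain from resolver log lines and flags names whose answers turn over on the timescale described above. The log format, the domain and IP values (documentation ranges, not real Gamaredon infrastructure) and the 48-hour / three-address thresholds are constructed assumptions.

```python
"""Profile per-domain IP churn from resolver logs to spot placeholder-style C2 names (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed log format: "<ISO8601 UTC> <client> <qname> <answer IPv4>". Not real infrastructure.
SAMPLE_LOG = """\
2023-11-10T08:00:00Z 10.0.0.5 example-c2.ru 203.0.113.10
2023-11-10T14:00:00Z 10.0.0.5 example-c2.ru 203.0.113.10
2023-11-10T20:00:00Z 10.0.0.7 example-c2.ru 203.0.113.25
2023-11-11T06:00:00Z 10.0.0.5 example-c2.ru 203.0.113.25
2023-11-11T13:00:00Z 10.0.0.5 example-c2.ru 198.51.100.7
2023-11-12T09:00:00Z 10.0.0.7 example-c2.ru 198.51.100.7
2023-11-12T10:00:00Z 10.0.0.7 example-c2.ru 203.0.113.44
2023-11-10T08:05:00Z 10.0.0.5 updates.example.com 192.0.2.80
2023-11-11T08:05:00Z 10.0.0.5 updates.example.com 192.0.2.80
2023-11-12T08:05:00Z 10.0.0.7 updates.example.com 192.0.2.80
"""

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_log(text):
    """Yield (timestamp, qname, answer_ip); malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m.group(3).lower(), m.group(4)


def profile_domains(text):
    """For each qname: distinct answers, median lifetime (hours) of each answer, changes per day.

    An answer's lifetime runs from the first time it was seen to the first time a different
    answer was seen; the still-current answer has no end and is not counted.
    """
    by_domain = defaultdict(list)
    for ts, qname, ip in parse_log(text):
        by_domain[qname].append((ts, ip))
    profiles = {}
    for qname, obs in by_domain.items():
        obs.sort()
        lifetimes = []
        cur_ip, cur_start = obs[0][1], obs[0][0]
        for ts, ip in obs[1:]:
            if ip != cur_ip:
                lifetimes.append((ts - cur_start).total_seconds() / 3600)
                cur_ip, cur_start = ip, ts
        span_days = max((obs[-1][0] - obs[0][0]).total_seconds() / 86400, 1e-9)
        profiles[qname] = {
            "distinct_ips": len({ip for _, ip in obs}),
            "median_lifetime_h": median(lifetimes) if lifetimes else None,
            "changes_per_day": len(lifetimes) / span_days,
        }
    return profiles


def is_churning(profile, max_lifetime_h=48.0, min_ips=3):
    """Placeholder-style churn: several addresses behind one name, each living well under two days."""
    return (profile["distinct_ips"] >= min_ips
            and profile["median_lifetime_h"] is not None
            and profile["median_lifetime_h"] <= max_lifetime_h)


def flag_churning_domains(text, tld=".ru"):
    """Names under the given TLD whose answers churn; TLD is a constructed filter, not a verdict."""
    return sorted(d for d, p in profile_domains(text).items() if d.endswith(tld) and is_churning(p))


if __name__ == "__main__":
    for name, prof in profile_domains(SAMPLE_LOG).items():
        print(f"{name:24s} ips={prof['distinct_ips']} median_h={prof['median_lifetime_h']} "
              f"changes/day={prof['changes_per_day']:.2f}")
    print("flagged:", flag_churning_domains(SAMPLE_LOG))
```

The TLD filter only narrows the candidate set; CDN and load-balanced names also rotate answers, so the churn score should be joined with what the host did next (a direct HTTP connection to the freshly resolved IP from a script host, as LitterDrifter does) before it is treated as an indicator.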

The C2 server can return additional payloads, which LitterDrifter attempts to decode and execute on the compromised system. Check Point notes that in most cases no additional data is delivered, which may indicate that the attacks are highly targeted. As a fallback, the malware can also obtain the C2 IP address from a Telegram channel.

LitterDrifter is likely a first-stage component of the attack: it establishes persistence on the compromised system and waits for the C2 to deliver follow-on payloads. The malware stands out for its simplicity; it relies on no new techniques, yet it appears to be effective.

The Check Point report includes hashes of nearly two dozen LitterDrifter samples, as well as domain names associated with Gamaredon’s infrastructure.

Source: Port Altele