Russian hackers use new Graphiron information stealer in Ukraine

February 8, 2023

A Russian hacking group known as Nodaria (UAC-0056) is using a new data-stealing malware called Graphiron to steal data from Ukrainian organizations. The Go-based malware can collect a wide variety of information, including account credentials and system and application data. It also takes screenshots and exfiltrates files from compromised machines. Symantec’s threat research team discovered that Nodaria used Graphiron in attacks from at least October 2022 to mid-January 2023.

Stealing confidential information

Graphiron consists of a downloader and a second-stage information-stealing payload. Once the downloader runs, it checks for a range of security software and malware-analysis tools and, if none is found, downloads the stealer component. Among the processes the downloader looks for are BurpSuite, Charles, Fiddler, rcapd, smsniff, Wireshark, x96dbg, ollydbg and idag.

The malware uses file names such as OfficeTemplate.exe and MicrosoftOfficeDashboard.exe to pass as a Microsoft Office component on a compromised system.

Its capabilities include:

  • Read the MachineGuid
  • Get the external IP address from https://checkip.amazonaws.com
  • Get the hostname, system information and user information
  • Steal data from Firefox and Thunderbird
  • Steal private keys from MobaXTerm
  • Steal SSH known hosts
  • Steal data from PuTTY
  • Steal saved passwords
  • Take screenshots
  • Create directories
  • List directories
  • Run shell commands
  • Run any file

The malware uses the following PowerShell code to steal passwords from the Windows Vault, the operating system’s built-in credential store, where saved credentials are kept in AES-256 encrypted form.

[Image: PowerShell code used to retrieve stored user passwords]

Graphiron communicates with its C2 server over port 443 using AES encryption with hardcoded keys, a notable similarity to older Nodaria tools such as GraphSteal and GrimPlant.

Nodaria targets Ukraine

Nodaria is the same threat actor that launched devastating data-destruction attacks in January 2022 by deploying the fake ransomware “WhisperGate” on Ukrainian networks. Russian hackers often deliver their exploits to targets via phishing emails, and the ongoing war offers many opportunities to set up an effective lure.

Source: Port Altele
