Russian Cyber-espionage Group Deploys Information-stealing Malware in Ukrainian Regions
According to The Hacker News, Russia-linked threat actors have recently been observed deploying information-stealing malware in a Ukrainian region. The campaign further shows that the cyber-war between the two countries is still ongoing in 2023.
As per Symantec, the malware, dubbed Graphiron, was written in the Go programming language by the cyber-espionage group Nodaria, which the Computer Emergency Response Team of Ukraine (CERT-UA) tracks as UAC-0056.
The Symantec Threat Hunter Team explained in a report that the malware is designed to harvest a wide range of information from the infected computer, including credentials, system information, screenshots, and files.
Activities of the Russian Cyber-espionage Group
According to reports, CERT-UA first spotted Nodaria in January 2022, when the group was found using the SaintBot and OutSteel malware in spear-phishing attacks against government agencies.
Since the start of the Russia-Ukraine war, Nodaria has been actively deploying custom backdoors such as GrimPlant and GraphSteel, and has also used tools such as Cobalt Strike Beacon for post-exploitation.
Based on these previous operations, Symantec has concluded that the group is one of the key players in Russia's ongoing cyber-espionage campaigns against Ukraine. Additionally, Nodaria is collaborating with another notorious Russian cyber-espionage group, Gamaredon, in planning operations against Ukraine in particular.
What is Graphiron Malware?
Graphiron, the latest addition to Nodaria's toolset, is an improved version of GraphSteel with newly added features. It is capable of running shell commands and harvesting system information, credentials, files, pictures, and SSH keys.
Another notable aspect is that Graphiron is built with Go version 1.18, whereas GraphSteel and GrimPlant still use the older Go 1.16. The newer toolchain version is a clear sign that Graphiron is a more recent, further developed piece of malware.
Nodaria uses these tools alongside Graphiron in its attacks. Further analysis shows that a Graphiron infection proceeds in two stages: a downloader is first required to retrieve an encrypted payload containing the Graphiron malware from a remote server.
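Because the report singles out the Go toolchain version (1.18 for Graphiron versus 1.16 for GraphSteel and GrimPlant) as a distinguishing trait, a triage step that reads that version out of a Go binary is useful when sorting samples. The following is an added example written for this article, not code from Symantec or from any of the malware described; it parses the Go linker's build-info header (the `\xff Go buildinf:` magic, whose inline-string layout was introduced with Go 1.18) and falls back to a plain string scan for older layouts. The sample blobs are constructed here and are not real samples.

```python
import re
from typing import Optional, Tuple

GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"  # 14-byte magic written by the Go linker
# Loose version-string pattern used only as a fallback heuristic.
GO_VERSION_RE = re.compile(rb"go1\.\d{1,2}(?:\.\d{1,2})?(?:rc\d|beta\d)?")

def _read_uvarint(data: bytes, pos: int) -> Tuple[int, int]:
    """Decode an unsigned LEB128 varint (Go's binary.Uvarint); return (value, next_pos)."""
    value, shift = 0, 0
    while pos < len(data):
        b = data[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if b < 0x80:
            return value, pos
        shift += 7
    raise ValueError("truncated varint")

def go_build_version(blob: bytes) -> Optional[str]:
    """Return the Go toolchain version recorded in a Go binary image, or None.

    Go 1.18+ sets bit 0x2 of the flags byte at header offset 15 and stores the
    version string inline (varint length + bytes) right after the 32-byte header.
    Older toolchains (e.g. Go 1.16) store pointers there instead; resolving them
    needs a PE/ELF loader, so for those we fall back to a string scan.
    """
    idx = blob.find(GO_BUILDINFO_MAGIC)
    if idx != -1 and len(blob) >= idx + 32 and blob[idx + 15] & 0x2:
        try:
            n, pos = _read_uvarint(blob, idx + 32)
            s = blob[pos:pos + n]
            if len(s) == n and s.startswith(b"go1."):
                return s.decode("ascii", "replace")
        except ValueError:
            pass  # malformed header: fall through to the heuristic scan
    m = GO_VERSION_RE.search(blob)
    return m.group(0).decode() if m else None

def go_minor(version: str) -> int:
    """'go1.18.1' -> 18, so samples can be grouped by toolchain generation."""
    return int(re.match(r"go1\.(\d+)", version).group(1))

# Constructed sample blobs (not real malware): a Go 1.18-style inline header,
# and an older pointer-based header where the version survives only as a loose string.
SAMPLE_INLINE = (b"\x00" * 8 + GO_BUILDINFO_MAGIC + bytes([8, 0x2]) + b"\x00" * 16
                 + bytes([8]) + b"go1.18.1" + b"\x00" + b"tail")
SAMPLE_LEGACY = (b"\x00" * 8 + GO_BUILDINFO_MAGIC + bytes([8, 0]) + b"\x00" * 16
                 + b"\x10\x20\x30\x40\x00\x00\x00\x00" * 2 + b"\x00runtime\x00go1.16.5\x00")
```

The extracted version is a triage hint for grouping samples, not evidence of attribution on its own.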