This Cybersecurity Threat Advisory sheds light on a recently discovered USB worm, identified as “LittleDrifter,” that has been attributed to the Russia-linked hacker group known as Gamaredon. The worm has spread beyond its presumed intended target, Ukraine, to other countries including the US, Germany, Vietnam, Poland, Chile, and Hong Kong, which carries the unfortunate implication that the threat group has lost control of its own malware.
What is the threat?
LittleDrifter is a self-propagating USB worm, one of many tools developed as part of Russia’s ongoing efforts to compromise Ukrainian targets and maintain access to their networks. LittleDrifter is written in VBScript and has two primary functions: one automatically spreads the worm to other USB drives, and the other communicates with command-and-control (C2) servers. The worm can also execute payloads received from the C2.
Why is it noteworthy?
LittleDrifter is a worm that appears surprisingly simplistic and unsophisticated in its design. Despite that simplicity, it is extremely effective. LittleDrifter is likely used as the first stage of a wider attack: it establishes persistence on the compromised system and waits for the C2 to deliver new payloads that widen the attack.
What is the exposure or risk?
The LittleDrifter worm monitors for newly inserted USB drives. On each drive it finds, it creates deceptive LNK shortcuts alongside a hidden copy of itself named “trash.dll.” The malware uses Windows Management Instrumentation (WMI) to identify target drives on which to execute its malicious scripts. The hacker group Gamaredon stands out by exclusively targeting Ukrainian entities.
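The pattern described above (decoy LNK shortcuts next to a hidden payload on a removable drive) is something a defender can audit for directly. The following PowerShell script is an added example, not part of this advisory or of any Barracuda product; it enumerates removable drives through the same WMI class the worm uses, then flags hidden files in the drive root, shortcuts whose target is a script host, and the “trash.dll” file name quoted above. The file-name and script-host patterns are assumptions chosen for illustration; a real LittleDrifter sample may use other names, so treat a hit as a lead for further analysis rather than a confirmed infection.

```powershell
# Added example (not from the advisory): audit removable drives for the lure pattern
# the advisory describes, i.e. decoy .lnk shortcuts alongside hidden script/DLL files.
# Assumptions: Windows PowerShell 5.1 or later, read access to the drives, and the
# "trash.dll" name quoted in the advisory; the other patterns are generic heuristics.

function Get-RemovableDriveRoots {
    # DriveType 2 = removable disk. Win32_LogicalDisk is the WMI class the worm itself
    # queries to find drives to infect, so we enumerate exactly what it would see.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DriveType = 2" |
        Where-Object { $_.DeviceID } |
        ForEach-Object { $_.DeviceID + '\' }
}

function Get-ShortcutTarget {
    param([string]$LnkPath)
    # Resolve the .lnk target and arguments without executing anything.
    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut($LnkPath)
    [pscustomobject]@{ Target = $lnk.TargetPath; Arguments = $lnk.Arguments }
}

function Test-RemovableDrive {
    param([string]$Root)
    $findings = @()

    # 1. Hidden files in the drive root: the worm stores its copy as a hidden file.
    Get-ChildItem -LiteralPath $Root -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Drive = $Root; Type = 'HiddenRootFile'; Path = $_.FullName; Detail = $_.Attributes
            }
        }

    # 2. Shortcuts that launch a script host (wscript, cscript, mshta, powershell, cmd)
    #    or that pass a script/DLL as an argument: the decoy LNKs the advisory mentions.
    Get-ChildItem -LiteralPath $Root -Force -File -Filter '*.lnk' -Recurse -Depth 1 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $t = Get-ShortcutTarget -LnkPath $_.FullName
            if ($t.Target -match '\\(wscript|cscript|mshta|powershell|cmd)\.exe$' -or
                $t.Arguments -match '\.(vbs|vbe|js|jse|dll)\b') {
                $findings += [pscustomobject]@{
                    Drive = $Root; Type = 'SuspiciousShortcut'; Path = $_.FullName
                    Detail = "$($t.Target) $($t.Arguments)"
                }
            }
        }

    # 3. The specific file name quoted in the advisory, anywhere in the top two levels.
    Get-ChildItem -LiteralPath $Root -Force -File -Filter 'trash.dll' -Recurse -Depth 2 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Drive = $Root; Type = 'KnownFileName'; Path = $_.FullName; Detail = 'trash.dll'
            }
        }

    $findings
}

# Usage: run from an elevated or standard session and review the table it prints.
$results = foreach ($root in Get-RemovableDriveRoots) { Test-RemovableDrive -Root $root }
if ($results) { $results | Format-Table -AutoSize } else { 'No removable-drive findings.' }
```

Hidden files and LNK shortcuts are common on legitimate drives too, so this is a triage aid for the SOC, not a verdict. A practical use is to run it against any drive that arrived from outside the organization before it is mounted on a production workstation, and to forward the findings to your endpoint security tooling for a full scan.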
What are the recommendations?
Barracuda MSP recommends the following actions to mitigate the damage caused by the LittleDrifter USB malware:
- Use and keep an encrypted flash drive.
- Utilize the Barracuda XDR Managed Endpoint Security service to scan USB drives for potential threats, providing real-time protection that detects and prevents this kind of malware.
- Create a safelist that allows only the removable devices you trust.
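One way to put the safelist recommendation into practice on Windows is through the built-in Device Installation Restriction and Removable Storage Access policies. The script below is an added example, not Barracuda’s or the advisory’s own tooling; it writes the registry-backed values that the corresponding Group Policy settings set, so that only removable drives whose hardware IDs you list can be installed, and execution from removable disks is denied even for those. The hardware ID in `$TrustedDeviceIds` is a placeholder you replace with the IDs of the drives you actually issue (the `Get-ConnectedUsbStorageIds` helper lists them). In production these settings would normally be deployed through Group Policy or Intune rather than by script; this example shows which settings to deploy.

```powershell
# Added example (not from the advisory): enforce "only trusted removable drives".
# Assumptions: run elevated; the entries in $TrustedDeviceIds are placeholders that
# you replace with the hardware IDs of drives you issue; settings take effect on the
# next policy refresh or reboot and do not affect devices already installed.

$TrustedDeviceIds = @(
    'USBSTOR\DiskEXAMPLE_VENDOR&PROD_ENCRYPTED_DRIVE'   # placeholder, not a real ID
)

function Get-ConnectedUsbStorageIds {
    # List hardware IDs of currently connected USB storage devices, for building the safelist.
    Get-PnpDevice -Class DiskDrive -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        ForEach-Object {
            (Get-PnpDeviceProperty -InstanceId $_.InstanceId -KeyName 'DEVPKEY_Device_HardwareIds').Data
        }
}

function Set-RemovableDevicePolicy {
    param([string[]]$AllowIds)

    # Device Installation Restrictions (same values the Group Policy editor writes).
    $base     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    $allowKey = Join-Path $base 'AllowDeviceIDs'
    New-Item -Path $allowKey -Force | Out-Null

    # "Prevent installation of removable devices": blocks new removable-device installs...
    Set-ItemProperty -Path $base -Name 'DenyRemovableDevices' -Value 1 -Type DWord
    # ...except those matching an explicitly allowed device ID, which takes precedence.
    Set-ItemProperty -Path $base -Name 'AllowDeviceIDs' -Value 1 -Type DWord
    $i = 1
    foreach ($id in $AllowIds) {
        Set-ItemProperty -Path $allowKey -Name ([string]$i) -Value $id -Type String
        $i++
    }

    # Removable Storage Access, "Removable Disks: Deny execute access". The GUID is the
    # removable-disk device class, so even a safelisted drive cannot launch scripts
    # or executables, which is the behaviour the LNK lures depend on.
    $rsd = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    New-Item -Path $rsd -Force | Out-Null
    Set-ItemProperty -Path $rsd -Name 'Deny_Execute' -Value 1 -Type DWord
}

# Usage: inspect connected drives first, then apply the policy with the IDs you trust.
Get-ConnectedUsbStorageIds
Set-RemovableDevicePolicy -AllowIds $TrustedDeviceIds
```

Test the policy on a pilot group before broad rollout: the install restriction only governs devices plugged in after it applies, so drives that were already installed keep working until their driver entries are removed, and the execute-deny setting will also stop legitimate portable applications from running off USB.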
For more in-depth information on the recommendations, please visit the following links:
- Gamaredon’s LittleDrifter USB malware spreads beyond Ukraine (bleepingcomputer.com)
- Russia’s LitterDrifter USB Worm Spreads Beyond Ukraine – SecurityWeek
- How To Protect Computers from Infected USB Devices (systweak.com)
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.