Feb 08, 2023 | Ravie Lakshmanan
A Russia-linked threat actor has been observed deploying a new information-stealing malware in cyber attacks targeting Ukraine.

Dubbed Graphiron by Broadcom-owned Symantec, the malware is the handiwork of an espionage group known as Nodaria, which is tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) as UAC-0056.

“The malware is written in Go and is designed to harvest a wide range of information from the infected computer, including system information, credentials, screenshots, and files,” the Symantec Threat Hunter Team said [1] in a report shared with The Hacker News.

Nodaria was first spotlighted [2] by CERT-UA in January 2022, calling attention to the adversary’s use of SaintBot and OutSteel malware [3] in spear-phishing attacks targeting government entities.
The group, which is said to have been active since at least April 2021, has repeatedly [4] deployed [5] custom backdoors such as GraphSteel and GrimPlant [6] in various campaigns following Russia’s military invasion of Ukraine. Select intrusions have also entailed the delivery of Cobalt Strike Beacon [7] for post-exploitation.
Graphiron, the latest program added to the group’s arsenal, is an improved version of GraphSteel, packing in features to run shell commands and harvest system information, files, credentials, screenshots, and SSH keys.

Another notable aspect is that while GraphSteel and GrimPlant made use of Go version 1.16, Graphiron relies on version 1.18, which officially shipped [8] in March 2022. This also suggests that Graphiron is a more recent development.
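The toolchain-version comparison above is something an analyst can reproduce directly from a sample: Go binaries built with Go 1.18 or later embed build information, including the compiler version, which the standard library's `debug/buildinfo` package can read. The following program is an added example for triage and is not code from Symantec, CERT-UA or the article; the sample path is supplied on the command line (assumption), and the `go1.18` threshold comes from the article. The embedded version string is supporting evidence only, since a stripped or tampered binary may not carry it.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// GoToolchainVersion returns the Go toolchain version string (for example
// "go1.18.3") recorded in the build information of the Go binary at path.
// It returns an error if the file is not a Go binary or has no build info
// (binaries built before Go 1.18, or with the section stripped).
func GoToolchainVersion(path string) (string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return bi.GoVersion, nil
}

// ParseGoVersion extracts the major and minor numbers from a Go version
// string such as "go1.18", "go1.18.3" or "go1.18rc1". ok is false when the
// string does not start with "go<major>.<minor>".
func ParseGoVersion(v string) (major, minor int, ok bool) {
	v = strings.TrimPrefix(v, "go")
	parts := strings.SplitN(v, ".", 3)
	if len(parts) < 2 {
		return 0, 0, false
	}
	// Keep only the leading digits of the minor component so that
	// pre-release suffixes such as "18rc1" or "18beta2" still parse.
	minorDigits := parts[1]
	for i, r := range minorDigits {
		if r < '0' || r > '9' {
			minorDigits = minorDigits[:i]
			break
		}
	}
	var err error
	if major, err = strconv.Atoi(parts[0]); err != nil {
		return 0, 0, false
	}
	if minor, err = strconv.Atoi(minorDigits); err != nil {
		return 0, 0, false
	}
	return major, minor, true
}

// BuiltWithAtLeast reports whether version string v denotes a toolchain
// at least as new as go<major>.<minor>. Unparseable strings report false.
func BuiltWithAtLeast(v string, major, minor int) bool {
	gotMajor, gotMinor, ok := ParseGoVersion(v)
	if !ok {
		return false
	}
	if gotMajor != major {
		return gotMajor > major
	}
	return gotMinor >= minor
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: gover <path-to-sample>")
		os.Exit(2)
	}
	v, err := GoToolchainVersion(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "no Go build info:", err)
		os.Exit(1)
	}
	fmt.Println("toolchain:", v)
	// Threshold from the article: Graphiron is built with Go 1.18,
	// GraphSteel/GrimPlant with Go 1.16.
	if BuiltWithAtLeast(v, 1, 18) {
		fmt.Println("built with go1.18 or later (consistent with the Graphiron generation)")
	} else {
		fmt.Println("built with a toolchain older than go1.18")
	}
}
```

Build it and run `./gover sample.bin`; `go version -m sample.bin` prints the same field, but the programmatic form is easier to fold into a bulk-triage pipeline that tags samples by toolchain generation.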
Furthermore, an analysis of the infection chains reveals two stages: a downloader that retrieves an encrypted payload from a remote server, and the Graphiron malware itself, which is contained in that payload.
With the latest findings, Nodaria joins another Russian state-sponsored group referred to as Gamaredon [9] in extensively singling out Ukraine.

“While Nodaria was relatively unknown prior to the Russian invasion of Ukraine, the group’s high-level activity over the past year suggests that it is now one of the key players in Russia’s ongoing cyber campaigns against Ukraine,” Symantec said.
References

1. said (symantec-enterprise-blogs.security.com)
2. first spotlighted (cert.gov.ua)
3. SaintBot and OutSteel malware (cert.gov.ua)
4. repeatedly (cert.gov.ua)
5. deployed (cert.gov.ua)
6. GraphSteel and GrimPlant (cert.gov.ua)
7. Cobalt Strike Beacon (cert.gov.ua)
8. officially shipped (go.dev)
9. Gamaredon (thehackernews.com)
10. Twitter (twitter.com)
11. LinkedIn (www.linkedin.com)
Read more https://thehackernews.com/2023/02/russian-hackers-using-graphiron-malware.html