The Russian hacking group known as ‘Nodaria’ (UAC-0056) is using a new information-stealing malware named ‘Graphiron’ to steal data from Ukrainian organizations.
The Go-based malware can gather a wide range of information, including account credentials, system data, and application data. It can also capture screenshots and exfiltrate files from compromised machines.
Symantec's threat research team discovered that Nodaria has been using Graphiron in attacks from at least October 2022 through mid-January 2023.
Graphiron consists of a downloader and a secondary information-stealing payload. When launched, the downloader checks for various security software and malware analysis tools; only if none are detected does it download the information-stealing component.
Some of the processes the downloader checks for include BurpSuite, Charles, Fiddler, rpcapd, smsniff, Wireshark, x96dbg, ollydbg, and idag.
The malware uses file names such as OfficeTemplate.exe and MicrosoftOfficeDashboard.exe to disguise itself as a Microsoft Office component on the breached system.
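The two behaviours above give defenders and sandbox analysts something concrete to check for: a process running under one of the reported masquerade names is a triage lead, and an analysis host where any of the listed tool names is visible will never see the second stage because the downloader aborts. The following Python snippet is an added example, not Symantec's or the malware's code; it parses a constructed tasklist-style listing (the sample rows are made up) and reports both conditions. Matching analysis tools by substring of the process name is an assumption made here to cover launcher variants; the name lists themselves are the ones given in the article.

```python
"""Triage helper for Graphiron-style masquerade names and anti-analysis checks.

Added example, not code from the article, Symantec or the malware. Runs
offline over a constructed tasklist-style listing.
"""
from typing import Dict, List, Set

# File names the article reports Graphiron using to pose as Office components.
GRAPHIRON_MASQUERADE_NAMES: Set[str] = {
    "officetemplate.exe",
    "microsoftofficedashboard.exe",
}

# Analysis tools the downloader is reported to look for before fetching the
# stealer. If any is running, the second stage is not downloaded.
ANALYSIS_TOOL_NAMES: Set[str] = {
    "burpsuite", "charles", "fiddler", "rpcapd", "smsniff",
    "wireshark", "x96dbg", "ollydbg", "idag",
}

# Constructed sample in the shape of Windows 'tasklist' output.
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
explorer.exe                  4112 Console                    1     61,236 K
OfficeTemplate.exe            5520 Console                    1     12,804 K
Wireshark.exe                 6010 Console                    1    118,332 K
"""


def parse_tasklist(text: str) -> List[str]:
    """Return image names from tasklist-style rows ('<image> <pid> ...').

    Header, separator and multi-word rows such as 'System Idle Process' are
    skipped because their second field is not a numeric PID.
    """
    names: List[str] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            names.append(parts[0])
    return names


def find_masquerades(process_names: List[str]) -> List[str]:
    """Processes whose image name exactly matches a reported masquerade name."""
    return sorted(n for n in process_names if n.lower() in GRAPHIRON_MASQUERADE_NAMES)


def tools_that_trigger_evasion(process_names: List[str]) -> List[str]:
    """Running processes that would make the downloader skip its second stage.

    Assumption: a tool name appearing anywhere in the lower-cased image name
    counts (e.g. 'Wireshark.exe'). Use this to verify a detonation host before
    running a sample, since a visible tool means an incomplete trace.
    """
    return sorted(
        n for n in process_names
        if any(tool in n.lower() for tool in ANALYSIS_TOOL_NAMES)
    )


def triage(text: str) -> Dict[str, List[str]]:
    """Run both checks over a tasklist-style listing."""
    names = parse_tasklist(text)
    return {
        "masquerades": find_masquerades(names),
        "evasion_triggers": tools_that_trigger_evasion(names),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_TASKLIST)
    for key, hits in result.items():
        print(f"{key}: {hits or 'none'}")
```

A hit on a masquerade name is a lead, not proof of infection: confirm the binary's path and signature before acting. The evasion-trigger list is the more reliable signal for lab work, since it tells you why a detonation stopped at the downloader.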
Graphiron uses AES encryption with hardcoded keys to communicate with the C2 server through port 443, which is similar to older Nodaria tools like GraphSteal and GrimPlant.
Nodaria is the same threat actor that deployed a fake ransomware named ‘WhisperGate’ on Ukrainian networks in January 2022, performing destructive data-wiping attacks.
While Nodaria was relatively unknown prior to the Russian invasion of Ukraine, the group's activity over the past year suggests that it is now one of the key players in Russia's ongoing cyber campaigns against Ukraine.
Graphiron is the latest addition to Nodaria's arsenal, combining the features of its earlier custom tools into a single payload while also introducing obfuscation.