iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
Security researchers have uncovered a new malware tool in the repertoire of pro-Russian hacking group Nodaria.
The malware, called Graphiron, is a versatile info stealer written in Google’s Go language. It was first observed in October 2022 and last seen this year in January, suggesting the malware is still very much in use.
Graphiron operates in two stages, according to researchers at Symantec. A downloader is first introduced to a system via a spear phishing attack, which scans for a range of malware analysis tools before downloading the actual info stealer portion of the malware from hardcoded command and control servers.
However, if the downloader detects any analysis tool, it simply stops operating without trying to make any further contact with C&C infrastructure. Once the info stealer is successfully installed, it masquerades as two Microsoft .exe files: MicrosoftOfficeDashboard.exe and OfficeTemplate.exe.
Graphiron can steal passwords via a PowerShell command, and in addition, it can steal data from Thunderbird and Firefox, retrieve hostname as well as system and user info, gather IP addresses, take screenshots, and steal files.
The malware is the latest in a line of tools made by Nodaria, but with far more malicious functionality.
Who is Nodaria?
Nodaria has been active since March 2021, and while its focus is on targets in Ukraine, it’s also reported to have operated against Kyrgyzstan and Georgia.
“The group sprang to public attention when it was linked to the WhisperGate wiper attacks that hit multiple Ukrainian government computers and websites in January 2022,” Symantec’s Threat Hunter Team said in a blog post. WhisperGate purported to be ransomware, but instead it wiped files entirely, despite promising that files could be restored by paying a US$10 million ransom in bitcoins.
The group has used spear phishing campaigns to deliver at least six previous malware tools, the majority of which were also written in Go, with Graphiron using a more up-to-date version of the language, making it a more recent project.
“While Nodaria was relatively unknown prior to the Russian invasion of Ukraine,” Symantec concludes, “the group’s high-level activity over the past year suggests that it is now one of the key players in Russia’s ongoing cyber campaigns against Ukraine.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Be the first to hear the latest developments in the cyber industry.
