Background
Traditionally, USB worms were designed to attack specific targets or systems. However, it is highly contagious because it can spread anywhere by jumping onto any removable storage device it could find. Due to its propensity for propagation, it often goes beyond the scope of what was originally intended by bad actors, leading to a much wider impact and greater consequences. According to Check Point Research, Gamaredon (also known as Primitive Bear, ACTINIUM, and Shuckworm), which is considered to be one of the most conspicuous Russian spy organizations, primarily targets entities in Ukraine. Recently, they have started deploying LitterDrifter, a worm written in VBS (Visual Basic Script), with two main functions: 1. Autonomous propagation through USB drives; 2. Communicating with a wide, flexible collection of command and control (C2) servers. Due to the nature of USB worms, signs of possible infections have been detected in various countries, including the USA, Vietnam, Chile, Poland, and Germany, suggesting that LitterDrifter, like other USB worms, has spread beyond its intended targets to a global scale.
LitterDrifter Overview
LitterDrifter is a malicious computer worm with the following two main functions:
- Self-propagation: Capable of spreading itself across different computer USBs.
- Establishing C2 Channels: Establishing communication channels with the command and control infrastructure of the Gamaredon attackers.
These functions are hidden in a component named trash.dll, which is actually a VBS (Visual Basic Script) script. The primary mechanism of the malicious program is that when LitterDrifter is executed, it first activates trash.dll, whose main role is to decode and execute other hidden malicious components, maintaining persistence in the victim’s computer environment.
In the decoding process, the “trash.dll” component then obfuscates data by using character substitution techniques. It contains multiple functions and variables, whose names have been encrypted. This not only evades some antivirus software detection but also increases the complexity of reverse engineering, making the analysis and understanding of the malware more difficult. Additionally, they also have a decoding function, capable of taking two encrypted strings as input and decoding them for storage, achieving delayed execution to hide subsequent damaging operations.
The “trash.dll” is also adept at hiding and disguising itself. To maintain activity in the system, it hides a copy of itself in a hidden file in the user directory. Then, to ensure the malicious program can continue to operate in the system, it creates scheduled tasks set to automatically execute at specific times, upon login, or other trigger conditions. It can also use registry startup items, adding the malware to these startup items, ensuring that the malicious software automatically starts every time the computer is booted.
How does it achieve its self-propagation function? Mainly by using Windows management tools to query USB drives, prioritizing infection of logical disks with mediatype=NULL (usually associated with USB removable media) to spread to other environments. Then, it creates shortcuts (LNK files) in the subfolders of each drive. In addition to generating shortcuts, this feature also creates a hidden copy of “trash.dll” in the subfolders.
Another module’s function is to establish communication with Gamaredon’s C&C servers. LitterDrifter’s C2 module uses a unique method, utilizing domain names as placeholders to cyclically use actual IP addresses of C2 servers. The specific process includes:
- Checking whether a specific configuration file exists.
- Using Windows Management Instrumentation (WMI) queries to obtain and save the C2 server’s IP address.
- Establishing communication with the C2 server through a specific format URL.
Before attempting to contact the C2 server, the script first checks in the %TEMP% folder for the existence of a C2 configuration file with a meaningless name, hard-coded in the malware. If this configuration file exists, it indicates that the computer has been infected. If not, the malware will use a WMI query to ping a certain Gamaredon domain name, and thereby obtain the IP address resolved from the domain name and save it to a new configuration file.
Implications for OT Environments
LitterDrifter is a complex piece of malware with functions such as self-propagation and establishing communication channels with C2 infrastructures, posing significant threats to Operational Technology (OT) environments. Organizations have previously experienced major security incidents like WannaCry, a worm malware that could rapidly replicate itself, and thus spread easily. Since OT environments often include critical industrial systems such as in manufacturing, energy, and utilities sectors, malicious actors may rely on unsuspecting trusted third parties (e.g., vendors or contractors with access) to introduce removable media (USB drives) for system maintenance. Given its ability to spread across drives, LitterDrifter can easily move from IT environments or other external environments to OT systems, increasing the risk of widespread infection and operational interruption.
Furthermore, the C2 communication function of LitterDrifter could be used to extract sensitive operational data from OT systems. This information could be used for industrial espionage or planning more targeted attacks. Critical infrastructure operators and manufacturers in the OT space need to enhance their protections against mobile media (like USB devices), with measures including:
- Ensuring secure data transfer mechanisms: External storage media should be restricted in production environments unless a secure mechanism for data transfer is developed and correctly implemented.
- Scanning and analyzing external storage media: Enhance the scrutiny of external devices and removable media in OT environments. Actively identify and eliminate malicious software introduced through removable media. This necessitates a scan that must be performed in an isolated and secure environment.
- Implementing hardware usage restrictions: Though it’s important for organizations to set specific security policies to control the hardware used on critical systems, they can’t stop there. They can implement restrictions such as limiting the use of USB devices in order to reduce the risks posed by external devices.
- Monitoring changes in files from removable media: Organizations need to closely monitor files copied from removable media (like USB flash drives), especially those that are newly created. Tracking these files makes it easier to apprehend potential misuse or malicious activities.
- Monitoring new process execution: Pay attention to new processes run by employees after they’ve connected removable media or when removable media is initiated by a user. If malicious software is present, it’s likely that additional actions will occur after execution, such as opening network connections for command and control, as well as discovering system and network information.
TXOne Networks’ Defensive Strategies for LitterDrifter Malware
TXOne Networks offers comprehensive solutions to enhance cybersecurity in Operational Technology (OT) environments. Their solutions focus on secure data transmission and robust endpoint protection to thwart potential cyber threats.
Secure OT Data Transmission Mechanism
Portable Inspector solution is designed for secure data storage and transfer. It ensures safekeeping of sensitive information and secure data transmission, safeguarding against potential malware infections. Portable Inspector incorporates robust security features to protect stored data from unauthorized access or potential corruption. It scans files during transfer to the Portable Inspector storage, allowing only verified files to be stored.
Figure 1: Portable Inspector Delivers Installation-free Security
Figure 2: An Example of a Portable Inspector Successfully Detects LitterDrifter Malware
Figure 3: An Example of a Portable Inspector Successfully Eliminates LitterDrifter Malware
Executing Security Scans in a Controlled Environment
Safe Port aids in cleaning external storage media in a protected and secure environment. Safe Port examines external media, identifies, and eliminates malicious software, making it suitable for use in OT environments. The greatest operational benefit of using Safe Port is the simplification of your security inventory audit. It seamlessly integrates with Portable Inspector to establish and manage your security inventory, making security management effortless. Insert the Portable Inspector into Safe Port and upload logs to ElementOne with just a few clicks.
Figure 4: Safe Port the Ultimate Media Sanitizer
TXOne’s CPSDR Technology Prevents Unforeseen System Changes from Affecting Operational Reliability and Availability
Stellar has adopted TXOne Networks unique security methodology, known as Cyber Physical System Detection and Response (CPSDR). This approach prioritizes both security and operational efficiency, ensuring that no team has to compromise on capabilities or effectiveness. A key feature of Stellar’s security strategy is its robust endpoint protection, particularly evident in its USB vector control feature. This feature effectively blocks the use of unauthorized external storage media, thereby safeguarding against potential external threats.
Furthermore, Stellar has implemented stringent controls to ensure that only approved applications can operate within its system. This proactive measure significantly mitigates the risk of unauthorized software, which could compromise both environmental safety and system stability.
A standout capability of Stellar is its operational behavior anomaly detection. This feature is designed to identify any unusual activities within system operations. By employing advanced algorithms and thorough analysis, Stellar is adept at detecting real-time deviations from established patterns or expected behaviors. This capability is crucial in enhancing Stellar’s overall security posture, providing early detection and prompt alerts. Such timely notifications enable quick investigation and mitigation of any suspicious activities, thereby maintaining the integrity and safety of operational processes.
Are you concerned about facing similar threat challenges? We are always here to assist you!
The challenges in production are constantly evolving. This is a lot of information, and our team is ready and eager to help you and your suppliers find the OT network defense tool that best suits you. Contact us to learn how TXOne solutions can ensure the security, compliance, and uninterrupted operation of your systems.
