There is evidence that hackers with ties to Russia are using new information-stealing malware in attacks against Ukraine. The malware, discovered by the Computer Emergency Response Team of Ukraine (CERT-UA) and dubbed Graphiron by Broadcom-owned Symantec, was developed by an espionage group tracked as Nodaria, also known as UAC-0056.
According to a study published by the Symantec Threat Hunter Team and shared with The Hacker News, “the malware is built in Go and is designed to capture a wide range of information from the infected device, including system information, credentials, screenshots, and files.” In January 2022, CERT-UA raised awareness of the threat posed by Nodaria by calling attention to the group’s deployment of SaintBot and OutSteel malware in spear-phishing attacks on government agencies.
Similarly devastating WhisperGate (aka PAYWIPE) data wiper attacks against Ukrainian companies around the same time have been attributed to the same group, which is variously tracked as DEV-0586, TA471, and UNC2589.
Nodaria Now Focuses Its Attention On Ukraine
Since Russia’s armed invasion of Ukraine in April 2021, the group has reportedly been active and has used custom backdoors such as GraphSteel and GrimPlant in multiple campaigns. Several intrusions have also delivered Cobalt Strike Beacon for post-exploitation.
The newest addition to the group’s arsenal is Graphiron, an enhanced version of GraphSteel that can execute shell commands and steal data from a target machine, including credentials, files, screenshots, and SSH keys.
Also, although GraphSteel and GrimPlant were built with Go 1.16, Graphiron uses Go 1.18, which was released to the public in March 2022. This supports the assessment that Graphiron is a very recent development. Attacks using Graphiron have been documented as early as October 2022 and continuing through at least mid-January 2023.
Examination of the infection chains also reveals a downloader responsible for retrieving an encrypted payload containing the Graphiron malware from a remote server. Together with recent findings about another Russian state-sponsored outfit called Gamaredon, this shows that Nodaria has focused a great deal of its attention on Ukraine.
Despite being “relatively obscure” before Russia’s invasion of Ukraine, Symantec now believes that Nodaria is “one of the primary participants in Russia’s ongoing cyber attacks against Ukraine” due to the group’s “high-level activities” over the last year.
Stealing Confidential Data With Graphiron
Graphiron is a two-stage malware family: a downloader and a secondary payload that performs the data theft. When run, the downloader first checks for antivirus and malware-analysis tools before downloading the stealer payload.
Programs the downloader looks for include BurpSuite, Charles, Fiddler, rpcapd, smsniff, Wireshark, x96dbg, ollydbg, and idag. On the compromised machine the malware disguises itself as a legitimate Microsoft Office file, using filenames such as OfficeTemplate.exe and MicrosoftOfficeDashboard.exe.
The following are some of its capabilities:
- Read the MachineGuid.
- Obtain the public IP address by querying https://checkip.amazonaws.com.
- Retrieve the hostname, operating system details, and user accounts.
- Steal data from Mozilla Firefox and Thunderbird.
- Steal private keys from MobaXTerm.
- Steal SSH known hosts.
- Steal data from PuTTY.
- Steal stored passwords.
- Take screenshots.
- Create a directory.
- List the contents of a directory.
- Run shell commands.
- Steal an arbitrary file.
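The indicators given above for the downloader and the stealer (the OfficeTemplate.exe and MicrosoftOfficeDashboard.exe disguises, the public IP lookup at checkip.amazonaws.com, and reads of SSH known hosts, PuTTY and MobaXTerm secrets) are the kind of thing a defender would turn into a detection. The following is an added example written for this page, not code from the article or from Symantec's report: a small Python pass that applies those indicators to a few constructed endpoint log lines and rates each process. The log format, the on-disk paths of the secret stores, the allow-list of legitimate readers, and the PowerShell `PasswordVault` heuristic are all assumptions made for the example, not observed telemetry.

```python
"""Added example (not the article's or Symantec's code): rate processes in
constructed endpoint log lines against the Graphiron indicators the article
gives. Log format, paths and allow-list below are assumptions for the example."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators taken from the article.
DISGUISED_FILENAMES = {"officetemplate.exe", "microsoftofficedashboard.exe"}
IP_LOOKUP_HOST = "checkip.amazonaws.com"

# Secret stores named in the capability list. The path fragments and the
# allow-list of processes expected to read them are assumptions for this example.
SECRET_PATH_FRAGMENTS = (
    "\\.ssh\\known_hosts", "\\.ssh\\id_", "\\putty\\", "\\mobaxterm\\",
    "\\thunderbird\\profiles\\", "\\firefox\\profiles\\",
)
EXPECTED_SECRET_READERS = {
    "ssh.exe", "putty.exe", "pageant.exe", "mobaxterm.exe",
    "firefox.exe", "thunderbird.exe",
}

# Constructed log format: "<ts> host=<h> event=<e> proc=<path> [<key>=<value>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\w+) proc=(?P<proc>\S+)"
    r"(?: (?P<key>\w+)=(?P<val>.*))?$"
)


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["image"] = PureWindowsPath(rec["proc"]).name.lower()
    return rec


def signals_for(rec):
    """Map one record to the set of weak signals it carries."""
    out = set()
    val = (rec["val"] or "").lower()
    if rec["image"] in DISGUISED_FILENAMES:
        out.add("disguised_office_name")
    if rec["event"] == "dns_query" and val == IP_LOOKUP_HOST:
        out.add("public_ip_lookup")
    if rec["event"] == "file_read" and rec["image"] not in EXPECTED_SECRET_READERS:
        if any(frag in val for frag in SECRET_PATH_FRAGMENTS):
            out.add("secret_store_read")
    if rec["event"] == "script_block" and "passwordvault" in val:
        # Assumption: vault access goes through the WinRT PasswordVault class;
        # the article does not quote the actual PowerShell.
        out.add("vault_access_script")
    return out


def analyze(lines):
    """Group signals per (host, image) and rate them: a disguised filename alone
    is high; two or more weaker signals on one process are medium; one is low."""
    per_proc = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_proc[(rec["host"], rec["image"])] |= signals_for(rec)
    findings = []
    for (host, image), sigs in per_proc.items():
        if not sigs:
            continue
        if "disguised_office_name" in sigs:
            severity = "high"
        elif len(sigs) >= 2:
            severity = "medium"
        else:
            severity = "low"
        findings.append({"host": host, "process": image,
                         "signals": sorted(sigs), "severity": severity})
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["process"]))


# Constructed sample telemetry: one infected workstation plus benign activity.
SAMPLE_LOG = [
    "2023-01-12T09:14:03Z host=WS-0042 event=process_create proc=C:\\Users\\olga\\AppData\\Local\\Temp\\OfficeTemplate.exe",
    "2023-01-12T09:14:05Z host=WS-0042 event=dns_query proc=C:\\Users\\olga\\AppData\\Local\\Temp\\OfficeTemplate.exe query=checkip.amazonaws.com",
    "2023-01-12T09:14:09Z host=WS-0042 event=file_read proc=C:\\Users\\olga\\AppData\\Local\\Temp\\OfficeTemplate.exe path=C:\\Users\\olga\\.ssh\\known_hosts",
    "2023-01-12T09:14:10Z host=WS-0042 event=file_read proc=C:\\Windows\\System32\\OpenSSH\\ssh.exe path=C:\\Users\\olga\\.ssh\\known_hosts",
    "2023-01-12T09:14:12Z host=WS-0042 event=script_block proc=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe text=[Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]",
    "2023-01-12T09:15:00Z host=WS-0042 event=file_read proc=C:\\Tools\\firefox.exe path=C:\\Users\\olga\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abc.default\\logins.json",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['host']} {f['process']} {f['signals']}")
```

The disguised filenames are treated as a strong signal on their own because a legitimate Office component would not run from a user's Temp directory under that name, while the IP lookup and the reads of SSH, PuTTY and MobaXTerm material are individually common enough that they are only escalated when they co-occur on one process. The benign `ssh.exe` read of `known_hosts` produces no finding because that reader is on the allow-list.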
The malware also uses PowerShell code to access and steal AES-256 encrypted passwords stored in the Windows Vault, the operating system’s built-in password manager.
The Russian hacker collective known as “Nodaria” (UAC-0056) has begun targeting Ukrainian institutions with a piece of malware dubbed “Graphiron” that steals sensitive information. Account credentials, system data, and even application data are all targets for the Go-based malware, which can also take screenshots and exfiltrate files from infected computers. Symantec’s threat research team has found that Nodaria has been employing Graphiron in attacks since at least October 2022 and as late as mid-January 2023.