
Russian Nodaria APT Adds Advanced Information Stealing Functionality

A Russia-linked hacking group known as Nodaria, aka UAC-0056, has launched various campaigns against Ukraine since Russia's military invasion of Ukraine. Recently, the group has started deploying a new information-stealing malware, dubbed Graphiron, in its attacks.

About the malware

Symantec researchers found evidence that Graphiron dates back to October 2022 and that Nodaria has since been using it with increasing frequency.
  • The malware is developed using Go version 1.18 and is capable of harvesting a wide range of information from the infected computer, including system information, credentials, screenshots, and files.
  • The malware is an improved version of the group's custom backdoor GraphSteel.
  • It has additional features to run shell commands and harvest system information, files, credentials, screenshots, and SSH keys.
  • Moreover, it communicates with the C2 server using port 443 and communications are encrypted using the AES cipher.

Technical analysis

  • The infection chains involve two stages, a downloader (Downloader.Graphiron) and a payload (Infostealer.Graphiron).
  • The downloader is responsible for retrieving the encrypted payload containing Infostealer.Graphiron from a remote server.
  • It is configured to check against a blacklist of malware analysis tools and to run just once, without making any further attempts.
  • The payload is capable of carrying out several tasks, including retrieving the hostname, system info, and user info and stealing stored passwords and data from Firefox, Thunderbird, and PuTTY.

Nodaria’s arsenal

Nodaria has been active since at least March 2021 and has been involved in attacks against Kyrgyzstan and Georgia.
  • The group’s known tools are WhisperGate, Elephant Dropper and Downloader, SaintBot downloader, OutSteel information stealer, GrimPlant (aka Elephant Implant), and GraphSteel (aka Elephant Client) information stealer.
  • Many of Nodaria’s earlier tools were written in Go, which hints that the tools are possibly authored by the same developers.

Wrapping up

Nodaria has repeatedly deployed custom backdoors in cyberattacks against Ukraine. While the group was relatively unknown prior to the Russian invasion of Ukraine, its high-level activity over the past year and the addition of advanced features in Graphiron suggest that it is updating its arsenal to launch more cyber campaigns against Ukraine.

Publisher: Cyware