New info-stealing malware used against Ukraine organizations

A new information-stealing malware named Graphiron is being used against a wide range of targets in Ukraine, according to new research.

Researchers from Symantec declined to say which sorts of organizations are being targeted but confirmed that the attacks are being launched by an espionage group named Nodaria.

They added that there is “limited evidence” that the group is targeting organizations in Kyrgyzstan, while other reports indicate Nodaria has launched attacks on Georgia. It has been active since at least March 2021.

Since October 2022, the group has used Graphiron – a malware written in the Go programming language that is designed to harvest “a wide range of information from the infected computer, including system information, credentials, screenshots, and files.”

The malware uses file names that allow it to masquerade as Microsoft Office executables like OfficeTemplate.exe and MicrosoftOfficeDashboard.exe.

It is built to obtain the device’s IP address, system information and user information while also stealing data from Firefox and Thunderbird. It even takes screenshots of the device, creates a directory and steals stored passwords.

The tool resembles other malware used by Nodaria including tools like GraphSteel and GrimPlant. Both were used at the outset of Russia’s invasion of Ukraine by pro-Kremlin hacktivists to target government organizations through phishing attacks.

GrimPlant grants attackers remote control of PowerShell commands, while GraphSteel is used to exfiltrate sensitive data.  

On March 11, 2022, CERT-UA revealed that several "entities" had received emails containing a link for a “critical updates” download through a 60MB file. After further investigation, they found that the file prompted a chain of other downloads, including the GrimPlant and GraphSteel backdoors. Hackers were then able to steal sensitive information.

Another phishing campaign using the same malware was discovered two weeks later.

“GraphSteel is designed to exfiltrate files along with system information and credentials stolen from the password vault using PowerShell. Graphiron has similar functionality but can exfiltrate much more, such as screenshots and SSH [Secure Shell] keys,” Symantec researchers explained. 

“Graphiron appears to be the latest piece of malware authored by the same developers, likely in response to a need for additional functionality.”

Nodaria first came to the attention of cybersecurity researchers after the group was linked to the headline-grabbing WhisperGate wiper attacks that hit multiple Ukrainian government computers and websites in January 2022. 

WhisperGate masqueraded as ransomware but simply wiped infected devices instead of offering opportunities to pay a ransom. 

WhisperGate had some similarities to the NotPetya wiper that attacked Ukrainian businesses in 2017, according to CiscoTalos. It destroys the master boot record (MBR) instead of encrypting it. The malware’s goal is to render targeted devices inoperable rather than to obtain a ransom, according to Microsoft.

Symantec researchers said Nodaria’s latest tool was evidence that the group continues to evolve its capabilities in an effort to circumvent defensive efforts. 

“While Nodaria was relatively unknown prior to the Russian invasion of Ukraine, the group’s high-level activity over the past year suggests that it is now one of the key players in Russia’s ongoing cyber campaigns against Ukraine,” they said.