Russian Hackers Using Graphiron Malware to Steal Data from Ukraine

February 8, 2023 | Ravie Lakshmanan | Threat Intelligence / Data Security


A Russian-linked actor has been observed deploying new information-stealing malware in a cyberattack targeting Ukraine.

Dubbed Graphiron by Broadcom-owned Symantec, the malware is the handiwork of an espionage group known as Nodaria, which is tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) as UAC-0056.

In a report shared with The Hacker News, the Symantec Threat Hunter Team said, “This malware is written in Go and is designed to collect a variety of information from the infected computer, including system information, credentials, screenshots, and files.”

Nodaria was first brought to the attention of CERT-UA in January 2022, when adversaries used the SaintBot and OutSteel malware in spear-phishing attacks targeting government agencies.

The group is believed to have been active since at least April 2021, and has repeatedly deployed custom backdoors such as GraphSteel and GrimPlant in various campaigns since Russia’s military invasion of Ukraine. Some intrusions also involved delivering Cobalt Strike Beacon post-exploitation.

The latest program to be added to the group’s arsenal is Graphiron, an improved version of GraphSteel that includes the ability to run shell commands and collect system information, files, credentials, screenshots, and SSH keys.

Another detail worth noting is that GraphSteel and GrimPlant were compiled with Go version 1.16, while Graphiron relies on version 1.18, which officially shipped in March 2022. This also suggests that Graphiron is a more recent development.
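The toolchain-version reasoning above is something a defender can reproduce during sample triage, because a Go binary carries a build-info header that names the compiler that produced it. The following script is an added example, not code from the article or from Symantec: it parses the `\xff Go buildinf:` header in the inline-string layout introduced with Go 1.18, falls back to a plain `go1.NN` string scan for older layouts (a heuristic, not a guarantee), and buckets the result by toolchain generation. The sample blobs it runs against are constructed here and are not real malware samples; `constructed_sample` and `go_minor` are helper names chosen for this example.

```python
import re

BUILDINFO_MAGIC = b"\xff Go buildinf:"   # 14-byte magic that starts the 32-byte header
FLAG_VERSION_INLINE = 0x2                # header flag bit: version string stored inline (Go >= 1.18)


def _read_uvarint(buf: bytes, pos: int):
    """Decode an unsigned LEB128 varint at buf[pos]; return (value, next_pos)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if b < 0x80:
            return value, pos
        shift += 7


def go_build_version(blob: bytes):
    """Return the toolchain version string embedded in a Go binary, or None.

    Go >= 1.18 stores the version inline right after the 32-byte header;
    older toolchains store pointers instead, so for those (and for a
    missing header) we fall back to scanning for a 'go1.NN' string.
    """
    idx = blob.find(BUILDINFO_MAGIC)
    if idx != -1 and idx + 32 <= len(blob):
        flags = blob[idx + 15]           # byte 14 is pointer size, byte 15 is flags
        if flags & FLAG_VERSION_INLINE:
            length, pos = _read_uvarint(blob, idx + 32)
            return blob[pos:pos + length].decode("ascii", "replace")
    m = re.search(rb"go1\.\d+(?:\.\d+)?", blob)
    return m.group(0).decode("ascii") if m else None


def go_minor(version: str) -> int:
    """'go1.18.1' -> 18, so samples can be bucketed by toolchain generation."""
    m = re.fullmatch(r"go1\.(\d+)(?:\.\d+)?", version)
    if not m:
        raise ValueError(f"unrecognised Go version string: {version!r}")
    return int(m.group(1))


def constructed_sample(version: bytes, inline: bool = True) -> bytes:
    """Build a fake byte blob carrying a Go build-info header.

    Constructed test data for this example, not a real sample.
    inline=True mimics the 1.18+ layout; inline=False mimics the older
    pointer-based layout, where only the string scan can find the version.
    """
    flags = FLAG_VERSION_INLINE if inline else 0
    header = BUILDINFO_MAGIC + bytes([8, flags]) + b"\x00" * 16   # ptrSize=8, padded to 32 bytes
    body = bytes([len(version)]) + version if inline else b"\x00" * 8 + version
    return b"\x00" * 64 + header + body + b"\x00" * 16


if __name__ == "__main__":
    for sample in (constructed_sample(b"go1.18.1"),
                   constructed_sample(b"go1.16.5", inline=False)):
        v = go_build_version(sample)
        bucket = "1.18+ toolchain" if go_minor(v) >= 18 else "pre-1.18 toolchain"
        print(v, bucket)
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `go_build_version`; the version string alone does not attribute a sample, but it is one more pivot for clustering binaries from the same development effort, which is how the article uses it.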

Additionally, analysis of the infection chain revealed a two-stage downloader that retrieves an encrypted payload containing the Graphiron malware from a remote server.

The latest findings place Nodaria alongside Gamaredon, another Russian state-sponsored group, among the actors that have singled out Ukraine as a target.

“Nodaria was not well known prior to Russia’s invasion of Ukraine, but the group’s high-level activity over the past year suggests that it is now one of the key players in Russia’s ongoing cyber campaign against Ukraine,” Symantec said.
