Graphiron Malware Used Against Ukraine


A Russian-linked threat actor has been observed deploying new malicious software in cyber attacks targeting Ukraine. Dubbed Graphiron by Symantec, the malware is the work of an espionage group known as Nodaria, which CERT-UA tracks as UAC-0056. According to Symantec's Threat Hunter Team, the malware is written in Go and is designed to collect a wide range of information from the infected computer, including system information, credentials, screenshots and files.

Nodaria was first noticed by CERT-UA in January 2022 for using SaintBot and OutSteel malware in spear-phishing attacks against government entities. The hacking group has also been referred to as DEV-0586, TA471 and UNC2589 and has been linked to destructive WhisperGate (aka PAYWIPE) data wiper attacks on Ukrainian entities around the same time. It has been active since April 2021 and has deployed custom backdoors such as GraphSteel and GrimPlant in various campaigns following Russia's military invasion of Ukraine. Cobalt Strike Beacon was also used for post-exploitation in some intrusions.

Graphiron is the latest addition to Nodaria's toolkit and is an improved version of GraphSteel. It is written in Go version 1.18, which was released in March 2022, suggesting that it is a relatively recent development. The earliest evidence of its use dates back to October 2022, and it has been used in attacks until at least mid-January 2023.

The infection chain involves two stages: the first stage is a downloader that retrieves an encrypted payload containing the Graphiron malware from a remote server, and the second stage is Graphiron itself.

Graphiron is yet another example of the threat actor's focus on Ukraine and its government entities, making it important for organizations in the region to be aware of this new malicious software and take steps to protect themselves against it.

What is infostealing malware?

Infostealing malware is a dangerous type of malicious software that can be used to steal confidential information from computer systems without the user's knowledge. It can be used to gain access to passwords, financial data, and other sensitive information. Infostealing malware can also be used to spy on users by capturing screenshots or recording keystrokes. This type of malware is often spread through phishing emails, malicious websites, or infected files.

It is important for organizations and individuals to take steps to protect themselves against infostealing malware by using strong passwords, keeping their systems up to date with the latest security patches, and avoiding suspicious links or downloads. Additionally, it is important to monitor network traffic for anything unusual that could indicate an infection. By taking these precautions, organizations and individuals can help protect themselves from this type of malicious software.

February 9, 2023