Russian-made Ukraine-targeting malware has infested systems worldwide, spreading via USB stick

(Image credit: Shutterstock)

A worm originally made for espionage against Ukraine has now been identified as a nuisance worldwide as it branching out globally, collecting and transmitting user's data without their knowledge. 

The worm, called 'LitterDrifter', was made by Russian hackers known under multiple names (one of which is Gamaredon), whose cyber attacks typically use malware and have gained a reputation for it. In 2014, Ukraine's security service claimed this was done by Russia's Federal Security Service, the Kremlin.  Despite this identification, the threat wasn't contained on time and has since been found to be infecting systems globally. It's been found to have collected information from users in the United States, Chile, Poland, Germany, Vietnam, and Hong Kong, as well as in Ukraine. 

Unlike viruses, worms typically spread through systems on their own. Because of this, it was only a matter of time before LitterDrifter started operating outside its intended target — whether this was intentional or not, we'll never truly know. 

This malicious code has been tracked by Check Point Research, which did extensive research on its method and its indicators. The research group says this worm affects computers through USB drives. The code is written using Visual Basic scripting language, which permanently infects systems connected through infected USB drives and sends data to Gamaredon's servers. Specifically, this type of malware affects the Windows Management Instrumentation (WMI) framework. Typically the infected USB drives will create an LNK shortcut and insert a copy of the 'trash.dll' file to the system.  

It may sound like a simple delivery method, but it's effective enough to infect both intended and unintended targets. It's been nine years since it was created, so it's had plenty of time to spread worldwide and is likely not limited to the countries mentioned above. By no means are these worms made for small-scale data mining. Since its method of delivery is via a USB connection, it needs to be simple enough for infected USB drives to propagate through connected systems. 

Worms used by other states

As concerning as LitterDrifter is, it's not the only worm causing problems. Stuxnet, which was allegedly created through a U.S. collaboration with Israel to spy on Iran, has also been found on systems worldwide. Sadly, this is a very common occurrence with this type of delivery method, where such worms operate beyond their targeted locations for many years. Active servers that receive this data are usually a telltale sign that groups are still gathering data. 

It's unlikely we'll see such a method of delivery banned by international laws, as many countries feel the need to have such data harvesting methods available. And even if bans are placed globally, such restrictions will likely be ignored as reinforcement is difficult (especially against dominant players). The best way to fight this problem is with malware protection applications that can clean both the system and its carriers (a USB drive, in this case). 

Roshan Ashraf Shaikh
Contributing Writer

Roshan Ashraf Shaikh has been in the Indian PC hardware community since the early 2000s and has been building PCs, contributing to many Indian tech forums, & blogs. He operated Hardware BBQ for 11 years and wrote news for eTeknix & TweakTown before joining Tom's Hardware team. Besides tech, he is interested in fighting games, movies, anime, and mechanical watches.