A Russia-linked threat actor has been observed deploying a new information-stealing malware in cyber attacks targeting Ukraine.
Dubbed Graphiron by Broadcom-owned Symantec, the malware is the handiwork of an espionage group known as Nodaria, which is tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) as UAC-0056.
“The malware is written in Go and is designed to harvest a wide range of information from the infected computer, including system information, credentials, screenshots, and files,” the Symantec Threat Hunter Team said in a report shared with The Hacker News.
Nodaria was first spotlighted by CERT-UA in January 2022, which called attention to the adversary’s use of SaintBot and OutSteel malware in spear-phishing attacks targeting government entities.
The group, which is said to have been active since at least April 2021, has since repeatedly deployed custom backdoors such as GraphSteel and GrimPlant in various campaigns following Russia’s military invasion of Ukraine. Select intrusions have also involved the delivery of Cobalt Strike Beacon for post-exploitation.
Graphiron, the latest program added to the group’s arsenal, is an improved version of GraphSteel, packing in features to run shell commands and harvest system information, files, credentials, screenshots, and SSH keys.
Another notable aspect is that while GraphSteel and GrimPlant were built with Go version 1.16, Graphiron relies on version 1.18, which officially shipped in March 2022. This also suggests that Graphiron is a more recent development.
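The Go toolchain version that the report uses to date the samples is recorded by the Go linker in every Go binary and can be read without executing the file. The following is an added triage example, not code from Symantec or the report; it uses the standard `debug/buildinfo` package (Go 1.18+) and the version thresholds 1.16 and 1.18 quoted above, with the file paths supplied on the command line being the only assumption.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"regexp"
	"strconv"
)

// GoToolchain returns the toolchain version string (e.g. "go1.18.1") that the
// Go linker embedded in the binary at path. The file is only parsed, never run.
func GoToolchain(path string) (string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return bi.GoVersion, nil
}

var goVersRe = regexp.MustCompile(`^go(\d+)\.(\d+)`)

// ParseGoVersion extracts major and minor from strings such as "go1.18.3",
// "go1.16" or "go1.18rc1". ok is false for strings it cannot parse
// (for example development builds reported as "devel ...").
func ParseGoVersion(v string) (major, minor int, ok bool) {
	m := goVersRe.FindStringSubmatch(v)
	if m == nil {
		return 0, 0, false
	}
	major, _ = strconv.Atoi(m[1])
	minor, _ = strconv.Atoi(m[2])
	return major, minor, true
}

// AtLeast reports whether toolchain version v is at or after major.minor,
// which lets a sample be bucketed as "built with 1.18 or later" (Graphiron)
// versus "1.16-era" (GraphSteel, GrimPlant) during triage.
func AtLeast(v string, major, minor int) bool {
	maj, mn, ok := ParseGoVersion(v)
	if !ok {
		return false
	}
	return maj > major || (maj == major && mn >= minor)
}

func main() {
	for _, p := range os.Args[1:] { // paths to suspected Go binaries
		v, err := GoToolchain(p)
		if err != nil {
			fmt.Printf("%s: not a readable Go binary (%v)\n", p, err)
			continue
		}
		fmt.Printf("%s: %s (built with Go 1.18 or later: %v)\n", p, v, AtLeast(v, 1, 18))
	}
}
```

A toolchain version only bounds the build date from below; it is a pivot for clustering samples, not proof of attribution on its own.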
Furthermore, an analysis of the infection chains reveals two stages: a downloader that retrieves an encrypted payload containing the Graphiron malware from a remote server, and the Graphiron payload itself.
With the latest findings, Nodaria joins another Russian state-sponsored group called Gamaredon in extensively singling out Ukraine.
“While Nodaria was relatively unknown prior to the Russian invasion of Ukraine, the group’s high-level activity over the past year suggests that it’s now one of the key players in Russia’s ongoing cyber campaigns against Ukraine,” Symantec said.