Russian Nodaria APT Uses Graphiron Infostealer Malware in Ukraine

Researchers have discovered a Russian linked ATP group, tracked as Nodaria deploying new info-stealing malware, dubbed Graphiron, in attacks against Ukraine.

The Nodaria APT group incorporates the Graphiron malware that allows operators to harvest a wide range of information from the infected systems, including system info, credentials, screenshots, and files.

Graphiron originally written in Go programming language comprises two-stage components:

Downloader – Downloader.Graphiron
Payload – Infostealer.Graphiron

Advertisements

The downloader contains hardcoded command-and-control (C&C) server addresses. When executed, it will check against a blacklist of malware analysis tools by checking for running processes with the following names:

BurpSuite
BurpSuite Free
Charles
dumpcap
Fiddler
httpsMon
mitmdump
mitmweb
NetworkMiner
Proxifier
rpcapd
smsniff
tshark
WinDump
Wireshark
x96dbg
ollydbg
idag

It will connect to a C&C server and download and decrypt the payload before adding it to autorun.The downloader is configured to run just once. If it fails to download and install the payload it won’t make further attempts nor send a heartbeat. The experts pointed out that the downloader runs just once if it fails will be no more executed.

Graphiron uses AES encryption with hardcoded keys. It creates temporary files with the “.lock” and “.trash” extensions. It uses hardcoded file names designed to masquerade as Microsoft office executables: OfficeTemplate.exe and MicrosoftOfficeDashboard.exe.

The payload can carry out the following tasks:

Obtains the IP address from https://checkip.amazonaws.com
Retrieves the hostname, system info, and user info
Steals data from Firefox and Thunderbird
Steals private keys from MobaXTerm.
Steals SSH known hosts
Steals data from PuTTY
Steals stored passwords
Takes screenshots
Creates a directory
Lists a directory
Runs a shell command
Steals an arbitrary file

The malicious code uses a PowerShell command to steal passwords on the infected system.

Their exists similarities between Graphiron and older tools in the Nodaria’s arsenal, such as GraphSteel and GrimPlant. Nodaria was linked to the WhisperGate wiper attacks against Ukrainian government computers and websites in January 2022.

The attack chain used by the APT group usually starts with spear-phishing messages, which are then used to deliver a malicious payload to victims. The list of custom tools used by the group includes:

Elephant Dropper: A dropper
Elephant Downloader: A downloader
SaintBot: A downloader
OutSteel: Information stealer
GrimPlant (aka Elephant Implant): Collects system information and maintains persistence
GraphSteel (aka Elephant Client): Information stealer