September 30, 2023

Researchers have discovered a Russian linked ATP group, tracked as Nodaria deploying new info-stealing malware, dubbed Graphiron, in attacks against Ukraine.

The Nodaria APT group incorporates the Graphiron malware that allows operators to harvest a wide range of information from the infected systems, including system info, credentials, screenshots, and files.

Graphiron originally written in Go programming language comprises two-stage components:

  • Downloader – Downloader.Graphiron
  • Payload – Infostealer.Graphiron

The downloader contains hardcoded command-and-control (C&C) server addresses. When executed, it will check against a blacklist of malware analysis tools by checking for running processes with the following names:

  • BurpSuite
  • BurpSuite Free
  • Charles
  • dumpcap
  • Fiddler
  • httpsMon
  • mitmdump
  • mitmweb
  • NetworkMiner
  • Proxifier
  • rpcapd
  • smsniff
  • tshark
  • WinDump
  • Wireshark
  • x96dbg
  • ollydbg
  • idag

It will connect to a C&C server and download and decrypt the payload before adding it to autorun.The downloader is configured to run just once. If it fails to download and install the payload it won’t make further attempts nor send a heartbeat. The experts pointed out that the downloader runs just once if it fails will be no more executed.

Graphiron uses AES encryption with hardcoded keys. It creates temporary files with the “.lock” and “.trash” extensions. It uses hardcoded file names designed to masquerade as Microsoft office executables: OfficeTemplate.exe and MicrosoftOfficeDashboard.exe.

The payload can carry out the following tasks:

  • Obtains the IP address from
  • Retrieves the hostname, system info, and user info
  • Steals data from Firefox and Thunderbird
  • Steals private keys from MobaXTerm.
  • Steals SSH known hosts
  • Steals data from PuTTY
  • Steals stored passwords
  • Takes screenshots
  • Creates a directory
  • Lists a directory
  • Runs a shell command
  • Steals an arbitrary file

The malicious code uses a PowerShell command to steal passwords on the infected system.

Their exists similarities between Graphiron and older tools in the Nodaria’s arsenal, such as GraphSteel and GrimPlant. Nodaria was linked to the WhisperGate wiper attacks against Ukrainian government computers and websites in January 2022.

The attack chain used by the APT group usually starts with spear-phishing messages, which are then used to deliver a malicious payload to victims. The list of custom tools used by the group includes:

  • Elephant Dropper: A dropper
  • Elephant Downloader: A downloader
  • SaintBot: A downloader
  • OutSteel: Information stealer
  • GrimPlant (aka Elephant Implant): Collects system information and maintains persistence
  • GraphSteel (aka Elephant Client): Information stealer

Graphiron appears to be the latest piece of malware authored by the same developers, likely in response to a need for additional functionality. While GraphSteel and GrimPlant used Go version 1.16, Graphiron uses version 1.18, confirming it is a more recent development. Since the group is active post Russian invasion in Ukraine, it is seen as one of the key players.

This research was documented by researchers from Symantec

Indicators of Compromise

  • 0d0a675516f1ff9247f74df31e90f06b0fea160953e5e3bada5d1c8304cfbe63
  • 878450da2e44f5c89ce1af91479b9a9491fe45211fee312354dfe69e967622db
  • 80e6a9079deffd6837363709f230f6ab3b2fe80af5ad30e46f6470a0c73e75a7
  • eee1d29a425231d981efbc25b6d87fdb9ca9c0e4e3eb393472d5967f7649a1e6
  • f0fd55b743a2e8f995820884e6e684f1150e7a6369712afe9edb57ffd09ad4c1
  • f86db0c0880bb81dbfe5ea0b087c2d17fab7b8eefb6841d15916ae9442dd0cce

Leave a Reply

%d bloggers like this: