Checkpoint details a Primitive Bear (a.k.a. Gamaredon / Armagedon)-attributed campaign leveraging LitterDrifter malware via USB, a self-spreading USB worm. According to a separate report released by the Ukrainian Security Services, the threat actor can be linked to the Russian Federal Security Service (FSB). Checkpoint reported evidence of infections across the globe, including in the United States, Germany, Poland, and Hong Kong. Such large distribution may be due to the capability of the USB worm to spread beyond the intended target, which, based on available metrics, appears to be Ukraine - where the largest majority of the attacks in the wild were observed. LitterDrifter has a modular implant comprised of a spreader module which checks for a specific mediatype and infects the systems prioritizing portable pendrive drivers, and a command-and-control (C2) module with the ability to generate a built-in C2 or retrieve the C2 information from Telegram.
- Clipeus