A Russia-affiliated adversary has been caught utilizing new information-stealing malware in cyberattacks aimed at Ukraine. Named Graphiron by Symantec, a subsidiary of Broadcom, the malware is the work of an espionage group known as Nodaria, which is monitored by the Computer Emergency Response Team of Ukraine (CERT-UA) under the label UAC-0056.
According to the Symantec Threat Hunter Team, the malware, written in Go, is created to collect a broad array of information from infected computers, including system information, credentials, screenshots, files, and more.
CERT-UA first brought Nodaria to light in January 2022, drawing attention to the adversary’s usage of SaintBot and OutSteel malware in spear-phishing attacks on government entities. The group, which is believed to have been active since at least April 2021, has repeatedly deployed custom backdoors, including GraphSteel and GrimPlant, in various campaigns following Russia’s military invasion of Ukraine. Some intrusions also involved the delivery of the Cobalt Strike Beacon for post-exploitation.
Graphiron, the newest addition to the group’s arsenal, is an improved version of GraphSteel that includes features for running shell commands and harvesting system information, files, credentials, screenshots, and SSH keys. The reliance on Go version 1.18, which was officially released in March 2022, indicates that Graphiron is a more recent development compared to GraphSteel and GrimPlant, which utilized Go version 1.16.
The earliest evidence of Graphiron’s usage dates back to October 2022 and has been used in attacks until at least mid-January 2023. An analysis of the infection chains reveals the presence of two stages, with a downloader responsible for retrieving the encrypted payload containing the Graphiron malware from a remote server.
With these latest findings, Nodaria joins another Russian state-sponsored group known as Gamaredon in actively targeting Ukraine. Symantec notes that while Nodaria was relatively unknown before the Russian invasion of Ukraine, the group’s high level of activity over the past year suggests that it is now one of the key players in Russia’s ongoing cyber campaigns against Ukraine.
