Nodaria, a Russian hacking group, has been using a new type of malware called Graphiron to steal data from Ukrainian organizations. Graphiron is a Go-based malware capable of harvesting a wide range of information, including account credentials, system data, and application data. It can also take screenshots and exfiltrate files from compromised machines. Symantec's threat research team found that Nodaria used Graphiron from October 2022 to mid-January 2023.

The malware consists of a downloader and a secondary payload that steals information. The downloader checks for security software and malware analysis tools, and only if none are found does it download the information-stealing component. Graphiron also uses PowerShell code to steal passwords from the Windows Vault, where Windows stores saved credentials in AES-256 encrypted form. It communicates with its C2 server over port 443, as older Nodaria tools such as GraphSteal and GrimPlant did.

Nodaria is also responsible for deploying WhisperGate, a fake ransomware, on Ukrainian networks in January 2022, where it carried out destructive data-wiping attacks. The group usually delivers its payloads to targets via spear-phishing emails that exploit the ongoing war as a lure.

Graphiron is the latest addition to Nodaria's arsenal: it combines the features of the group's past custom tools into a single payload and adds obfuscation. This indicates that Nodaria will continue to target Ukrainian organizations, attempting to collect valuable information from high-profile targets.
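Two of the behaviours described above are observable from endpoint telemetry: PowerShell touching the Windows Vault, and a process outside the usual software locations talking out on TCP/443. The script below is an added detection example written for this summary; it is not Symantec's tooling, not Graphiron code, and not a signature for Graphiron. It assumes Sysmon-style key=value records (constructed here), treats a reference to the WinRT class `Windows.Security.Credentials.PasswordVault` or to the `vaultcmd` utility in a PowerShell command line as the vault-access indicator, decodes `-EncodedCommand` payloads so base64 wrapping does not hide that reference, and flags an outbound 443 connection when the image lives under a user-writable path such as `AppData` or `Temp`. The thresholds and markers are heuristics to tune, not facts from the article.

```python
"""Detection heuristics for PowerShell Windows Vault access and outbound 443
from user-writable paths. Added example with constructed sample records."""
import base64
import re


def _encode_ps(script: str) -> str:
    # PowerShell's -EncodedCommand takes base64 of the UTF-16LE script text.
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed Sysmon-style records (EventID 1 = process create, 3 = network
# connection). These are illustrative, not real Graphiron telemetry.
SAMPLE_LOGS = [
    r'EventID=1 Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'CommandLine="powershell.exe -NoProfile -Command Get-Process"',
    r'EventID=1 Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'CommandLine="powershell.exe -w hidden -Command $v = New-Object Windows.Security.Credentials.PasswordVault"',
    'EventID=1 Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell.exe -w hidden -enc '
    + _encode_ps("New-Object Windows.Security.Credentials.PasswordVault") + '"',
    r'EventID=3 Image="C:\Users\alice\AppData\Local\Temp\update.exe" '
    r'DestinationIp=203.0.113.10 DestinationPort=443',
    r'EventID=3 Image="C:\Program Files\Mozilla Firefox\firefox.exe" '
    r'DestinationIp=203.0.113.20 DestinationPort=443',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# -e / -ec / -enc / -EncodedCommand followed by a base64 token.
ENC_RE = re.compile(r'-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)', re.IGNORECASE)
VAULT_MARKERS = ("windows.security.credentials.passwordvault", "vaultcmd")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def parse_record(line: str) -> dict:
    """Turn a key=value line (values optionally double-quoted) into a dict."""
    return {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(line)}


def expand_command_line(cmd: str) -> str:
    """Return the command line plus any decoded -EncodedCommand payload so the
    script body is inspected as plain text rather than as base64."""
    expanded = cmd
    for token in ENC_RE.findall(cmd):
        try:
            expanded += " " + base64.b64decode(token).decode("utf-16-le", errors="ignore")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return expanded


def check_record(rec: dict) -> list:
    """Apply both heuristics to one parsed record; return the reasons that fired."""
    reasons = []
    image = rec.get("Image", "").lower()
    if rec.get("EventID") == "1" and "powershell" in image:
        text = expand_command_line(rec.get("CommandLine", "")).lower()
        if any(marker in text for marker in VAULT_MARKERS):
            reasons.append("powershell-windows-vault-access")
    if rec.get("EventID") == "3" and rec.get("DestinationPort") == "443":
        if any(d in image for d in USER_WRITABLE):
            reasons.append("tcp443-from-user-writable-path")
    return reasons


def scan(lines) -> list:
    """Return (record index, reason) pairs for every heuristic that fired."""
    return [(i, reason)
            for i, line in enumerate(lines)
            for reason in check_record(parse_record(line))]


if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_LOGS):
        print(f"record {idx}: {reason}")
```

Record 0 (a plain `Get-Process`) and record 4 (a browser in `Program Files` on 443) produce no hits; records 1 and 2 fire the vault heuristic, the second only because the encoded command was decoded first, and record 3 fires the 443 heuristic. Both rules will need allow-listing in a real estate (backup agents and updaters also run from user-writable paths and use 443), so treat them as triage signals to correlate rather than blocking rules.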
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 08 Feb 2023 15:00:03 +0000