Russian Nodaria APT Adds Advanced Information Stealing Functionality

About the malware

• The malware is developed using Go version 1.18 and is capable of harvesting a wide range of information from the infected computer, including system information, credentials, screenshots, and files.
• The malware is an improved version of the group's custom backdoor GraphSteel.
• It has additional features to run shell commands and harvest system information, files, credentials, screenshots, and SSH keys.
• Moreover, it communicates with the C2 server using port 443 and communications are encrypted using the AES cipher.

Technical analysis

• The infection chains involve two stages, a downloader (Downloader.Graphiron) and a payload (Infostealer.Graphiron).
• The downloader is responsible for retrieving the encrypted payload containing the Infostealer.Graphiron from a remote server. 
• It is configured to check against a blacklist of malware analysis tools and run just once without making any further attempts.
• The payload is capable of carrying out several tasks, including retrieving the hostname, system info, and user info and stealing stored passwords and data from Firefox, Thunderbird, and PuTTY.

Nodaria’s arsenal

• The group’s known tools are WhisperGate, Elephant Dropper and Downloader, SaintBot downloader, OutSteel information stealer, GrimPlant (aka Elephant Implant), and GraphSteel (aka Elephant Client) information stealer.
• Many of Nodaria’s earlier tools were written in Go, which hints that the tools are possibly authored by the same developers.

Wrapping up