An updated piece of information-stealing malware is being used against targets in Ukraine by the Nodaria spy organization, also known as UAC-0056. The malware was created in Go and is intended to gather a variety of data from the infected computer, including screenshots, files, system information, and login passwords.
The two-stage threat known as graphiron consists of a downloader and a payload. The downloader has the addresses of command-and-control (C&C) servers hardcoded in. It will look for active processes when it is executed and compare them to a blacklist of malware analysis tools.
If no processes on the blacklist are discovered, this will connect to a C&C server, download the payload, and then decrypt it before adding it to autorun. The downloader is set up to run only once. It won't try again or send a signal if it is unable to download and run the payload.
Graphiron shares several characteristics with earlier Nodaria tools like GraphSteel and GrimPlant. Advanced features allow it to execute shell commands, gather system data, files, login passwords, screenshots, and SSH keys. Further, it uses port 443 to communicate with the C2 server, and all communications are encrypted using an AES cipher.
Attacks against Georgia and Kyrgyzstan have been carried out by Nodaria since at least March 2021. The recognized tools used by the group include WhisperGate, Elephant Dropper and Downloader, SaintBot downloader, OutSteel information stealer, GrimPlant, and GraphSteel information stealer.