{
	"id": "4765b947-b9a8-4e25-8ba1-3dbf88ad2a31",
	"created_at": "2026-05-07T02:43:03.648736Z",
	"updated_at": "2026-05-07T02:44:11.021649Z",
	"deleted_at": null,
	"sha1_hash": "8bbb47162318dff1bead4eee2b311e77e882f743",
	"title": "Malware Spotlight – Into the Trash: Analyzing LitterDrifter",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 94178,
	"plain_text": "Malware Spotlight – Into the Trash: Analyzing LitterDrifter\r\nBy etal\r\nPublished: 2023-11-17 · Archived: 2026-05-07 02:03:11 UTC\r\nIntroduction\r\nGamaredon, also known as Primitive Bear, ACTINIUM, and Shuckworm, is a unique player in the Russian\r\nespionage ecosystem that targets a wide variety of almost exclusively Ukrainian entities. While researchers often\r\nstruggle to uncover evidence of Russian espionage activities, Gamaredon is notably conspicuous. The group\r\nbehind it conducts large-scale campaigns while still primarily focusing on regional targets. The Security Service\r\nof Ukraine (SSU) identified the Gamaredon personnel as Russian Federal Security Service (FSB) officers.\r\nGamaredon’s large-scale campaigns are usually followed by data collection efforts aimed at specific targets,\r\nwhose selection is likely motivated by espionage goals. These efforts run parallel to the deployment of various\r\nmechanisms and tools designed to maintain as much access to these targets as possible. One such tool is a USB\r\npropagating worm that we have named LitterDrifter.\r\nThe LitterDrifter worm is written in VBS and has two main functionalities: automatic spreading over USB drives,\r\nand communication with a broad, flexible set of command-and-control servers. These features are implemented in\r\na manner that aligns with the group’s goals, effectively maintaining a persistent command and control (C2)\r\nchannel across a wide array of targets. 
LitterDrifter seems to be an evolution of a previously reported\r\nactivity tying the Gamaredon group to a propagating USB PowerShell worm.\r\nIn this report, we take an extensive dumpster dive into the analysis of Gamaredon’s LitterDrifter malware, as well\r\nas its C2 infrastructure.\r\nKey Points\r\nGamaredon continues to focus on a wide variety of Ukrainian targets, but due to the nature of the USB worm,\r\nwe see indications of possible infection in various countries such as the USA, Vietnam, Chile, Poland and\r\nGermany. In addition, we’ve observed evidence of infections in Hong Kong. All this might indicate that,\r\nmuch like other USB worms, LitterDrifter has spread beyond its intended targets.\r\nhttps://research.checkpoint.com/2023/malware-spotlight-into-the-trash-analyzing-litterdrifter/\r\nPage 1 of 9\n\nFigure 1 – VirusTotal submissions of LitterDrifter\r\nThe group recently started deploying LitterDrifter, a worm written in VBS, designed to propagate through\r\nremovable USB drives and secure a C2 channel.\r\nGamaredon’s infrastructure remains extremely flexible and volatile, while at the same time maintaining\r\npreviously reported characteristics and patterns.\r\nLitterDrifter Overview\r\nLitterDrifter is a self-propagating worm with two main functionalities: spreading over drives and establishing\r\na C2 channel to Gamaredon’s wide command and control infrastructure. Those two functionalities reside within an\r\norchestration component saved to disk as “trash.dll”, which is actually a VBS script despite its file extension.\r\nFigure 2 – A high-level execution scheme of LitterDrifter.\r\ntrash.dll, as the initial orchestration component, runs first; its main function is to decode and execute the\r\nother modules and maintain initial persistence in the victim’s environment.\r\nFollowing a successful execution, it runs the two extracted modules:\r\n1. 
Spreader module – Distributes the malware in the system and potentially spreads it to other environments by\r\nprioritizing infection of a logical disk with mediatype=NULL, usually associated with USB removable media.\r\n2. C2 Module – Retrieves a command and control server IP address by generating a random subdomain of a built-in C2 server, while also maintaining a backup option to retrieve a C2 IP address from a Telegram channel. Its main\r\npurpose is to establish communication with the attacker’s C\u0026C server and to execute incoming payloads.\r\nDumpster Diving\r\nDeobfuscoding the DEOBFUSCODER\r\nThe orchestration component (referred to as DEOBFUSCODER) is heavily obfuscated and is constructed from a\r\nseries of strings with character substitution obfuscation. It consists of 7 functions and variables with name\r\nmangling. Throughout the run of the “Deobfuscate” action, LitterDrifter invokes a function that pauses\r\nexecution for a few seconds (the exact time varies from sample to sample) before the following actions run.\r\n1. The main function takes two encoded strings (the other two malicious components) as parameters. It then\r\ndeclares two paths under the user’s “Favorites” directory, designed to store the two decoded scripts from\r\nthe other two encoded components of the VBS.\r\n2. To ensure its persistence, the Deobfuscoder makes a copy of the original script to a hidden file called\r\n“trash.dll” in the user’s directory.\r\n3. The script decodes the provided encoded strings and writes them to the “Favorites” directory as\r\n“jersey.webm”, the payload component, and “jaw.wm”, the spreader component (the names and\r\nextensions of the files and also the location inside %userprofile% differ between variants).\r\n4. 
After creating these files, the malware proceeds to set scheduled tasks for each of the two components,\r\nensuring they are regularly executed. In addition, it adds an entry to the user’s startup items in the Registry\r\nRun Keys to ensure they run upon startup.\r\nBoth the tasks and the startup entries are disguised using technical-sounding names such as\r\n“RunFullMemoryDiagnostic” and “ProcessMemoryDiagnosticEvents” to appear legitimate and avoid\r\narousing suspicion.\r\nFigure 3 – Deobfuscated snippet of the orchestrator DEOBFUSCODER’s Main Function.\r\nThe entire flow is deliberately obscured by ambiguous function and variable names as well as the use of inline\r\nscripting, which makes it difficult for casual observers to discern its intent and activities.\r\nSpreader Module Analysis\r\nThe core of the Spreader module lies in recursively accessing subfolders in each drive and creating LNK\r\ndecoy shortcuts, alongside a hidden copy of the “trash.dll” file.\r\nFigure 4 – trash.dll is distributed as a hidden file in a USB drive together with a decoy LNK.\r\nUpon execution, the module queries the computer’s logical drives using Windows Management Instrumentation\r\n(WMI), and searches for logical disks with the MediaType value set to null, a method often used to identify\r\nremovable USB drives.\r\nFigure 5 – LitterDrifter’s spreader component.\r\nFor each logical drive detected, the spreader invokes the createShortcutsInSubfolders function. 
Within this\r\nfunction, it iterates the subfolders of a provided folder up to a depth of 2.\r\nFor every subfolder, it employs the CreateShortcut function as part of the “Create LNK” action, which is\r\nresponsible for generating a shortcut with specific attributes. These shortcuts are LNK files that are given random\r\nnames chosen from an array in the code. This is an example of the lure names from an array in one of the\r\nsamples that we investigated: (\"Bank_accоunt\", \"постановa\", \"Bank_accоunt\", \"службовa\",\r\n\"cоmpromising_evidence\"). The LNK files use wscript.exe to execute “trash.dll” with the specified\r\narguments \" \"\"trash.dll\"\" /webm //e:vbScript //b /wm /cal \". In addition to generating the shortcut, the\r\nfunction also creates a hidden copy of “trash.dll” in the subfolder.\r\nFigure 6 – A function in the Spreader component used to iterate subfolders.\r\nC2 Module Analysis – Taking Out the Trash\r\nGamaredon’s approach to the C\u0026C is rather unique, as it utilizes domains as a placeholder for the\r\ncirculating IP addresses actually used as C2 servers.\r\nBefore attempting to contact a C2 server, the script checks the %TEMP% folder for an existing C2 configuration file\r\nwith a meaningless name that’s hardcoded in the malware. This mechanism acts as a self-check for the malware,\r\nverifying whether it has already infected the machine. If present, the current execution could simply be a scheduled\r\nexecution triggered by the persistence mechanisms discussed earlier. If there isn’t an existing config file, the\r\nmalware switches gears and pings one of Gamaredon’s domains using a WMI query: select * from\r\nwin32_pingstatus where address='Write\u003crandom_2_digit_number\u003e.ozaharso.ru'. 
The malware extracts the IP\r\nresolution for the domain from the response to the query and saves it to a new configuration file.\r\nFigure 7 – LitterDrifter retrieving the C2 IP address using a WMI query.\r\nWith the IP address in hand, LitterDrifter builds a URL from it. The format is usually along the lines\r\nof http://\u003ccncIP\u003e/jaw\u003crandom_2_digit_number\u003e/index.html=?\u003crandom_2_digit_number\u003e. The C2\r\ncommunication is carried out using a custom user-agent that contains some information about the machine. This\r\ninformation includes the computer name and a hexadecimal form of the %systemdrive% serial number.\r\nThe end result is a user-agent that looks like this: mozilla/5.0 (windows nt 6.1; wow64) applewebkit/537.36\r\n(khtml, like gecko) chrome/88.0.4324.152 yabrowser/21.2.3.106 yowser/2.5 safari/537.36;;\r\n\u003ccomputer_name\u003e_\u003csystem_drive_serial\u003e;;/.justly/.\r\nFigure 8 – LitterDrifter prepares the HTTP request, constructing the URL and user-agent.\r\nThe request’s HTTP headers are also carefully tailored. For example, in one of the samples we found,\r\nthe Referer field discreetly holds https://www.crimea.kp.ru/daily/euromaidan/, a nod to Crimea’s news site.\r\nIt also sneaks in some specifics for the Accept-Language header and the string marketCookie in the Cookie field.\r\nFigure 9 – HTTP request function.\r\nLitterDrifter utilizes a fail counter to choose which C2 method is relevant. The fail counter increases each time the\r\nC2 fails to return either a payload or a Telegram backup channel, from which LitterDrifter extracts an alternative\r\nC2. 
The flow of the code suggests the first answer to return is usually a Telegram channel ID, which is saved in a\r\nbackup file.\r\nBased on the fail count, LitterDrifter chooses which C2 to connect to:\r\nIf the fail counter is currently set to 0, the request is sent to the address saved in the configuration file.\r\nIf the fail counter is currently set to 1, LitterDrifter attempts to resolve its embedded C2 domain using a\r\nWMI query, as previously described.\r\nIf the fail counter is set to 2, LitterDrifter attempts to connect to a C2 extracted from a Telegram backup\r\nchannel, using a different user-agent and a Referer of https://www.interfax.ru/tags/, which is\r\nanother Russian news site. From there, it extracts an IP address used as a C2.\r\nFigure 10 – Gamaredon’s Telegram channel that conceals a C\u0026C IP address.\r\nIf a payload is found within the C2 reply, LitterDrifter tries to decode it. It unwraps any base64 content and\r\nattempts to run the decoded data. Based on our analysis, the payload is not downloaded to most targets.\r\nFigure 11 – LitterDrifter’s fail count options and execution of a received payload (Deobfuscated).\r\nInfrastructure\r\nDuring our analysis, we noticed distinct patterns in the infrastructure employed by Gamaredon in this operation.\r\nThis includes registration patterns, as all of the domains used by Gamaredon’s LitterDrifter are registered\r\nby REGRU-RU and are part of the .ru TLD. 
These findings align with other past reports of Gamaredon’s\r\ninfrastructure.\r\nBased on some of the patterns, we were able to associate specific domains and subdomains with LitterDrifter’s\r\noperation, and to link other domains to other clusters of Gamaredon’s activity.\r\nIn the LitterDrifter campaign, the C2 module gets the resolution for a Gamaredon-owned domain through a WMI\r\nquery. It does so by generating a random subdomain of a hardcoded domain, using random words and digits, so\r\neach domain exhibits a diverse range of associated subdomains. Some domains have just a few subdomains, while\r\nothers have several hundred. The following charts show the number of subdomains for each of the domains we\r\nencountered:\r\nFigure 12 – Number of subdomains per domain.\r\nAs we described earlier, the WMI query to Gamaredon’s domain returns an IP address that is used as the\r\noperational C2 of the campaign. On average, an IP address remains operational for roughly 28 hours. However,\r\nthe IP address serving as the active C2 usually changes several times a day (all of the IP addresses used might fall\r\nwithin the same subnet), as seen below:\r\nFigure 13 – Number of C\u0026C IP addresses per day in the past 2 months.\r\nConclusion\r\nIn this report, we explored the inner workings of this recently identified worm. Comprising two primary\r\ncomponents – a spreading module and a C2 module – LitterDrifter was clearly designed to support a large-scale collection operation. 
It leverages simple yet effective techniques to ensure it can reach the widest possible\r\nset of targets in the region.\r\nLitterDrifter doesn’t rely on groundbreaking techniques and may appear to be a relatively unsophisticated piece of\r\nmalware. However, this same simplicity is in line with its goals, mirroring Gamaredon’s overall approach. This\r\nmethod has demonstrated considerable effectiveness, as evidenced by the group’s sustained activities in Ukraine.\r\nCheck Point Customers Remain Protected\r\nCheck Point customers remain protected against the attacks detailed in this report while using Check Point Harmony\r\nEndpoint and ThreatCloud.\r\nIndicators of Compromise\r\nLitterDrifter samples\r\nInfrastructure\r\nSource: https://research.checkpoint.com/2023/malware-spotlight-into-the-trash-analyzing-litterdrifter/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2023/malware-spotlight-into-the-trash-analyzing-litterdrifter/"
	],
	"report_names": [
		"malware-spotlight-into-the-trash-analyzing-litterdrifter"
	],
	"threat_actors": [],
	"ts_created_at": 1778121783,
	"ts_updated_at": 1778121851,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8bbb47162318dff1bead4eee2b311e77e882f743.pdf",
		"text": "https://archive.orkl.eu/8bbb47162318dff1bead4eee2b311e77e882f743.txt",
		"img": "https://archive.orkl.eu/8bbb47162318dff1bead4eee2b311e77e882f743.jpg"
	}
}