LitterDrifter: Another USB Worm Spreading Malicious Code

Check Point has detected the deployment of a novel USB worm, known as “LitterDrifter,” in targeted attacks. The worm propagates malicious software autonomously through connected USB drives and communicates with the attackers' command-and-control servers. It is suspected to be an evolution of a PowerShell-based USB worm previously identified by Symantec.

“LitterDrifter,” written in VBS, is distributed as a hidden file on USB drives alongside a decoy LNK shortcut given a random name. A distinctive feature of the worm is its ability to connect to a command server whose address is extracted from a Telegram channel, a method increasingly utilized since the beginning of this year.

A high-level execution scheme of LitterDrifter USB Worm | Image: Check Point

Signs of potential infections have been detected in Ukraine, the United States, Vietnam, Chile, Poland, Germany, and Hong Kong. An active presence and continual evolution of attack methods have been observed in 2023, including rapid data exfiltration immediately after compromise. The company noted that “LitterDrifter was designed to support a large-scale collection operation. It leverages simple, yet effective techniques to ensure it can reach the widest possible set of targets in the region.”

Other reports indicate attacks targeting embassies throughout Europe, including in Italy, Greece, Romania, and Azerbaijan. These incursions are linked to the exploitation of a recently discovered vulnerability in WinRAR and phishing emails containing links to specially crafted ZIP files, which trigger the vulnerability and initiate PowerShell scripts from a remote server.