Data center: Ashburn, VA

Telegram Chat : MBHH_x86

Email Us:

Mobile Hacker For Hire, hire a hacker, hiring a hacker, hacker with proof

Russian hackers using new Graphiron information stealer in Ukraine

Table of Contents

Hacker typing on a keyboard

The Russian hacking group known as ‘Nodaria’ (UAC-0056) is using a new information-stealing malware called ‘Graphiron’ to steal data from Ukrainian organizations.

The Go-based malware can harvest a wide range of information, including account credentials, system, and app data. The malware will also capture screenshots and exfiltrate files from compromised machines.

Symantec’s threat research team discovered that Nodaria has been using Graphiron in attacks since at least October 2022 through mid-January 2023.

Stealing sensitive information

Graphiron consists of a downloader and a secondary information-stealing payload. 

When launched, the downloader will check for various security software and malware analysis tools, and if none are detected, download the information-stealing component.

Some of the processes the downloader checks for include BurpSuite, Charles, Fiddler, rpcapd, smsniff, Wireshark, x96dbg, ollydbg, and idag.

The malware uses names such as OfficeTemplate.exe and MicrosoftOfficeDashboard.exe to masquerade as a Microsoft Office component on the breached system.

Its capabilities include the following:

  • Read MachineGuid
  • Obtain the IP address from
  • Retrieve the hostname, system info, and user info
  • Steal data from Firefox and Thunderbird
  • Steal private keys from MobaXTerm.
  • Steal SSH known hosts
  • Steal data from PuTTY
  • Steal stored passwords
  • Take screenshots
  • Create a directory
  • List a directory
  • Run a shell command
  • Steal an arbitrary file

The malware uses the following PowerShell code to steal passwords from the Windows Vault, the system’s built-in password manager, where saved credentials are stored in AES-256 encrypted form.

PowerShell command to steal user passwords
PowerShell code to retrieve user passwords (Symantec)

Graphiron uses AES encryption with hardcoded keys to communicate with the C2 server through port 443, a noteworthy similarity to older Nodaria tools like GraphSteal and GrimPlant.

Nodaria targeting Ukraine

Nodaria is the same threat actor that deployed a fake ransomware named ‘WhisperGate‘ on Ukrainian networks in January 2022, performing destructive data-wiping attacks.

Typically, Russian hackers deliver their payloads to targets via spear-phishing emails, with the ongoing war providing plenty of opportunity for effective baits.

“While Nodaria was relatively unknown prior to the Russian invasion of Ukraine, the group’s high-level activity over the past year suggests that it is now one of the key players in Russia’s ongoing cyber campaigns against Ukraine.” – Symantec.

Graphiron is the latest addition to Nodaria’s arsenal, combining the features of the group’s past custom tools into one payload while also featuring obfuscation.

This is a sign that Nodaria will continue to target Ukrainian organizations, attempting to collect valuable information from high-profile targets.

Leave a Reply

Your email address will not be published. Required fields are marked *

error: Content is protected !!