Synapse-ORKL User Guide

Synapse-ORKL adds new Storm commands to allow you to query the ORKL API.

Getting Started

Check with your Synapse admin to confirm that your user has been granted the permissions needed to run the Synapse-ORKL Storm commands.

Examples

Search for reports by a query string

Search for reports and yield the results:

> orkl.report.search graphiron --size 1 --yield
fileparser parsing sha256: ea10fd8c4838658ccc50af6dbaa08a84caf9cc3fe994213cc6f77810e8708240
WARNING: pdftotext library unavailable, cannot parse PDF for text content
media:news=e045ad39fedf2bda722fb9effa71630e
        .created = 2024/05/07 20:04:40.790
        :ext:id = 2715ceef-a68f-46e2-80e4-ea1bdb5ee039
        :file = sha256:ea10fd8c4838658ccc50af6dbaa08a84caf9cc3fe994213cc6f77810e8708240
        :published = 2023/03/04 02:06:34.540
        :publisher:name = orkl
        :summary = Graphiron: New Russian Information Stealing Malware Deployed Against
                   Ukraine
                   symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer

                   Russia-linked Nodaria group has deployed a new threat designed to steal a wide range
                   of information from infected computers.
                   The Nodaria espionage group (aka UAC-0056) is using a new piece of information stealing malware against targets in
                   Ukraine. The malware (Infostealer.Graphiron) is written in Go and is designed to harvest a wide range of information
                   from the infected computer, including system information, credentials, screenshots, and files.
                   The earliest evidence of Graphiron dates from October 2022. It continued to be used until at least mid-January 2023
                   and it is reasonable to assume that it remains part of the Nodaria toolkit.

                   Graphiron functionality
                   Graphiron is a two-stage threat consisting of a downloader (Downloader.Graphiron) and a payload
                   (Infostealer.Graphiron).
                   The downloader contains hardcoded command-and-control (C&C) server addresses. When executed, it will check
                   against a blacklist of malware analysis tools by checking for running processes with the names listed in Table 1.
                   Process names
                   BurpSuite, BurpSuiteFree, CFF Explorer, Charles, DumpIt, Fiddler, HTTPDebuggerSVC, HTTPDebuggerUI,
                   HookExplorer, Immunity, ImportREC, LordPE, MegaDumper, NetworkMiner, PEToolW, Proxifier, RAMMap,
                   RAMMap64, ResourceHacker, SysInspector, WSockExpert, WinDump, Wireshar, agent.py, autoruns, autoruns,
                   dbgview, disassembly, dumpcap, filemon, httpdebugger, httpsMon, ida,idag, idag64, idaq, idaq64, idau, idau64,
                   idaw, idaw64, joeboxcontrol, joeboxserver, mitmdump, mitmweb, ollydbg, pestudio, proc_analyzer, processhacker,
                   procexp, procexp64, procmon, procmon64, protection_id, pslist, reconstructor, regmon, reshacker, rpcapd, scylla,
                   scylla_64, scylla_86, smsniff, sniff_hit, tcpvcon, tcpview, tshark, vmmat, windbg, x32dbg, x64dbg, x96dbg
                   Table 1: Graphiron checks against a blacklist of malware analysis tools by checking for running processes with
                   specific names
                   If no blacklisted processes are found, it will connect to a C&C server and download and decrypt the payload before
                   adding it to autorun.
                   The downloader is configured to run just once. If it fails to download and install the payload it won’t make further
                   attempts nor send a heartbeat.
                   Graphiron uses AES encryption with hardcoded keys. It creates temporary files with the ".lock" and ".trash"
                   extensions. It uses hardcoded file names designed to masquerade as Microsoft office executables: OfficeTemplate.exe
                   and MicrosoftOfficeDashboard.exe
                   The payload is capable of carrying out the following tasks:
                   Reads MachineGuid
                   Obtains the IP address from https://checkip.amazonaws.com
                   Retrieves the hostname, system info, and user info
                   Steals data from Firefox and Thunderbird
                   Steals private keys from MobaXTerm.
                   Steals SSH known hosts
                   Steals data from PuTTY

                   1/3

                   Steals stored passwords
                   Takes screenshots
                   Creates a directory
                   Lists a directory
                   Runs a shell command
                   Steals an arbitrary file
                   Password theft is carried out using the following PowerShell command:
                   [void]
                   [Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime];$vault
                   = New-Object Windows.Security.Credentials.PasswordVault;$vault.RetrieveAll() | % { $_.RetrievePassw
                   ord();$_} | Select UserName, Resource, Password | Format-Table –HideTableHeaders
                   The following command was used to export the list of PuTTY sessions:
                   "CSIDL_SYSTEM\reg.exe" query HKCU\Software\SimonTatham\Putty\Sessions

                   Similarity to older tools
                   Graphiron has some similarities with older Nodaria tools such as GraphSteel and GrimPlant. GraphSteel is designed
                   to exfiltrate files along with system information and credentials stolen from the password vault using PowerShell.
                   Graphiron has similar functionality but can exfiltrate much more, such as screenshots and SSH keys.
                   In addition to this, as with earlier malware, Graphiron communicates with the C&C server using port 443 and
                   communications are encrypted using the AES cipher.

                   Malware

                   Go
                   version

                   Internal
                   name

                   Obfuscation

                   Libraries used

                   Infostealer.Graphiron

                   1.18

                   n/a

                   yes

                   jcmturner/aescts, buger/jsonparser, golang/protobuf,
                   kbinani/screenshot, lxn/win, mattn/go-sqlite,
                   tidwall/gjson, anmitsu/go-shlex

                   Downloader.Graphiron

                   1.18

                   n/a

                   yes

                   jcmturner/aescts

                   GraphSteel

                   1.16

                   Elephant

                   no

                   buger/jsonparser, aglyzov/charmap,
                   denisbrodbeck/machineid, gorilla/websocket,
                   jcmturner/aescts, matn/go-sqlite, tidwall/gjson

                   GrimPlant

                   1.16

                   Elephant

                   no

                   jcmturner/aescts, denisbrodbeck/machineid,
                   golang/protobuf, kbinani/screenshot, lxn/win,
                   anmitsu/go-shlex

                   Table 2: Comparison between Graphiron and older Nodaria tools (GraphSteel and GrimPlant)

                   Nodaria
                   Nodaria has been active since at least March 2021 and appears to be mainly involved in targeting organizations in
                   Ukraine. There is also limited evidence to suggest that the group has been involved in attacks on targets in Kyrgyzstan.
                   Third-party reporting has also linked the group to attacks on Georgia.
                   The group sprang to public attention when it was linked to the WhisperGate wiper attacks that hit multiple Ukrainian
                   government computers and websites in January 2022. When WhisperGate was initially loaded onto a system, the
                   malware would overwrite the portion of the hard drive responsible for launching the operating system when the
                   machine is booted up with a ransom note demanding $10,000 in Bitcoin. However, this was just a decoy as the
                   WhisperGate malware destroys data on an infected machine and it cannot be recovered, even if a ransom is paid.
                   2/3

                   The group’s usual infection vector is spear-phishing emails, which are then used to deliver a range of payloads to
                   targets. Custom tools used by the group to date include:
                   Elephant Dropper: A dropper
                   Elephant Downloader: A downloader
                   SaintBot: A downloader
                   OutSteel: Information stealer
                   GrimPlant (aka Elephant Implant): Collects system information and maintains persistence
                   GraphSteel (aka Elephant Client): Information stealer
                   Like Graphiron, many of Nodaria’s earlier tools were written in Go. Graphiron appears to be the latest piece of
                   malware authored by the same developers, likely in response to a need for additional functionality. While GraphSteel
                   and GrimPlant used Go version 1.16, Graphiron uses version 1.18, confirming it is a more recent development.
                   While Nodaria was relatively unknown prior to the Russian invasion of Ukraine, the group’s high-level activity over
                   the past year suggests that it is now one of the key players in Russia’s ongoing cyber campaigns against Ukraine.

                   Protection/Mitigation
                   For the latest protection updates, please visit the Symantec Protection Bulletin.

                   Indicators of Compromise
                   If an IOC is malicious and the file available to us, Symantec Endpoint products will detect and block that file.
                   SHA-256:
                   0d0a675516f1ff9247f74df31e90f06b0fea160953e5e3bada5d1c8304cfbe63 — Downloader.Graphiron
                   878450da2e44f5c89ce1af91479b9a9491fe45211fee312354dfe69e967622db — Downloader.Graphiron
                   80e6a9079deffd6837363709f230f6ab3b2fe80af5ad30e46f6470a0c73e75a7 — Infostealer.Graphiron
                   eee1d29a425231d981efbc25b6d87fdb9ca9c0e4e3eb393472d5967f7649a1e6 — Infostealer.Graphiron
                   f0fd55b743a2e8f995820884e6e684f1150e7a6369712afe9edb57ffd09ad4c1 — Infostealer.Graphiron
                   f86db0c0880bb81dbfe5ea0b087c2d17fab7b8eefb6841d15916ae9442dd0cce — Infostealer.Graphiron
                   Network:
                   208.67.104[.]95 — C&C server

                   3/3
        :title = graphiron: new russian information stealing malware deployed against ukraine
        :updated = 2023/03/10 02:19:32.582
        :url = https://orkl.eu/libraryEntry/2715ceef-a68f-46e2-80e4-ea1bdb5ee039
        :url:fqdn = orkl.eu
        #rep.orkl.3p.aptnotes
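Once reports have been ingested, the nodes can be worked with from the Cortex without calling the API again. The following Storm is an added example, not from the original guide; it assumes the property and tag layout shown in the output above (`:publisher:name`, `:published`, `:file`, and the `#rep.orkl` tag tree):

```storm
// Lift ORKL reports already in the Cortex that were published during 2023
// and pivot from each report to the file:bytes node holding the PDF
media:news#rep.orkl +:publisher:name=orkl +:published>=2023 +:published<2024
| :file -> file:bytes

// Same starting set, but walk the refs edges to the threat groups named in
// the reports, then back to every report that mentions each group, to find
// additional reporting on the same actor
media:news#rep.orkl +:publisher:name=orkl +:published>=2023 +:published<2024
-(refs)> risk:threat <(refs)- media:news | uniq
```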

Pivot to referenced threat actors and tools

> it:exec:query:text=graphiron -(found)> media:news -(refs)> risk:threat tee { } { -(uses)> risk:tool:software }
risk:threat=e80bfad1a7e2f68ff54933c4a9d41969
        .created = 2024/05/07 20:04:42.955
        :org:name = saintbear
        :org:names = ['frozenvista', 'nascent ursa', 'nodaria', 'ta471', 'uac-0056', 'unc2589']
        :reporter = 7ac03807fc31f6741f3490ec44f7c03b
        :reporter:name = mispgalaxy
risk:threat=de795c8ce5565246b5d721fab4f6f9f9
        .created = 2024/05/07 20:04:41.182
        :org:name = saintbear
        :org:names = ['ember bear', 'lorec53', 'nodaria', 'saintbear', 'ta471', 'uac-0056', 'unc2589']
        :reporter = c40557e1ba6bef185ded544fe46b46aa
        :reporter:name = etda
risk:tool:software=1049a9be3fa5ef8b933ad554e0c74006
        .created = 2024/05/07 20:04:41.694
        :reporter = c40557e1ba6bef185ded544fe46b46aa
        :reporter:name = etda
        :soft:name = elephant implant
risk:tool:software=f6752f00466d19659d22e0d075397489
        .created = 2024/05/07 20:04:41.998
        :reporter = c40557e1ba6bef185ded544fe46b46aa
        :reporter:name = etda
        :soft:name = grimplant
risk:tool:software=f270f557c25683d16cce19fd8ce898cf
        .created = 2024/05/07 20:04:41.295
        :reporter = c40557e1ba6bef185ded544fe46b46aa
        :reporter:name = etda
        :soft:name = agentemis
risk:tool:software=0c44a5eed65c8fc6fe0021847c14bb53
        .created = 2024/05/07 20:04:42.099
        :reporter = c40557e1ba6bef185ded544fe46b46aa
        :reporter:name = etda
        :soft:name = outsteel
risk:tool:software=aad83d8886a43a19b080e2ceb1dca55e
        .created = 2024/05/07 20:04:41.898
        :reporter = c40557e1ba6bef185ded544fe46b46aa
        :reporter:name = etda
        :soft:name = graphiron
risk:tool:software=86ed72e056925c30b7259ca41de8ad46
        .created = 2024/05/07 20:04:41.496
        :reporter = c40557e1ba6bef185ded544fe46b46aa
        :reporter:name = etda
        :soft:name = cobaltstrike
risk:tool:software=b04e7fd2578b41b61729e4d7c2a9c4e5
        .created = 2024/05/07 20:04:41.396
        :reporter = c40557e1ba6bef185ded544fe46b46aa
        :reporter:name = etda
        :soft:name = cobalt strike
risk:tool:software=13e6e238c95fe82412eb1a5c37175438
        .created = 2024/05/07 20:04:41.595
        :reporter = c40557e1ba6bef185ded544fe46b46aa
        :reporter:name = etda
        :soft:name = elephant client
risk:tool:software=6728c8a8a781f183aae4a38efebddf38
        .created = 2024/05/07 20:04:42.401
        :reporter = c40557e1ba6bef185ded544fe46b46aa
        :reporter:name = etda
        :soft:name = cobeacon
risk:tool:software=3cd7e36f3de8558852edd7f5dad40a0e
        .created = 2024/05/07 20:04:41.794
        :reporter = c40557e1ba6bef185ded544fe46b46aa
        :reporter:name = etda
        :soft:name = graphsteel
risk:tool:software=c8adc8d1195c936b374a6cc7f35d7c33
        .created = 2024/05/07 20:04:42.300
        :reporter = c40557e1ba6bef185ded544fe46b46aa
        :reporter:name = etda
        :soft:name = saintbot
risk:tool:software=004be6861434653776b016212a61c3c8
        .created = 2024/05/07 20:04:42.199
        :reporter = c40557e1ba6bef185ded544fe46b46aa
        :reporter:name = etda
        :soft:name = saint bot
risk:threat=c65979ba60576929f54a8a603f69e13a
        .created = 2024/05/07 20:04:42.521
        :org:name = ember bear
        :org:names = ['bleeding bear', 'ember bear', 'lorec bear', 'lorec53', 'saint bear', 'uac-0056', 'unc2589']
        :reporter = fa0e470ba9852ccbef6477e9663394f9
        :reporter:name = mitre
risk:tool:software=1378caad4f754d3ca0c4e416b2cb77c5
        .created = 2024/05/07 20:04:42.633
        :reporter = fa0e470ba9852ccbef6477e9663394f9
        :reporter:name = mitre
        :soft:name = outsteel
risk:tool:software=dddc2749c73cbbea998e35258cbf958e
        .created = 2024/05/07 20:04:42.836
        :reporter = fa0e470ba9852ccbef6477e9663394f9
        :reporter:name = mitre
        :soft:name = whispergate
risk:tool:software=316f184574a4366e3bd0489f53561557
        .created = 2024/05/07 20:04:42.736
        :reporter = fa0e470ba9852ccbef6477e9663394f9
        :reporter:name = mitre
        :soft:name = saint bot

Create a cron job to ingest the report feed

> cron.add --name orkl.report.feed --hour 3 { orkl.report.feed }
Created cron job: 564816be2d87ba72616913df9b1a915b

Use of meta:source nodes

Synapse-ORKL uses a meta:source node and -(seen)> lightweight edges to track nodes observed from the ORKL API.

> meta:source=c80b79d58c39c3ba357145fab5331f65
meta:source=c80b79d58c39c3ba357145fab5331f65
        .created = 2024/05/07 20:04:40.647
        :name = orkl api

Storm filters can include or exclude nodes based on whether Synapse-ORKL has observed them. The following example shows how to filter the results of a query to include only nodes observed by Synapse-ORKL:

> it:exec:query:text=graphiron +{ <(seen)- meta:source=c80b79d58c39c3ba357145fab5331f65 }
it:exec:query=6976f18bd543c6b2205087062829f16b
        .created = 2024/05/07 20:04:40.761
        :api:url = https://orkl.eu/api/v1/library/search
        :opts = {'full': True}
        :text = graphiron
        :time = 2024/05/07 20:04:40.744
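The same edge can be used in the other direction. The following Storm is an added example, not from the original guide; it assumes the meta:source iden shown above and the `seen` edge verb the guide describes:

```storm
// Exclude: keep only the query nodes that Synapse-ORKL has NOT observed
it:exec:query:text=graphiron -{ <(seen)- meta:source=c80b79d58c39c3ba357145fab5331f65 }

// Inventory: walk every seen edge out of the ORKL meta:source node to any
// form, dedupe, and count how many nodes the power-up has observed in total
meta:source=c80b79d58c39c3ba357145fab5331f65 -(seen)> * | uniq | count

// Restrict the walk to reports only, and keep those whose PDF is present
meta:source=c80b79d58c39c3ba357145fab5331f65 -(seen)> media:news +:file
```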