Cyber Spies Use USB Devices to Infect Targets


Mandiant specialists describe an unusual malware campaign against targets in Southeast Asia, in which cyber spies use USB devices as the initial penetration vector.

The researchers write that they attribute the discovered incidents to a group tracked under the code name UNC4191, which is presumably associated with China.

Let me remind you that we also wrote about the Ramsay malware, which attacks PCs that are isolated from the outside world.

A number of public and private sector organizations are known to have been affected by the attacks, primarily in Southeast Asia, but also in the United States, Europe, and the Asia-Pacific region. Above all, however, the attackers concentrate on the Philippines.

“Even when the target organizations were based elsewhere, certain systems targeted by UNC4191 were also physically located in the Philippines,” the researchers write.

The experts do not specify how exactly the infected USB devices ended up in the hands of the victims. Needless to say, there are many options here. For example, at the beginning of this year, the FBI warned that hackers were simply mailing out malicious USB devices, counting on the curiosity of employees at the victim companies. In this way, they seek to infect the organizations’ systems and gain a foothold for further attacks. In addition, the good old trick of scattering flash drives in parking lots still works.

We also wrote that attackers subjected an American company to a rare attack via BadUSB.

After initially infecting systems via a USB device, the hackers use legitimately signed binaries to load malware onto the victims’ computers. In the course of the investigation, the experts identified three new malware families, which were given the names MISTCLOAK, DARKDEW and BLUEHAZE.

This malware opens a reverse shell on the victim’s system, essentially providing the hackers with a backdoor. The malware then propagates on its own, infecting any new removable drives connected to compromised machines, which allows it to reach even systems isolated from external networks and equipment.

“Given the worm-like nature of this malware, we were only able to detect the later stages of the spread of this threat,” the researchers acknowledge.

The company concluded that it had uncovered the operation of a Chinese hack group whose purpose is to obtain and maintain access to public and private organizations, “in order to collect intelligence related to the political and commercial interests of the PRC.”

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He's available 24/7 to assist you with any question regarding internet security.
