Camaro Dragon Hackers Strike with USB-Driven Self-Propagating Malware

June 22, 2023 | Ravi Lakshmanan | Cyber Threat / Malware

The Chinese cyber espionage actor known as Camaro Dragon has been observed using a new strain of self-propagating malware that spreads via compromised USB drives.

“Historically, their main focus has been Southeast Asian countries, but this latest discovery reveals their global reach and highlights the alarming role USB drives play in spreading malware,” Check Point said in a new report shared with The Hacker News.

The cybersecurity firm, which found evidence of USB malware infections in Myanmar, South Korea, the U.K., India and Russia, said the findings stem from a cyber incident it investigated at an unnamed European hospital in early 2023.

The investigation revealed that this entity was not directly targeted by the adversary, but was compromised via an employee’s USB drive, which had become infected when it was connected to a colleague’s computer at a conference in Asia.

“As a result, when an employee returned to a medical facility in Europe, he accidentally brought an infected USB drive, which spread the infection to the hospital’s computer systems,” the company said.

Camaro Dragon shares tactical similarities with activity clusters tracked as Mustang Panda and LuminousMoth, and the adversarial crew has recently been linked to a Go-based backdoor called TinyNote and a malicious router firmware implant called HorseShell.

The latest infection chain consists of a Delphi launcher known as HopperTick, which propagates via USB drives, and its main payload, called WispRider, which is responsible for infecting devices connected to the machine.

“When a benign USB thumb drive is inserted into an infected computer, the malware detects new devices inserted into the PC and manipulates their files, creating several hidden folders at the root of the thumb drive.” said a Check Point researcher.
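The behaviour described above, hidden folders planted at the root of a freshly inserted thumb drive, is something a defender can check for directly. The script below is an added example written for this page, not code from Check Point or from the article; it scans the root of a drive (or any directory path passed on the command line) for hidden directories and reports them. The folder names `.stage` and `.sysdata` in the constructed sample layout are placeholders for illustration, not the names the malware actually uses.

```python
import os
import stat
import sys
import tempfile
from pathlib import Path


def is_hidden(entry: os.DirEntry) -> bool:
    """Return True if a directory entry is hidden on this platform.

    Windows marks hidden items with FILE_ATTRIBUTE_HIDDEN; Unix-like
    systems hide dot-prefixed names. Both checks are applied so the
    result is the same for a drive that moves between hosts.
    """
    if entry.name.startswith("."):
        return True
    if sys.platform == "win32":
        attrs = entry.stat(follow_symlinks=False).st_file_attributes
        return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    return False


def find_hidden_root_dirs(drive_root) -> list[str]:
    """List hidden directories sitting directly at the root of a drive.

    Ordinary user drives rarely carry hidden folders at the root, so any
    hit is worth a closer look: contents, timestamps, and whether the
    drive's owner created it.
    """
    root = Path(drive_root)
    hits = []
    with os.scandir(root) as it:
        for entry in it:
            if entry.is_dir(follow_symlinks=False) and is_hidden(entry):
                hits.append(entry.name)
    return sorted(hits)


def build_sample_drive() -> str:
    """Create a constructed sample 'drive' layout in a temp directory.

    Mimics the pattern described in the article: a normal user folder
    plus hidden folders at the root. Names are placeholders, not real IoCs.
    """
    root = tempfile.mkdtemp(prefix="usb_sample_")
    (Path(root) / "Documents").mkdir()
    (Path(root) / ".stage").mkdir()
    (Path(root) / ".sysdata").mkdir()
    (Path(root) / "readme.txt").write_text("constructed sample file\n")
    return root


if __name__ == "__main__":
    # Usage: python usb_hidden_check.py E:\  (or /media/usb on Linux)
    # With no argument, the constructed sample layout is scanned instead.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_drive()
    found = find_hidden_root_dirs(target)
    if found:
        print(f"[!] hidden directories at root of {target}: {found}")
    else:
        print(f"[ok] no hidden directories at root of {target}")
```

Run it against a mounted drive letter or mount point to triage a suspect stick before opening anything on it; a hit is a reason to image the drive and review the folder contents from an isolated machine rather than a proof of infection on its own.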

In addition to infecting the current host if it is not already infected, WispRider is responsible for communicating with remote servers, compromising newly attached USB devices, executing arbitrary commands, and performing file operations.

Some variants of WispRider also function as backdoors, with the ability to bypass an Indonesian antivirus solution called Smadav, and rely on DLL side-loading using components of security software such as G-DATA Total Security.

Another post-exploitation payload delivered with WispRider is a stealer module called Disk Monitor (HPCustPartUI.dll), which collects files with predefined extensions (docx, mp3, wav, m4a, wma, aac, cda, mid) for exfiltration.

This is not the first time Chinese threat actors have been observed utilizing USB devices as an infection vector to reach environments well beyond the threat actor’s primary interest.

In November 2022, Google-owned Mandiant identified UNC4191, a threat actor suspected of having ties to China, as being behind a series of espionage attacks in the Philippines that led to the distribution of malware such as MISTCLOAK, DARKDEW, and BLUEHAZE.

A subsequent report published by Trend Micro in March 2023 revealed an overlap between UNC4191 and Mustang Panda, and linked the latter to the use of MISTCLOAK and BLUEHAZE in spear phishing campaigns targeting Southeast Asian countries.

This development is a sign that attackers are aggressively altering their tools, tactics, and procedures (TTPs) to bypass security solutions, while at the same time relying on a vast collection of custom tools to exfiltrate sensitive data from victim networks.

“The Camaro Dragon APT group continues to use USB devices as a method of infecting target systems, effectively combining this technique with other established tactics,” the researchers said.
