USB Drives Used as Trojan Horses By Camaro Dragon

A new version of Chinese espionage malware has been observed spreading rapidly via infected USB drives.

The malicious software tool was discovered by Check Point Research (CPR) as part of an attack on European healthcare facilities and was described in an advisory published Thursday.

The Check Point Incident Response Team (CPIRT) investigated this malware attack and found it to be perpetrated by Camaro Dragon, a China-based espionage threat actor also known as Mustang Panda and LuminousMoth.


While the threat actor has traditionally focused on Southeast Asian nations, the incident highlights their global influence, CPR said.

Initial access was obtained through an infected USB drive. An employee attending a conference in Asia reportedly used a USB drive to share a presentation with a colleague, and the drive was infected in the process.

When the employee returned to the European healthcare facility, the infected USB drive introduced the malware into the hospital's environment, from where it spread to other computer systems.

This malware belongs to a toolset labeled 'SSE' that was described in a late 2022 Avast report. The infection chain begins when the victim launches a malicious Delphi launcher stored on the infected USB flash drive; the launcher unpacks the main backdoor, which in turn infects other removable drives as they are connected.

One of the main variants of this malware, WispRider, is particularly capable. It spreads via USB drives using the HopperTick launcher and carries additional features, including a bypass for SmadAV, an antivirus product popular in Southeast Asia.

The malware also relies on DLL sideloading, abusing legitimate components from a security software vendor and from two major gaming companies to evade detection.

“The impact of a successful infection is two-fold: the malware not only establishes a backdoor on the compromised machine, but also spreads to newly attached removable drives,” CPR warned.

“Not only does this approach allow infiltration into potentially isolated systems, it also grants and maintains access to a vast number of entities, including those that are not the primary target.”
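The propagation pattern above (a launcher placed on the drive, a backdoor that copies itself onto newly attached removable media) is what an incident responder has to look for on every drive a returning employee plugs in. The following is an added triage example, not code from the original article and not from Check Point's tooling: it walks a drive's root directory and flags generic USB-worm hallmarks (executables or shortcuts at the root, hidden directories, a launcher whose name mirrors a sibling folder or the volume label). These heuristics are assumptions of general USB-worm behaviour, not indicators published for WispRider or HopperTick, and the sample drive layout is constructed inline so the script runs offline.

```python
"""Triage the root of a removable drive for generic USB-worm hallmarks.

Assumed heuristics (not indicators published for WispRider/HopperTick):
  * executable or shortcut files sitting at the drive root
  * hidden directories at the drive root
  * a launcher whose base name mirrors a sibling folder or the volume label
"""
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path

# File types a user might double-click from a drive listing.
EXEC_SUFFIXES = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
FILE_ATTRIBUTE_HIDDEN = 0x2  # Win32 attribute bit


@dataclass
class Finding:
    path: str
    reason: str


def is_hidden(p: Path) -> bool:
    """Dot-prefixed name, or the Windows HIDDEN attribute where os.stat exposes it."""
    attrs = getattr(os.stat(p), "st_file_attributes", 0)
    return p.name.startswith(".") or bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def triage_drive(root: Path, volume_label: str = "") -> list[Finding]:
    """Return findings for suspicious entries directly under the drive root."""
    findings: list[Finding] = []
    entries = list(root.iterdir())
    dir_names = {e.name.lower() for e in entries if e.is_dir()}
    for e in entries:
        if e.is_dir():
            if is_hidden(e):
                findings.append(Finding(str(e), "hidden directory at drive root"))
            continue
        suffix = e.suffix.lower()
        if suffix not in EXEC_SUFFIXES:
            continue
        findings.append(Finding(str(e), f"executable/shortcut at drive root ({suffix})"))
        stem = e.stem.lower()
        # A launcher named after a folder or the drive itself is the classic
        # lure: the user thinks they are opening their own files.
        if stem in dir_names or (volume_label and stem == volume_label.lower()):
            findings.append(Finding(str(e), "launcher name mirrors a folder or the volume label"))
    return findings


def build_sample_drive(infected: bool = True) -> Path:
    """Constructed sample: a drive holding a presentation folder, optionally
    with a lure launcher and a hidden payload directory alongside it."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "Conference slides").mkdir()
    (root / "Conference slides" / "talk.pptx").write_bytes(b"placeholder")
    (root / "notes.pdf").write_bytes(b"placeholder")
    if infected:
        (root / "Conference slides.exe").write_bytes(b"MZ placeholder launcher")
        (root / ".data").mkdir()
        (root / ".data" / "backdoor.bin").write_bytes(b"placeholder")
    return root


if __name__ == "__main__":
    for label, drive in (("infected", build_sample_drive()),
                         ("clean", build_sample_drive(infected=False))):
        print(f"[{label}] {drive}")
        for f in triage_drive(drive, volume_label="KINGSTON"):
            print(f"  {f.reason}: {f.path}")
```

Run it against a mounted drive by passing the mount point to `triage_drive`; on a real engagement the findings are a starting point for hashing and sandboxing the flagged files, not a verdict.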

The new CPR advisory comes weeks after the company described another attack vector that is also attributed to Camaro Dragon.
