Researchers have uncovered a new malware strain that the Camaro Dragon group uses to propagate via USB drives. According to the reports, the malware shares many capabilities with the tooling used by China-based threat groups such as LuminousMoth and Mustang Panda. Moreover, the malware can also affect networked storage devices.
Earlier this year, an investigation into an attack against a European healthcare firm found that the firm had not been deliberately targeted; the compromise was an unintended side effect of self-propagating malware from the Camaro Dragon threat group that spreads via USB drives.
A separate research group spotted several updated versions of the malware kit, including HopperTick and WispRider, which display similar capabilities for propagating via flash drives. These incidents have caused many unintended infections on numerous devices.
Researchers also associate other tools, such as the Go-based backdoor TinyNote and HorseShell, with the same group that developed the new self-propagating malware. Recent reports noted that these tools share infrastructure and operational objectives, which further supports attributing them to the same threat actor.
Running a malicious file from a USB flash drive starts the Camaro Dragon group’s infection chain.
Cybersecurity researchers explained that the Camaro Dragon infection begins when an unsuspecting victim runs a malicious Delphi launcher carried on a malicious USB drive.
Once running on a machine, the malware also copies itself to other drives connected to that machine, including newly attached network drives. A single infected host can therefore carry the malware into other enterprise IT environments.
Lastly, the malware performs DLL sideloading using legitimate components from vendors such as G-DATA (Total Security), Riot Games and Electronic Arts.
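As an added defender-side illustration (not code from the report or from any of the researchers cited), the following Python flags the pattern described above in Sysmon-style ImageLoad (Event ID 7) records: a process started from a removable drive that loads an unsigned, or not validly signed, DLL from its own directory. The removable drive letters and the event records are constructed samples for this example.

```python
"""Flag DLL side-loading from removable media in Sysmon-style ImageLoad (Event 7) records.
Condition: a process whose image is on a removable drive loads a DLL from its own
directory, and that DLL is not validly signed. Drive letters and events are constructed."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

REMOVABLE_ROOTS = {"E:", "F:"}  # assumed; derive from Get-Volume / WMI on a real host


@dataclass(frozen=True)
class Finding:
    image: str
    dll: str
    reason: str


def _same_dir(a: PureWindowsPath, b: PureWindowsPath) -> bool:
    return str(a.parent).lower() == str(b.parent).lower()


def find_sideload_candidates(events: list[dict]) -> list[Finding]:
    """Return one Finding per suspicious (launcher, DLL) pair."""
    findings = []
    for ev in events:
        image = PureWindowsPath(ev["Image"])
        dll = PureWindowsPath(ev["ImageLoaded"])
        if image.drive.upper() not in REMOVABLE_ROOTS:
            continue  # only processes launched from USB media are in scope
        if dll.suffix.lower() != ".dll" or not _same_dir(image, dll):
            continue  # system DLLs loaded from C:\Windows are expected
        if str(ev.get("Signed", "false")).lower() != "true":
            findings.append(Finding(str(image), str(dll), "unsigned DLL beside launcher"))
        elif ev.get("SignatureStatus") != "Valid":
            findings.append(Finding(str(image), str(dll), "DLL signature not valid"))
    return findings


# Constructed sample telemetry (not real events): one side-load, two benign loads.
SAMPLE_EVENTS = [
    {"Image": r"E:\Docs\launcher.exe", "ImageLoaded": r"E:\Docs\helper.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"Image": r"E:\Docs\launcher.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Tool\tool.exe", "ImageLoaded": r"C:\Program Files\Tool\plugin.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for f in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"{f.reason}: {f.image} -> {f.dll}")
```

Only the first sample event is reported: the third event is the same side-load shape but from a fixed disk, which this rule deliberately leaves to a broader sideloading detection.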
The Camaro Dragon APT group continues to use USB devices to infect targeted systems. The attackers combine this with other well-established techniques, such as DLL sideloading and evading detection by AV solutions. Propagation across multiple devices significantly extends the attackers’ reach and impact on targeted entities.