Malware Uses USBs to Help Steal Data: Report
Kaspersky: USBCulprit Malware Used Against Targets in Southeast Asia
A hacking group is deploying a new malware strain dubbed USBCulprit that uses USBs and other storage devices to assist in stealing data, according to research from the security firm Kaspersky.
This custom-built malware appears to have been developed by an advanced persistent threat group known as Cycldek, which has been active since 2013 and has mainly targeted defense, energy and government organizations in parts of Southeast Asia, especially Vietnam, according to Kaspersky.
While USBCulprit appears to be delivered through phishing emails, once the malicious code is installed on an air-gapped device it can copy data from that device to portable storage, such as a USB drive, for exfiltration.
"It is capable of copying itself to any newly connected removable storage," Giampaolo Dedola and Mark Lechtik, security researchers at Kaspersky, tell Information Security Media Group. "That storage - typically a USB - would need to be physically connected to another machine and the malware in it manually executed to spread onward."
While most of the attacks Kaspersky traced to USBCulprit date back to 2018, the malware is still believed to be active in the wild, according to the report. It's not known how many organizations it has targeted or whether any of these attacks resulted in data theft.
"We can only confirm that the group targeted diplomatic entities and government institutions located in Southeast Asian countries," Dedola and Lechtik note. "The malware itself doesn’t distinguish between stolen files based on content but only their extension. Therefore, we are only left to speculate on the nature of documents retrieved from the victims."
The attacks that Kaspersky tracked start with politically themed phishing emails that contain malicious documents in rich text format. The malware used in the initial phase of these attacks takes advantage of several vulnerabilities in Microsoft Office to infect a targeted device, according to the report.
Once a device is infected, the initial malware deploys a remote access Trojan, or RAT, called NewCore, according to the report. The NewCore RAT comes in two variants called BlueCore and RedCore, which behave in similar ways and use the same infrastructure but are deployed against different targets and are overseen by separate hacking groups within the Cycldek organization, according to Kaspersky.
"The operators behind the BlueCore cluster invested most of their efforts on Vietnamese targets with several outliers in Laos and Thailand, while the operators of the RedCore cluster started out with a focus on Vietnam and diverted to Laos by the end of 2018," according to the report.
BlueCore and RedCore are designed to deploy USBCulprit as the final payload within an infected device, according to the report.
While USBCulprit was only recently discovered and analyzed by Kaspersky, the malicious code dates to 2014 and has slowly changed over the last several years, according to Dedola and Lechtik. One of the biggest changes is that once it's deployed within an infected device, USBCulprit now runs in the system memory and not on a hard drive, the analysts note.
"The malware didn't change much through the years. The most notable modifications were in the way it is loaded and executed, whereby the newer versions would have USBCulprit's payload exposed only in memory after decryption and not on disk, as was done in earlier versions," Dedola and Lechtik tell ISMG.
USBCulprit scans an infected device and runs reconnaissance looking for specific files to copy and exfiltrate. It also has the ability to move laterally through the device, but the malware will wait for the presence of a removable storage device, such as a USB key, before copying and removing files, according to Kaspersky.
"When bootstrapping and data collection is completed, the malware attempts to intercept the connection of new media and verify that it corresponds to a removable drive. This is achieved by running an infinite loop, whereby the malware is put to sleep and wakes at constant intervals to check all connected drives," according to the report.
Because USBCulprit waits until it detects a USB key or another removable device, these attacks likely rely on a human operator who gains access to the air-gapped devices, attaches the USB or other storage device and then removes it, according to Kaspersky.
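To give defenders something concrete to watch for on an isolated host, here is an added detection example, not code from the Kaspersky report or from this article: it correlates removable-volume mount events with a burst of document writes to that volume shortly afterwards, the staging pattern described above. The log format, the volume letters and the set of document extensions are assumptions, since the report only says files are selected by extension.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
# Constructed sample host log (not from the report): E: is a removable volume
# that receives a burst of document writes right after mounting; D: is fixed.
SAMPLE_LOG = """\
2020-06-04T09:12:01 MOUNT volume=E: type=removable
2020-06-04T09:12:05 WRITE path=E:\\sync\\report.docx
2020-06-04T09:12:06 WRITE path=E:\\sync\\budget.xlsx
2020-06-04T09:12:06 WRITE path=E:\\sync\\memo.pdf
2020-06-04T09:12:07 WRITE path=E:\\sync\\plan.doc
2020-06-04T09:12:08 WRITE path=E:\\sync\\notes.txt
2020-06-04T09:40:00 MOUNT volume=D: type=fixed
2020-06-04T09:40:02 WRITE path=D:\\temp\\a.docx
2020-06-04T09:40:03 WRITE path=D:\\temp\\b.docx
"""
# Assumed extensions of interest; the report does not list which ones the malware takes.
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}
WINDOW = timedelta(seconds=60)  # writes this soon after mounting are suspicious
THRESHOLD = 4                   # document writes in the window before alerting
LINE_RE = re.compile(r"^(\S+) (MOUNT|WRITE) (.*)$")

def parse_line(line):
    """Return (timestamp, event kind, key=value fields), or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(3).split())
    return datetime.fromisoformat(m.group(1)), m.group(2), fields

def detect_staging(log_text, window=WINDOW, threshold=THRESHOLD):
    """Alert on removable volumes receiving >= threshold document writes within window of mounting."""
    mounted_at, doc_writes = {}, {}  # keyed by removable volume letter, e.g. "E:"
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, kind, f = rec
        if kind == "MOUNT":
            if f.get("type") == "removable":  # fixed disks are never tracked
                vol = f["volume"].upper()
                mounted_at[vol], doc_writes[vol] = ts, 0
            continue
        vol = f["path"][:2].upper()
        if (vol in mounted_at and ts - mounted_at[vol] <= window
                and PureWindowsPath(f["path"]).suffix.lower() in DOC_EXTENSIONS):
            doc_writes[vol] += 1
    return [{"volume": v, "mounted_at": mounted_at[v].isoformat(), "doc_writes": n}
            for v, n in doc_writes.items() if n >= threshold]
```

On the sample log the E: volume is flagged with four document writes (the .txt write is ignored) while the fixed D: disk is not tracked at all.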
The Cycldek hacking group, which is also known as Goblin Panda, APT 27 and Conimes, appears to be Chinese speaking and primarily interested in organizations in Southeast Asia, according to Kaspersky and security firm CrowdStrike, which has also tracked the group's activities.
While primarily interested in Vietnam, Cycldek is also known to target organizations in Thailand and Laos, according to Kaspersky and CrowdStrike.
Other security researchers have found malware that can penetrate air-gapped devices and networks.
For example, in May, the security firm ESET disclosed details about new malware called Ramsay that’s capable of infiltrating air-gapped networks to steal documents, take screenshots and compromise other devices (see: Cyber-Espionage Malware Targets Air-Gapped Networks: Report).
Managing Editor Scott Ferguson contributed to this report.