A Chinese-speaking threat actor has created a new malware aimed at stealing information from air-gapped networks, according to a latest report from Kaspersky.

The hacker group in question is Cycldek APT (a.k.a. Goblin Panda, APT 27 and Conimes) that has been targeting governments in Southeast Asia since 2013 using an extensive toolset for lateral movement and information stealing consisting of custom malware, as well as living-off-the-land techniques.

“One of the newly revealed tools is named USBCulprit and has been found to rely on USB media in order to exfiltrate victim data. This may suggest Cycldek is trying to reach air-gapped networks in victim environments or relies on physical presence for the same purpose,” the researchers wrote.

Over the past two years Cycldek has been busy targeting government entities across several Southeast Asian countries, namely Vietnam, Thailand and Laos, using a variety of tools, such as Royal Road builder, the NewCore RAT malware and other previously unknown implants.

During the analysis of the NewCore malware the researchers uncovered two different variants (named BlueCore and RedCore) centered around two clusters of activity. Both variants were deployed as side-loaded DLLs and shared multiple similarities in code and behavior. However, the RedCore variant contained some exclusive features, namely a keylogger, a device enumerator, a proxy server, and an RDP logger that captures details about users connected to a system via RDP.

“By comparing code in both implants, we can find multiple functions that originate from the PCShare RAT; however, several others are proprietary and demonstrate identical code that may have been written by a shared developer,” the researchers said.

“Each cluster of activity had a different geographical focus. The operators behind the BlueCore cluster invested most of their efforts on Vietnamese targets with several outliers in Laos and Thailand, while the operators of the RedCore cluster started out with a focus on Vietnam and diverted to Laos by the end of 2018, ” the report said.

As for USBCulrpit, this tool is downloaded by RedCore implants and is capable of scanning various paths in victim machines, collecting documents with particular extensions and passing them on to USB drives when they are connected to the system. It can also selectively copy itself to a removable drive in the presence of a particular file, suggesting it can be spread laterally by having designated drives infected and the executable in them opened manually.

The USBCulrpit malware has been circulating in the wild since 2014, with the latest samples spotted at the end of last year.

The initial infection mechanism involves malicious binaries masquerading as legitimate antivirus components loading USBCulprit using technique called DLL search order hijacking. The malware then collects the relevant information, saves it in the form of an encrypted RAR archive, and exfiltrate the data to a connected removable device.

“Cycldek is an example of an actor that has broader capability than publicly perceived. While most known descriptions of its activity give the impression of a marginal group with sub-par capabilities, the range of tools and timespan of operations show that the group has an extensive foothold inside the networks of high-profile targets in Southeast Asia,” Kaspersky concluded.