30 November 2022

Chinese cyber spies using USB devices to breach targets in Southeast Asia

A newly identified cyber-espionage group focused on the Southeast Asian region is using novel self-replicating malware that is currently being spread via infected USB devices and could potentially collect information from air-gapped systems.

Tracked under the temporary moniker UNC4191, the group, believed to be operating out of China, has been observed targeting public and private sector entities in Southeast Asia, Asia-Pacific, Europe, and the US, with a focus on the Philippines. According to Google-owned Mandiant, the discovered artifacts suggest that the campaign has been ongoing since September 2021.

As part of the malicious campaigns the threat actor used malware families such as the MistCloak launcher, the DarkDew dropper, and the BlueHaze launcher. MistCloak was used to gain initial access to the victim network via an infected USB device and then served as the loader for the DarkDew and BlueHaze Windows trojans, with the latter acting as a backdoor for the group and allowing MistCloak to spread to other removable USB devices connected to the compromised network.

“The malware self-replicates by infecting new removable drives that are plugged into a compromised system, allowing the malicious payloads to propagate to additional systems and potentially collect data from air-gapped systems,” Mandiant wrote in a technical report.

“We believe this activity showcases Chinese operations to gain and maintain access to public and private entities for the purposes of intelligence collection related to China’s political and commercial interests. Our observations suggest that entities in the Philippines are the main target of this operation based on the number of affected systems located in this country that were identified by Mandiant,” the researchers added.
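The article gives no file names, paths or hashes for MistCloak, DarkDew or BlueHaze, so nothing here is a signature for them. What a defender can do today is triage removable media for the generic layout that USB-propagating malware of this kind tends to leave behind: an autorun.inf, a shortcut that impersonates a real folder on the drive, and a hidden directory holding the executable the shortcut launches. The following script is an added example written for this page, not code from Mandiant or from the article; the drive layouts it builds and the names it uses (Documents.lnk, .hidden, update.exe) are constructed for the demo.

```python
import stat
import tempfile
from pathlib import Path

# File types a USB worm typically plants at a drive root (assumed generic list).
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1"}


def _is_hidden(path: Path) -> bool:
    """Hidden via the Windows HIDDEN attribute, or via a dot prefix elsewhere."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    win_hidden = bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))
    return win_hidden or path.name.startswith(".")


def audit_removable_root(root) -> list[str]:
    """Return human-readable findings for the classic USB-worm layout:
    autorun.inf, shortcuts that impersonate real folders, and hidden
    directories or executables at the drive root. Findings are in name order."""
    root = Path(root)
    entries = sorted(root.iterdir(), key=lambda p: p.name)
    dir_names = {e.name.lower() for e in entries if e.is_dir()}
    findings: list[str] = []
    for entry in entries:
        suffix = entry.suffix.lower()
        if entry.name.lower() == "autorun.inf":
            findings.append(f"autorun.inf present: {entry.name}")
        elif entry.is_dir():
            if _is_hidden(entry):
                findings.append(f"hidden directory at drive root: {entry.name}")
                # Look one level into the hidden directory for the real payload.
                for sub in sorted(entry.iterdir(), key=lambda p: p.name):
                    if sub.is_file() and sub.suffix.lower() in EXEC_SUFFIXES:
                        findings.append(
                            f"executable inside hidden directory: {entry.name}/{sub.name}")
        elif suffix == ".lnk":
            # A shortcut named after a folder that also exists is the lure pattern.
            if entry.stem.lower() in dir_names:
                findings.append(f"shortcut mimics folder name: {entry.name}")
            else:
                findings.append(f"shortcut at drive root: {entry.name}")
        elif suffix in EXEC_SUFFIXES:
            prefix = "hidden " if _is_hidden(entry) else ""
            findings.append(f"{prefix}executable at drive root: {entry.name}")
    return findings


def build_sample_drive(base, infected: bool) -> Path:
    """Constructed sample drive layouts for the demo (not from any real infection)."""
    base = Path(base)
    (base / "Documents").mkdir()
    (base / "Documents" / "report.docx").write_bytes(b"")
    if infected:
        (base / "Documents.lnk").write_bytes(b"L\x00\x00\x00")
        (base / "autorun.inf").write_text("[autorun]\nopen=.hidden\\update.exe\n")
        (base / ".hidden").mkdir()
        (base / ".hidden" / "update.exe").write_bytes(b"MZ")
    return base


def demo() -> tuple[list[str], list[str]]:
    """Audit one constructed infected layout and one clean layout."""
    with tempfile.TemporaryDirectory() as bad, tempfile.TemporaryDirectory() as good:
        infected = audit_removable_root(build_sample_drive(bad, infected=True))
        clean = audit_removable_root(build_sample_drive(good, infected=False))
    return infected, clean


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

In practice you would call audit_removable_root on the mount point of every removable volume on a machine you suspect, and treat any hit as a reason to image the drive rather than open it. The heuristic is deliberately broad: a legitimate drive can carry an autorun.inf or a root-level shortcut, so the findings are a triage queue, not a verdict.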
