A new cyber-espionage group is targeting the Southeast Asian region, using novel self-replicating malware that is currently being spread via infected USB devices and could potentially collect information from air-gapped systems.
Tracked under the temporary moniker UNC4191, the group, believed to be operating out of China, has been observed targeting public and private sector entities in Southeast Asia, Asia-Pacific, Europe, and the US, with a focus on the Philippines. According to Google-owned Mandiant, the discovered artifacts suggest that the campaign has been ongoing since September 2021.
As part of the malicious campaigns, the threat actor used malware families such as the MistCloak launcher, the DarkDew dropper, and the BlueHaze launcher. MistCloak was used to gain access to the victim network via an infected USB device and then served as a downloader for the DarkDew and BlueHaze Windows trojans, with the latter acting as a backdoor for the group and allowing MistCloak to spread to other removable USB devices connected to the compromised network.
“The malware self-replicates by infecting new removable drives that are plugged into a compromised system, allowing the malicious payloads to propagate to additional systems and potentially collect data from air-gapped systems,” Mandiant wrote in a technical report.
“We believe this activity showcases Chinese operations to gain and maintain access to public and private entities for the purposes of intelligence collection related to China’s political and commercial interests. Our observations suggest that entities in the Philippines are the main target of this operation based on the number of affected systems located in this country that were identified by Mandiant,” the researchers added.