A China-nexus threat actor, well known for targeting public and private sectors in South East Asia, the US, and Europe, is using USB devices to breach systems.
Mandiant, which tracks the malicious activity as UNC4191, says the USB-based attack focuses on the Philippines.
The intrusion begins when a user plugs a compromised USB device into a machine. Following the initial infection, threat actors leverage legitimately signed binaries to side-load malware, such as Mistcloak, Darkdew, and Bluehaze.
“Successful compromise led to the deployment of a renamed NCAT binary and execution of a reverse shell on the victim’s system, providing backdoor access to the threat actor. The malware self-replicates by infecting new removable drives that are plugged into a compromised system, allowing the malicious payloads to propagate to additional systems and potentially collect data from air-gapped systems,” Mandiant said.
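The chain described above (a signed binary side-loading malware, then a renamed NCAT binary run on the compromised host, with payloads copied to every removable drive that is plugged in) leaves a trail in endpoint telemetry. The following is an added example, not Mandiant's or Cybernews' code: it checks constructed Sysmon process-creation records for a renamed binary (the PE OriginalFileName field no longer matching the on-disk name) and for execution from a non-fixed drive. The flattened key=value layout, the `ncat.exe` original name and the set of fixed drives are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 1 records flattened to key=value pairs (not real telemetry).
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\svchost.exe OriginalFileName=svchost.exe ParentImage=C:\\Windows\\System32\\services.exe",
    "Image=E:\\Removable Disk\\update.exe OriginalFileName=ncat.exe ParentImage=C:\\Windows\\explorer.exe",
    "Image=C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe OriginalFileName=ncat.exe ParentImage=C:\\Windows\\explorer.exe",
    "Image=C:\\Program Files (x86)\\Nmap\\ncat.exe OriginalFileName=ncat.exe ParentImage=C:\\Windows\\System32\\cmd.exe",
]

# Lazy value match up to the next " Key=" token, so paths containing spaces survive.
_FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Original file names of tools the article says were deployed under other names (assumed).
RENAMED_TOOLS = {"ncat.exe"}


def parse_event(line: str) -> dict:
    """Split one flattened record into its fields."""
    return {k: v for k, v in _FIELD_RE.findall(line)}


def analyse(events, fixed_drives=("C",)):
    """Return one finding per suspicious process-creation record.

    fixed_drives is an assumption about the host; in practice take it from the
    disk inventory so that any other drive letter counts as removable media."""
    findings = []
    fixed = {d.upper() for d in fixed_drives}
    for line in events:
        ev = parse_event(line)
        image = PureWindowsPath(ev.get("Image", ""))
        original = ev.get("OriginalFileName", "").lower()
        reasons = []
        # Renaming the file on disk does not change the PE version resource,
        # so a mismatch exposes a renamed binary whatever its new name is.
        if original and original != image.name.lower():
            tag = "known tool" if original in RENAMED_TOOLS else "binary"
            reasons.append(f"renamed {tag}: on disk as {image.name}, compiled as {original}")
        drive = image.drive.rstrip(":").upper()
        if drive and drive not in fixed:
            reasons.append(f"launched from non-fixed drive {image.drive}")
        if reasons:
            findings.append({"image": str(image), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f["image"], "->", "; ".join(f["reasons"]))
```

The legitimately installed `ncat.exe` in the last sample record is deliberately not flagged: the check keys on the rename and the launch location, not on the tool's presence.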
Mandiant assesses that UNC4191 is a China-nexus threat actor and says the campaign has been active since at least September 2021.
“We believe this activity showcases Chinese operations to gain and maintain access to public and private entities for the purposes of intelligence collection related to China’s political and commercial interests,” Mandiant said.
Cybersecurity pundits have long warned about the risks of USB devices. Inexpensive and portable thumb drives are popular for storing and transporting files, which is exactly what makes them appealing to attackers.
“Attackers can use USB drives to infect other computers with malware that can detect when the USB drive is plugged into a computer. The malware then downloads malicious code onto the drive. When the USB drive is plugged into another computer, the malware infects that computer,” CISA said.
Threat actors can also infect USB drives during production, meaning the malware is already on the stick when a user plugs the brand-new device into their computer.
To keep your devices safe, do not plug an unknown USB drive into a computer, use passwords and encryption on your USB drive, and keep personal and business USB drives separate.