An unidentified hacking group is behind a dangerous new threat that researchers have named the USBCulprit malware. It is designed to silently infiltrate air-gapped systems, that is, computers that are deliberately kept off any external network and can only be reached through physical media. Several countries, primarily in Asia, are currently being targeted.
Air-Gapped Computers Spied Upon By The Advanced USBCulprit Malware
An unidentified hacking group or individual has created a dangerous new threat that security researchers identify as the USBCulprit malware. Unlike general-purpose viruses, this one is built specifically to reach air-gapped computers: critical infrastructure, servers and other high-value equipment that is deliberately isolated from the rest of the network.
The group behind it is tracked under several names, including Goblin Panda, Cycldek and Conimes. The analyzed samples show that an extensive feature set has been integrated. Its individual capabilities fall into the following categories:
- Files Interaction — This includes all actions that are related to data manipulation of any kind: creation of files and the modification and removal of existing ones. This also extends to directories.
- Data Theft — The hackers can use the USBCulprit malware to steal files from the locally connected hard drives, removable storage devices and network shares when available.
- Security Related Tasks — This category covers the methods the malware uses to get onto target systems and stay hidden there.
The exact infection strategy used by the hackers behind the threat is still not known. The researchers believe that the main delivery mechanism is USB removable media. Because an air-gapped computer has no network path to the outside, an infected USB flash drive or external drive has to be physically carried to and plugged into the target machine, or into a machine that shares removable media with it.
Further Information About The USBCulprit Malware
The infections that lead to the deployment of the USBCulprit malware are caused by infected removable devices or by prior malware activity on the host. The hackers use a threat called NewCore as the main payload delivery mechanism. It comes in two variants, BlueCore and RedCore. Both include keylogger functionality that records the keystrokes and mouse input of the users. Another important function is RDP credential theft: the malware checks whether remote desktop login software has been installed by the computer administrators and steals the credentials it holds. This lets the hackers take control of hosts through a legitimate application. From a network administrator's perspective such a session looks like an ordinary login and raises no alarm that an intruder has gained access to the network.
These two tools are also able to deliver the USBCulprit malware as part of their behavior sequence. One of the commands associated with this threat collects documents and exports them to the connected removable storage device. The hackers rely on the infected USB drive for lateral movement: the same drive that carries data out is used to infect further machines it is plugged into.
Another technique used by the hackers is the masking of file components: the loader and the actual malware are named so that they appear to be part of an antivirus product, which hides both from casual inspection.
The analyzed samples indicate that the malware is loaded through DLL search order hijacking, which conceals the malicious code behind a legitimate executable and lets it launch silently in the background. At present its main task is to harvest sensitive data and place it in a password-protected RAR archive. The archive is then copied to the removable storage device, from which the hackers retrieve it. It is expected that future versions will also be able to send the data over a network connection controlled by the Trojan, rather than only via removable media.
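The paragraph above notes that an RDP session opened with stolen credentials looks like an ordinary login. What a defender can still look for is the deviation from the account's own baseline: a remote interactive logon from a source host the account has never used, or at an hour it never logs in. The following is an added example, not code from the page or from the researchers; the event records are constructed here and modelled on Windows Security event 4624 with logon type 10 (RemoteInteractive, i.e. RDP). The field names, the sample addresses and the one-hour slack are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real telemetry) modelled on Windows Security
# event 4624, "An account was successfully logged on".  logon_type 10 is
# RemoteInteractive, which is what an RDP session produces.
BASELINE = [
    {"time": "2020-05-04T09:12:00", "user": "jdoe", "src": "10.1.1.20", "logon_type": 10},
    {"time": "2020-05-05T08:55:00", "user": "jdoe", "src": "10.1.1.20", "logon_type": 10},
    {"time": "2020-05-06T10:03:00", "user": "jdoe", "src": "10.1.1.20", "logon_type": 10},
    {"time": "2020-05-06T14:30:00", "user": "admin", "src": "10.1.1.5", "logon_type": 10},
    {"time": "2020-05-07T09:40:00", "user": "admin", "src": "10.1.1.5", "logon_type": 2},
]

NEW_EVENTS = [
    {"time": "2020-05-08T09:05:00", "user": "jdoe", "src": "10.1.1.20", "logon_type": 10},   # usual
    {"time": "2020-05-08T02:17:00", "user": "jdoe", "src": "10.1.1.20", "logon_type": 10},   # off-hours
    {"time": "2020-05-08T11:00:00", "user": "admin", "src": "10.1.9.77", "logon_type": 10},  # new source
    {"time": "2020-05-08T11:05:00", "user": "admin", "src": "10.1.1.5", "logon_type": 3},    # not RDP
]


def build_profile(events):
    """Per-user baseline of RDP source addresses and logon hours actually observed."""
    profile = defaultdict(lambda: {"sources": set(), "hours": set()})
    for ev in events:
        if ev["logon_type"] != 10:
            continue
        hour = datetime.fromisoformat(ev["time"]).hour
        profile[ev["user"]]["sources"].add(ev["src"])
        profile[ev["user"]]["hours"].add(hour)
    return profile


def flag_rdp_logons(profile, events, hour_slack=1):
    """Return (event, reason) pairs for RDP logons that deviate from the baseline.

    Only logon type 10 is examined; the checks are ordered so the strongest
    signal (unknown user, unknown source) wins over the weaker time-of-day one.
    """
    alerts = []
    for ev in events:
        if ev["logon_type"] != 10:
            continue
        known = profile.get(ev["user"])  # .get() does not create a default entry
        hour = datetime.fromisoformat(ev["time"]).hour
        if known is None:
            alerts.append((ev, "no RDP baseline for user"))
        elif ev["src"] not in known["sources"]:
            alerts.append((ev, "RDP from source never seen for user"))
        elif not any(abs(hour - h) <= hour_slack for h in known["hours"]):
            alerts.append((ev, "RDP outside user's usual hours"))
    return alerts


def run_demo():
    """Build the baseline from BASELINE and return the reasons raised for NEW_EVENTS."""
    profile = build_profile(BASELINE)
    return [reason for _ev, reason in flag_rdp_logons(profile, NEW_EVENTS)]


if __name__ == "__main__":
    for ev, reason in flag_rdp_logons(build_profile(BASELINE), NEW_EVENTS):
        print(f"{ev['time']} {ev['user']}@{ev['src']}: {reason}")
```

The point of the example is that the stolen-credential session is indistinguishable from a legitimate one on its own; it becomes visible only when compared with what that account normally does. In practice the baseline would be built from weeks of real 4624 events rather than five constructed records.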
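The two observable artifacts described above, a loader DLL planted beside a legitimate executable for search-order hijacking and a password-protected RAR archive staged on the removable drive, can both be checked for when a USB drive is examined. The following is an added example written for this page, not code from the researchers or from the malware; it walks a directory tree (standing in for a mounted removable drive), flags DLLs with hijack-prone names that sit in the same folder as an executable, and parses the RAR 4.x main header to see whether the archive's password flag (0x0080) is set. The list of hijack-prone DLL names, the sample folder layout and the file names are constructed assumptions for illustration.

```python
import os
import struct
import tempfile

# Marker blocks that open a RAR archive (RAR 4.x and RAR 5.x formats).
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
# RAR 4.x main-header flag: block headers are encrypted, i.e. the archive
# was created with a password.
RAR4_MHD_PASSWORD = 0x0080

# Windows DLL names frequently abused for search-order hijacking: many
# programs import them and Windows checks the program's own directory before
# System32.  Illustrative subset (assumption), not taken from the page.
HIJACK_PRONE_DLLS = {
    "version.dll", "dwmapi.dll", "wtsapi32.dll", "cryptsp.dll",
    "uxtheme.dll", "propsys.dll", "profapi.dll", "msimg32.dll",
}


def rar_status(path):
    """Return None if the file is not a RAR archive, else 'rar5', 'rar4' or
    'rar4-encrypted' (RAR 5 encryption lives in a separate header and is not
    parsed here)."""
    with open(path, "rb") as fh:
        head = fh.read(14)
    if head.startswith(RAR5_MAGIC):
        return "rar5"
    if not head.startswith(RAR4_MAGIC):
        return None
    # RAR 4.x main header follows the 7-byte marker:
    # HEAD_CRC(2) HEAD_TYPE(1, 0x73) HEAD_FLAGS(2, little-endian) HEAD_SIZE(2)
    if len(head) < 12 or head[9] != 0x73:
        return "rar4"
    (flags,) = struct.unpack_from("<H", head, 10)
    return "rar4-encrypted" if flags & RAR4_MHD_PASSWORD else "rar4"


def scan_tree(root):
    """Walk a directory tree and return (relative_path, finding) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        has_exe = any(f.lower().endswith(".exe") for f in files)
        for f in sorted(files):
            full = os.path.join(dirpath, f)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if has_exe and f.lower() in HIJACK_PRONE_DLLS:
                findings.append((rel, "dll-sideload-candidate"))
            status = rar_status(full)
            if status:
                findings.append((rel, status))
    return findings


def build_sample_tree(root):
    """Constructed sample drive layout (no real malware): an 'antivirus
    update' folder holding an EXE with a hijack-prone DLL beside it, a
    password-protected RAR, a plain RAR and an unrelated document."""
    tools = os.path.join(root, "avupdate")
    os.makedirs(tools)
    for name in ("avupdate.exe", "version.dll"):
        with open(os.path.join(tools, name), "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62)  # minimal PE-looking stub
    # Main header with the password flag set; HEAD_SIZE is the standard 13.
    with open(os.path.join(root, "docs.rar"), "wb") as fh:
        fh.write(RAR4_MAGIC + struct.pack("<HBHH", 0, 0x73, RAR4_MHD_PASSWORD, 13) + b"\x00" * 6)
    with open(os.path.join(root, "plain.rar"), "wb") as fh:
        fh.write(RAR4_MAGIC + struct.pack("<HBHH", 0, 0x73, 0, 13) + b"\x00" * 6)
    with open(os.path.join(root, "report.docx"), "wb") as fh:
        fh.write(b"PK\x03\x04")


def demo():
    """Build the constructed tree in a temp dir and return its sorted findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sorted(scan_tree(tmp))


if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{finding:24s} {rel}")
```

Neither check is conclusive on its own: a DLL with a common name next to an installer is often legitimate, and an encrypted RAR may be a user's own backup. Together, on a drive that has moved between an internet-connected machine and an isolated one, they are exactly the combination this campaign leaves behind and are worth escalating.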