A notorious Chinese cyber espionage group, Camaro Dragon, has emerged with a new strain of self-propagating malware that spreads through compromised USB drives. This recent discovery has revealed the global reach of the group and underscores the alarming role played by USB drives in malware dissemination, according to cybersecurity firm Check Point.
Check Point's research uncovered instances of USB malware infections in several countries, including Myanmar, South Korea, Great Britain, India, and Russia. The findings stem from a cyber incident investigated by the company at an undisclosed European hospital in early 2023.
The investigation revealed that the hospital was not directly targeted by Camaro Dragon. Instead, an employee's USB drive became infected when plugged into a colleague's computer at an Asia-based conference. Unbeknownst to the employee, the infected USB drive introduced the malware to the hospital's computer systems upon their return to Europe.
Camaro Dragon shares tactical similarities with other activity clusters, such as Mustang Panda and LuminousMoth. Recently, the group has been associated with a Go-based backdoor called TinyNote and a malicious router firmware implant known as HorseShell.
The malware chain starts with HopperTick, a Delphi launcher that propagates through USB drives, and its primary payload, WispRider, which infects any USB device connected to an already-infected machine. When a benign USB thumb drive is inserted into an infected computer, WispRider detects it, manipulates its files, and creates hidden folders at the root of the drive.
WispRider not only infects the current host but also communicates with a remote server, compromises newly connected USB devices, executes arbitrary commands, and performs file operations. Some variants of WispRider also act as a backdoor, bypassing antivirus solutions like Smadav and leveraging DLL side-loading using components from security software such as G-DATA Total Security.
Additionally, a post-exploitation payload called disk monitor (HPCustPartUI.dll) accompanies WispRider. This module stages files with specific extensions for exfiltration, including docx, mp3, wav, m4a, wma, aac, cda, and mid.
It's not the first time Chinese threat actors have utilized USB devices as an infection vector. In November 2022, Google-owned Mandiant attributed espionage attacks in the Philippines involving malware such as MISTCLOAK, DARKDEW, and BLUEHAZE to UNC4191, a suspected China-linked threat actor. A subsequent report from Trend Micro in March 2023 connected UNC4191 to Mustang Panda, revealing spear-phishing campaigns targeting Southeast Asian countries.
The constant evolution of tools, tactics, and procedures by threat actors demonstrates their determination to bypass security solutions. With a wide range of custom tools at their disposal, these actors continue to exfiltrate sensitive data from victim networks.