China-Linked Threat Actors Utilize Infected USB Drives to Spread Malware

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

Check Point Research (CPR) recently discovered a new version of self-propagating malware that spreads through infected USB drives. The cybersecurity company identified this trojan in early 2023, while investigating a cyberattack incident at a European healthcare institution.

The malware has been attributed to Camaro Dragon, a China-based espionage threat actor whose modus operandi closely resembles that of Mustang Panda and LuminousMoth.

The group's primary targets have generally been Southeast Asian countries, and CPR found similar USB-related infections in Myanmar, South Korea, Great Britain, India, and Russia. The current incident, however, shows the global reach of this group.

During the investigation, it emerged that the European hospital was not the primary target. The malware had spread through an employee's compromised USB drive: the employee had attended a conference in Asia and used the drive to share his presentation, which is where it became infected.

Upon his return to Europe, the employee connected the USB drive to the hospital's computer system, which led to the spread of the malware.

The investigation further revealed that the malware belongs to a toolset discussed by Avast in its 2022 report, where it was dubbed SSE. The infection chain starts when the target connects the infected USB flash drive, which launches the malicious Delphi launcher known as HopperTick. The main payload, a WispRider variant, functions both as a backdoor and as a tool that infects further USB devices when they are connected to a compromised machine.

WispRider also has additional features, such as bypassing SmadAV, an Indonesian antivirus solution popular in Southeast Asia. To evade detection it also uses DLL side-loading, abusing security software components from two gaming companies and from G-DATA, CPR warned.

"The ability to propagate autonomously and uncontrollably across multiple devices enhances this threat's reach and potential impact. This approach not only enables the infiltration of potentially isolated systems but also grants and maintains access to a vast array of entities, even those that are not primarily targeted," said CPR.

The increasing use of USB drives by Chinese threat actors as a vector for spreading malware has been cited in various industry reports, including the 2022 Mandiant report on China and UNC4191's cyber espionage activity.

North Korean Hackers Utilize New Malware With Wiretapping Functionality, Warn Cybersecurity Experts

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

The threat actor identified as APT37, also known as RedEyes, ScarCruft, and Reaper, generally carries out surveillance activity targeting human rights activists, North Korean defectors, and university professors.

The group's latest attack was discovered by South Korea-based AhnLab in May 2023, when it observed APT37 using malware with a previously undocumented wiretapping capability. To exfiltrate data, the malware has a backdoor component that communicates over the Ably platform (a real-time data transfer and messaging service) and was written in the cross-platform language GoLang.

The campaign saw RedEyes use spear-phishing emails carrying a CHM (Compiled HTML Help) file disguised as a password-protected document. Once executed, the CHM file not only displays a password but also fetches a malicious file from a threat-actor-controlled C2 server. The fetched script, identified as PowerShell malware, has backdoor functionality: it maintains persistence via an autorun registry key and executes commands issued by the attacker-controlled C2 server.
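Because the persistence described above lives in an autorun registry key, a defender can audit those keys directly. The following PowerShell script is an added example, not code from the page or from AhnLab; the key paths are the standard Run/RunOnce locations, and the indicator strings are assumptions chosen to flag PowerShell command lines built to run hidden or fetch remote content.

```powershell
# Added example: audit Run/RunOnce autorun keys for PowerShell-based persistence.
# Key paths are the standard Windows locations; the indicator list is an assumption.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Substrings typical of a PowerShell command line meant to run unattended and unnoticed.
$suspicious = @(
    'powershell', 'pwsh',
    '-enc', 'encodedcommand',
    '-w hidden', 'windowstyle hidden',
    '-nop', 'noprofile',
    'bypass',
    'downloadstring', 'invoke-webrequest', 'invoke-expression', 'iex',
    'hh.exe'   # HTML Help host, the executable that opens CHM files
)

function Test-SuspiciousAutorun {
    param([string]$CommandLine)
    $lower = $CommandLine.ToLowerInvariant()
    # Return every indicator found; @() keeps the result an array even with 0 or 1 hits.
    return @($suspicious | Where-Object { $lower.Contains($_) })
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PS* metadata properties that Get-ItemProperty attaches.
        if ($p.Name -like 'PS*') { continue }
        $hits = @(Test-SuspiciousAutorun -CommandLine ([string]$p.Value))
        if ($hits.Count -gt 0) {
            # Emit one record per flagged autorun entry for triage.
            [PSCustomObject]@{
                Key       = $key
                ValueName = $p.Name
                Command   = $p.Value
                Matches   = ($hits -join ', ')
            }
        }
    }
}
```

Run it in an elevated session so the HKLM keys are readable; a legitimate entry that matches (for example a management agent) still needs a human to confirm it before anything is removed.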

The threat actors' primary focus is stealing information, and they carried out the attack stealthily to gain access to the targeted systems. "These sorts of attacks are difficult for individuals to notice. As such, ASEC is closely tracking the activities of the RedEyes group and responding promptly to prevent further damage," the advisory stated.

To mitigate the risk of such attacks, AhnLab experts also recommended that users remain vigilant and exercise caution when opening emails or files from unknown sources. The increasing use of infostealer malware and phishing campaigns makes it imperative that users monitor their accounts in order to identify and mitigate any security threat.