The vogue of dangerous trojans continues. Researchers have recently discovered a USBCulprit malware, which is part of an APT known as Cycldek. Investigators claim “Cycldek” to be part of the arsenal of an APT that targets government authorities. The same APT group has a history to dubb and aim air-gapped devices via USB.
Cycldek also acknowledged as Goblin Panda, and APT 27 had been targeting government agencies for quite a long time. According to firewall distros “Kaspersky,” it has been supplementing sophisticated tools over time. Security personnel stated that the malware was first deployed in Vietnam, Thailand, and Laos.
The Kaspersky analyst also added that it holds both lateral mobilities, which means that it could traverse through the network to obtain the targeted data and harvest user credentials.
Further, they stated that additional features of USBCulprit have an inbuilt mechanism to reach physically isolated machines, Where the data communication occurs through removable(tangible) media such as a USB drive.
Once the USB is installed, it traverses through the infected devices and collects relevant documents possessing specific extensions. According to its analogy, further, these assets are transferred to USB drives, which are connected to the system. This implies that the malware is intended to reach air-gapped machines or those that are not straight connected to the internet.
Insights of USB culprit:
While examining the code, the Security analyst found that the very first version for the binary modules dates back to 2014, while the current timestamped matched to the previous year.
Mostly, The attacks began with a politically themed phishing email that consists of a boobytrapped RTF documents that exploit the system. Once compromised, the users are tainted with a backdoor payload called “NewCore RAT.” Usually, the malware is compromised of two different data-stealing variants-BlueCore and RedCore. Bluecoreis to be deployed against diplomatic and government targets in Vietnam, whereas RedCore was intended to be used in Vietnam.
Both the data-stealing variants are capable of downloading USBCulprit and escalate some other tools, such as a custom backdoor, a tool for stealing cookies, and a tool that takes user credentials from Chromium-based browser.
The applications are crafted in a way that it could trick down the security mechanisms. It consists of AV components like wsc_proxy.exe “Avast remediation service,” qcconsol.exe, and mcvsshld.exe “McAfee components,” as well as legitimate Microsoft and Google utilities like the resource compiler (rc.exe) and Google Updates ‘googleupdate.exe.” These tools are formulated to bypass the security and grant administrative permissions during execution
Mechanism followed by USB culprit:
Once the malware loads to the system memory and executes itself, it goes through three phases:
-
Data scanning and recon
-
Data exfiltration to or from a USB device
-
lateral movement
In the data collection phase, the payload executes two functions, named “CUSB:: RegHideFileExt” and “CUSB:: RegHideFile,” . These two functions are intended to modify registry keys and hide the extensions of files in Windows. The malware scans for the following extensions: *.pdf;*.doc;*.wps;*docx;*ppt;*.xls;*.xlsx;*.pptx;*.rtf. The compromised files are then ordered into encrypted RAR archives.
Next up is the info-stealing phase; it includes functions that are intended to capture USB data. The payload attempts to intercept the connection of new media and verifies it corresponding to the removable drive. When the USB is connected, the intrusion determines whether or not RAR archives should be copied to the removable drive.
Further, it searches for a directory named ‘$Recyc1e.Bin’ in the main memory and, if not found, will be created. This directory is used for copying files directly to the source path. In order to understand the direction of copying files, a particular marker indicator file named ‘1.txt’ is searched locally.
In the final stage, another marker file named ‘2.txt’ will be indexed to determine whether or not the lateral movement should be executed. The malware tends to be more lethal when properly executed. Besides, USBCulprit is also capable of updating itself. The modules used in the malware searches for existing predefined files which is further executed upon the USB.
Conclusion:
The cybersecurity personnel noted that USBCuprit malware does not automatically execute upon USB connection, which “leads to believe the malware is supposed to be run manually by a [physically present] human handler. They concluded that malware should not be overlooked because of its much widespread presence in Southeast Asia and a much more sophisticated toolset that had been generated.
