Stealthy USB: New versions of Chinese espionage malware propagating through USB devices found by Check Point Research

Highlights:

• Check Point Research (CPR) puts a spotlight on a Chinese state sponsored APT malware propagating via infected USB drives
• The new malware version shows malware spreading rampantly via USB, crossing network borders and physical continents with ease
• CPR calls out to organizations to protect against similar attack methods, and secure their assets which are using USB drives

Executive Summary

In a recent incident at a healthcare institution in Europe, the Check Point Incident Response Team (CPIRT) uncovered a disturbing malware attack. This incident shed light on the activities of Camaro Dragon, a Chinese-based espionage threat actor also known as Mustang Panda and LuminousMoth. While their primary focus has traditionally been Southeast Asian countries, this latest discovery reveals their global reach and highlights the alarming role USB drives play in spreading malware.

The Uninvited Guest: Malware Sneaks In Through USB Drives:

The healthcare institution fell victim to malware that infiltrated their systems through an infected USB drive. This incident prompted Check Point Research (CPR) to conduct a thorough investigation, leading to the discovery of newer versions of the malware. These malicious programs possess the ability to self-propagate through USB drives, making them potent carriers of infection, even beyond their intended targets.

Patient Zero: Healthcare institution gets infected

Patient Zero in the healthcare institution infection was identified as an employee who had participated in a conference held in Asia. He had the opportunity to share his presentation with fellow attendees using his USB drive. Unfortunately, one of his colleagues had a computer that was infected, so when the employee shared his USB drive with them, the drive became unknowingly infected as a result. Consequently, upon returning to the healthcare institution in Europe, the employee inadvertently introduced the infected USB drive, which led to spread of the infection to the hospital’s computer systems.

This incident is an in-the-wild sighting of a set of tools described back in late 2022 in the Avast report (the toolset is labelled there as SSE), which analyzed several malicious tools staged on one of the distribution servers researchers attributed to Mustang Panda. The infection chain starts with a victim launching a malicious Delphi launcher on the infected USB flash drive – which reveals all the victim’s files (concealed when the USB drive was infected in the first place). The launcher is responsible for unleashing the main backdoor and infecting each drive when they are plugged in.

Meet WispRider: The Evolved Payload:

One variant of the malware, known as WispRider, emerged as the main culprit of the infection. Its creators have refined its capabilities, equipping it with backdoor functionality and the ability to spread through USB drives using the HopperTick launcher. Adding to this, WispRider also boasts additional features, including a bypass mechanism for SmadAV, a popular antivirus software in Southeast Asia. It even resorts to DLL-sideloading, using for evasion purposes components from security software like G-DATA Total Security, as well as major gaming companies like Electronic Arts and Riot Games.

Check Point Research notified these companies were on the above-mentioned use of their software by the attackers.

The Unmistakable USB Connection:

This report, backed by corroborating evidence from other industry sources, confirms that Chinese affiliated threat actors, such as Camaro Dragon, continue to harness the power of USB devices as an infection vector. Their reliance on USB drives to facilitate malware propagation underscores the urgent need for organizations to be vigilant and take steps to protect their assets.

CPR calls out to organizations to guard against USB-based Attacks:

To shield your organization from the risks associated with USB drives, consider implementing the following measures:

• Raise Awareness: Educate employees about the potential dangers of using USB drives from unknown or untrusted sources. Encourage cautious behavior and discourage the use of unfamiliar drives on corporate devices.
• Establish Strict Policies: Develop clear guidelines regarding the use of USB drives within your organization. Consider limiting or prohibiting their use, except when obtained from trusted sources and scanned for malware.
• Seek Secure Alternatives: Explore alternative solutions, such as cloud storage or encrypted file-sharing platforms, to reduce reliance on physical USB drives and mitigate associated
• Keep Security Measures Up to Date: Regularly update antivirus software and other security measures across all devices. Conduct periodic scans of USB drives for potential malware infections.
• Enforce Device Management: Implement robust device management policies to monitor and control the use of USB drives. Restrict unauthorized access, enforce encryption, and monitor USB activities for any suspicious behavior.

Adopting prevention-first security solutions such as Check Point Endpoint and Threat Emulation to detect zero-say and unknown attacks, even from the internet, even if such malware is spread across the organization is also another means to further defend against such attacks.

Conclusion:

As the incident at the healthcare institution demonstrated, USB drives becomes again a prominent avenue for malware to infiltrate organizations worldwide. By staying informed and adopting proactive security measures, organizations can effectively defend against USB-based attacks and safeguard their valuable assets from cyber threats.

Read the full deep dive report at http://research.checkpoint.com