Chinese Espionage Malware Targets European Healthcare via USB Drives

The malware campaign has been attributed to the Chinese APT group Mustang Panda, also known as Camaro Dragon.

It all started when an employee who had attended a conference in Asia unknowingly introduced malware into their organization in Europe by sharing a presentation with a colleague from a compromised USB drive.

According to a report by Check Point Research (CPR), a recent surge in new versions of Chinese espionage malware has raised concerns as they rapidly propagate through infected USB drives.

The malware campaign was discovered during an investigation into an attack on a healthcare institution in Europe, shedding light on the activities of the Chinese threat actor known as Mustang Panda, which is also tracked as TA416, Red Lich, Earth Preta, HoneyMyte, Bronze President, Camaro Dragon and LuminousMoth.

It is worth noting that earlier this year, in March, Mustang Panda was observed using a new backdoor, MQsTTang, against government and political organizations across Asia and Europe.

While Mustang Panda has historically focused on Southeast Asian nations, this incident shows its expanded global reach. The attackers initially gained access to the institution’s systems through an infected USB drive.

An employee who had attended a conference in Asia unknowingly shared a presentation with a colleague from the compromised USB drive, introducing the malware into the organization upon their return to Europe.

The malware, which CPR’s blog post places in the “SSE” toolset previously reported by Avast, uses a malicious Delphi launcher stored on the infected USB flash drive. Once executed, it deploys a main backdoor and spreads the infection to other drives connected to the machine.

One particularly potent variant of the malware, named WispRider, uses the HopperTick launcher to propagate through USB drives. Notably, it includes a bypass mechanism specifically designed to evade SmadAV, an antivirus product popular in Southeast Asia.

To enhance its evasion capabilities, the malware uses DLL side-loading, abusing legitimately signed components from security software and prominent gaming companies to load its malicious code. This combination lets the malware establish backdoors on compromised machines while simultaneously infecting newly connected removable drives, so it can reach isolated systems and organizations well beyond the primary targets.
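As an added illustration (this is not code from the Check Point report or from this article), the following Python script audits a mounted removable drive for the generic patterns the article describes: an executable launcher placed at the root where a user expects a document, hidden directories, and executable/DLL pairs that could be a side-loading host. The sample drive layout, file names and file contents are constructed here for the demonstration and are not WispRider artefacts; the heuristics are general USB-worm triage checks, not indicators published for this campaign.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions Windows will run directly when a user double-clicks them.
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files on slow USB media don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_hidden(path: Path) -> bool:
    """Dot-prefix is the portable notion of hidden; on Windows also honour FILE_ATTRIBUTE_HIDDEN (0x2)."""
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & 0x2)


def audit_removable_root(root) -> list:
    """Return a list of findings (dicts) for a drive mounted at `root`."""
    root = Path(root)
    findings = []

    # 1. Launchers at the root of the drive, where a user looking for a
    #    presentation would double-click them, and hidden top-level folders.
    for p in sorted(root.iterdir()):
        rel = str(p.relative_to(root))
        if p.is_file() and p.suffix.lower() in EXEC_EXTS:
            findings.append({"kind": "root_executable", "path": rel, "sha256": sha256_of(p)})
        elif p.is_dir() and is_hidden(p):
            findings.append({"kind": "hidden_directory", "path": rel, "sha256": None})

    # 2. Anywhere on the drive: an .exe sitting beside a .dll is a candidate
    #    DLL side-loading pair (a trusted host program plus a planted library)
    #    and deserves a closer look before anything on the drive is opened.
    for dirpath, _, filenames in os.walk(root):
        exes = sorted(n for n in filenames if n.lower().endswith(".exe"))
        dlls = sorted(n for n in filenames if n.lower().endswith(".dll"))
        if exes and dlls:
            for exe in exes:
                p = Path(dirpath) / exe
                findings.append({
                    "kind": "exe_dll_pair",
                    "path": str(p.relative_to(root)),
                    "sha256": sha256_of(p),
                    "dlls": dlls,
                })
    return findings


def build_sample_drive() -> str:
    """Constructed stand-in for a mounted USB drive; contents are placeholders, not malware."""
    root = Path(tempfile.mkdtemp(prefix="usb_audit_"))
    (root / "Conference_Talk.pptx").write_bytes(b"PK\x03\x04 constructed pptx placeholder")
    (root / "Conference_Talk.exe").write_bytes(b"MZ constructed launcher placeholder")
    hidden = root / ".cache"
    hidden.mkdir()
    (hidden / "update.exe").write_bytes(b"MZ constructed host program placeholder")
    (hidden / "helper.dll").write_bytes(b"MZ constructed side-loaded dll placeholder")
    return str(root)


if __name__ == "__main__":
    drive = build_sample_drive()
    for finding in audit_removable_root(drive):
        print(finding)
```

On a real drive, point `audit_removable_root` at the mount point (for example `E:\` or `/media/usb`) from a machine with autorun disabled and no network access, and submit the hashes of anything flagged to your sandbox or threat-intelligence feed rather than opening the files.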

The CPR advisory serves as a timely warning following the company’s recent identification of a separate attack vector attributed to Mustang Panda. The group’s ongoing activity highlights the need for organizations to remain vigilant against evolving threats and to maintain robust controls for external storage devices such as USB drives, including disabling autorun and scanning removable media before use.

The full technical research on this threat is available in Check Point Research’s report.
