The malware reveals the growing capabilities of cybercriminals.
A Chinese criminal group named Cycldek (also known as Goblin Panda and Conimes) has been conducting cyberattacks in Southeast Asian countries since 2013, with Vietnam being the primary target.
To carry out these attacks, it has often relied on a program named NewCore RAT, which has two variants, BlueCore and RedCore, each with its own set of tools serving its specific goals.
However, Kaspersky has now discovered a previously undetected tool that is common to both variants.
Dubbed USBCulprit by the researchers, the malware is designed to extract data from air-gapped computers via USB drives and is currently targeting users in three countries, namely Vietnam, Thailand, and Laos.
The map below shows how both variants relate to the newly discovered common piece of malware:
It is worth noting that a couple of weeks ago, it was reported that a new malware called Ramsay had been stealing data from air-gapped PCs.
As for USBCulprit, it is believed to have been operating since 2014. The security firm states that the most recently observed samples appear to be from 2019 and also include functionality that allows the malware to execute certain files with “a specific name” from the connected USB drive.
It works by scanning the victim’s computer for files with specific extensions that are of interest to it (pdf;*.doc;*.wps;*docx;*ppt;*.xls;*.xlsx;*.pptx;*.rtf.). Once found, it copies these files to a connected USB drive.
In addition, the researchers explain in their blog post that “it can also selectively copy itself to a removable drive in the presence of a particular file, suggesting it can be spread laterally by having designated drives infected and the executable in them opened manually”.
Nonetheless, it is speculated that USBCulprit does not operate autonomously but relies on human intervention. Hinting at this is the fact that no method was observed by which the malware could execute itself “from infected media.” Furthermore, the researchers state:
“Along with the very specific files that the malware seeks as executable extensions and could not be found as artifacts elsewhere in our investigation, point to a human factor being required to assist deployment of the malware in victim networks.”
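As an added illustration of how a defender might detect the behaviour described above (this is example code, not from the article or from Kaspersky), the following script flags a process that writes many files with the listed document extensions to a removable drive within a short window. The event format, the set of removable drive letters and the sample events are assumptions constructed for the example.

```python
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Document extensions the Kaspersky write-up reports USBCulprit collecting.
DOC_EXTENSIONS = {".pdf", ".doc", ".wps", ".docx", ".ppt", ".xls", ".xlsx", ".pptx", ".rtf"}
REMOVABLE_DRIVES = {"D:", "E:", "F:"}  # drive letters assumed removable in this example

# Constructed sample events, assumed format "<ISO timestamp> <process> <destination path>".
SAMPLE_EVENTS = """\
2020-06-01T09:00:01 explorer.exe E:\\photos\\vacation.jpg
2020-06-01T09:00:05 suspect.exe E:\\$RECYCLE.BIN\\report.docx
2020-06-01T09:00:06 suspect.exe E:\\$RECYCLE.BIN\\budget.xlsx
2020-06-01T09:00:07 suspect.exe E:\\$RECYCLE.BIN\\plan.pdf
2020-06-01T09:00:08 suspect.exe E:\\$RECYCLE.BIN\\memo.rtf
2020-06-01T09:00:09 suspect.exe E:\\$RECYCLE.BIN\\deck.pptx
2020-06-01T09:31:00 winword.exe E:\\handover\\notes.docx
"""
EVENT_RE = re.compile(r"^(\S+) (\S+) (.+)$")

def parse_events(text):
    """Yield (timestamp, process, path); malformed lines are skipped."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def is_doc_write_to_removable(path):
    """True if the path is on a removable drive and has a targeted extension."""
    ext = ntpath.splitext(path)[1].lower()
    return ext in DOC_EXTENSIONS and path[:2].upper() in REMOVABLE_DRIVES

def flag_bulk_doc_copies(text, threshold=5, window=timedelta(minutes=1)):
    """Return {process: count} for processes that wrote at least `threshold`
    targeted documents to removable media within one `window`-long span."""
    writes = defaultdict(list)
    for ts, proc, path in parse_events(text):
        if is_doc_write_to_removable(path):
            writes[proc].append(ts)
    alerts = {}
    for proc, times in writes.items():
        times.sort()
        for start in range(len(times)):  # sliding window over sorted times
            end = start
            while end + 1 < len(times) and times[end + 1] - times[start] <= window:
                end += 1
            if end - start + 1 >= threshold:
                alerts[proc] = end - start + 1
                break
    return alerts
```

A single document saved to a USB stick by a normal application is not flagged; the heuristic keys on volume and speed, which is what the bulk-collection behaviour described above would produce.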
To conclude, the tools observed in cybercrime can usually give us an idea of the capabilities and reach of the perpetrators. In this case, the researchers believe that, given the current campaign and the previous variants, Cycldek is well equipped to conduct attacks in Southeast Asia.
Furthermore, it is important to remember that this perhaps represents only one of the various ways in which air-gapped computers can be infiltrated. Previously, on HackRead.com, we’ve covered techniques ranging from sound waves to the power supply being used for this purpose; these are expected to continue, as are new ones appearing in the field, which everyone should anticipate.