Cybersecurity firm Mandiant recently discovered that a threat actor known as UNC4990 uses USB devices to inject malware payloads.
Based on the investigation, it was found that they have been exploiting reputable online platforms to host encoded payloads ridden with malware.
Utilizing Trusted Platforms for Covert Operations
Recently, Mandiant discovered that there's a group of hackers using USB devices to spread infection on media hosting sites. They hide the malware payload on these platforms.
UNC4990 strategically conceals encoded payloads within forums and video descriptions on media hosting platforms. These payloads, disguised as simple text strings, play a crucial role in the attack chain, facilitating the download and execution of malware during cyber assaults, according to Mandiant.
Related Article: NSO Group's Pegasus Spyware Targets at Least 35 Critics Tied to Jordan
Involuntary Payload Hosting
Bleeping Computer reports that the attack commences when victims unwittingly click on a malicious LNK shortcut file from a USB drive. The file triggers a PowerShell script, explorer.ps1, initiating the download of an intermediary payload named "EMPTYSPACE."
Furthermore, it was also found that the attackers experimented with different hosting methods, from GitHub and GitLab to Vimeo and Ars Technica, using regular site features to host obfuscated payloads without raising suspicion.
Trusting Reputable Platforms for Enhanced Resilience
Hosting payloads on trusted platforms provides UNC4990 with a tactical advantage. These platforms are often trusted by security systems, minimizing the likelihood of being flagged as suspicious. Additionally, leveraging content delivery networks and resilience to takedowns add more sophistication to the threat actor's strategy.
Stealthy Operations and Lucrative Returns
UNC4990's ultimate payload, "QUIETBOARD," is a sophisticated, multi-component backdoor introducing a range of capabilities. From executing commands and Python code to altering clipboards for cryptocurrency theft and gathering detailed system information, QUIETBOARD has proven to be a powerful tool. The associated wallet addresses linked to this campaign have amassed profits exceeding $55,000.
UNC4990's Experimental Approach
Mandiant notes UNC4990's penchant for experimentation, continuously refining attack methodologies and seeking optimal pathways for its attack chain. Despite conventional prevention measures, the threat of USB-based malware remains significant, underscoring the adaptability and persistence of cyber threats.
In summary, UNC4990's exploitation of legitimate sites to conceal malicious payloads challenges the traditional security of news sites.
Cybersecurity measures continue to improve, but cyber incidents still need to be solved. As the experts roll out more effective methods to curb them, hackers are getting smarter to bypass their methods.
Meanwhile, hackers used group chats in Microsoft Teams to infect the systems through the DarkGate malware. Their campaign easily deceived users into downloading the malicious file with a seemingly suspicious name. From here, the malware begins to access the networks.
For more news and updates about cyberattacks, just click here.
Read Also: Telegram's Role in 'Democratization' of Cybercrime Unveiled by Guardio Labs
