USB Malware Chained with Text Strings on Legitimate Websites Attacks Users

by Esmeralda McKenzie

Despite the evolution of many tools and techniques, threat actors still rely on old methods to attack victims. One such threat actor is UNC4990, which uses USB devices to infect victims. UNC4990 is a financially motivated threat actor that has been conducting campaigns since 2020.

There has been a steady evolution in this threat actor's activity. Most notably, its newest techniques involve the use of popular and legitimate websites such as GitHub, GitLab, Ars Technica and Vimeo.

In addition, the threat actor has been using the EMPTYSPACE downloader and the QUIETBOARD backdoor. EMPTYSPACE is capable of executing any payload served from the command-and-control servers, and QUIETBOARD is also delivered using EMPTYSPACE.

USB Malware Chained with Text Strings

Initial Vector

According to the reports shared with Cyber Security News, the threat actor begins the infection chain by delivering USB drives to victims by means of social engineering. Once the victim connects the USB drive to their device, the removable device is shown with a shortcut (.LNK extension) under the vendor name.

Figure 1: Infection chain | Source: Mandiant

When victims open this malicious LNK shortcut file, it executes a PowerShell script (explorer.ps1) with the following command:

  C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -NoProfile -nologo -ExecutionPolicy ByPass -File explorer.ps1

explorer.ps1 is an encoded PowerShell script that checks for specific conditions and fetches Runtime Broker.exe, which is the EMPTYSPACE downloader.
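The command above combines three traits that are individually common but rarely seen together in routine administration: a hidden window, an execution-policy bypass, and a script file that lives on the removable drive the shortcut was opened from. The following detection heuristic is an added example written for this article, not code from the original post or from Mandiant. It scans process-creation events (field names loosely modelled on Sysmon Event ID 1) and alerts only on that combination; the events, paths and the SYSTEM_DRIVES constant are constructed assumptions for illustration.

```python
"""Detection heuristic for the USB-shortcut-to-PowerShell initial vector.

Added example, not from the original article or from Mandiant. Field names
are modelled on Sysmon Event ID 1; all events and paths are constructed.
"""
import re

# Drive letters treated as the fixed system drive. In production this should
# come from volume/device telemetry rather than a constant (assumption).
SYSTEM_DRIVES = {"C"}

# -w hidden / -windowstyle hidden (PowerShell accepts abbreviated switches)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.IGNORECASE)
# -ep bypass / -ExecutionPolicy ByPass
BYPASS_RE = re.compile(r"-e(?:xecutionpolicy|p)\s+bypass\b", re.IGNORECASE)
# -f / -File followed by the script path (optionally quoted)
FILE_RE = re.compile(r'-f(?:ile)?\s+"?([^"\s]+)', re.IGNORECASE)
# -e / -enc / -EncodedCommand followed by a base64 blob
ENCODED_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)

# Constructed sample events. Only the first reproduces the article's pattern.
SAMPLE_EVENTS = [
    {   # shortcut on a removable drive launching a hidden, bypassed script
        "Image": r"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -NoProfile -nologo -ExecutionPolicy ByPass -File E:\explorer.ps1',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # routine admin task: a bypass on its own must not raise an alert
        "Image": r"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
    {   # unrelated process opened from a removable drive
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe E:\notes.txt",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]


def analyze_event(event):
    """Return the list of suspicious traits found in one event (empty if none)."""
    reasons = []
    if not event.get("Image", "").lower().endswith("powershell.exe"):
        return reasons
    cmd = event.get("CommandLine", "")
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden window")
    if BYPASS_RE.search(cmd):
        reasons.append("execution policy bypass")
    m = FILE_RE.search(cmd)
    if m:
        drive = re.match(r"([A-Za-z]):\\", m.group(1))
        if drive and drive.group(1).upper() not in SYSTEM_DRIVES:
            reasons.append("script on non-system drive " + drive.group(1).upper() + ":")
    if ENCODED_RE.search(cmd):
        reasons.append("encoded command")
    if event.get("ParentImage", "").lower().endswith("\\explorer.exe"):
        reasons.append("parent is explorer.exe (consistent with a double-clicked shortcut)")
    return reasons


def is_suspicious(reasons):
    """Alert only on concealment + bypass + an untrusted script source."""
    untrusted_source = any(
        r.startswith("script on non-system drive") or r == "encoded command" for r in reasons
    )
    return "hidden window" in reasons and "execution policy bypass" in reasons and untrusted_source


def scan(events):
    """Return (index, reasons) for every event that should raise an alert."""
    alerts = []
    for i, event in enumerate(events):
        reasons = analyze_event(event)
        if is_suspicious(reasons):
            alerts.append((i, reasons))
    return alerts


if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS):
        print(f"event {i}: " + "; ".join(reasons))
```

The second sample event is the important negative case: many legitimate scheduled tasks pass `-ExecutionPolicy Bypass`, so alerting on that switch alone produces noise. Requiring the hidden window and a script sourced from a non-system drive (or an encoded command) keeps the rule focused on the shortcut-launch behaviour described in the article.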

Timeline

From the beginning of 2023, the threat actor replaced GitHub with Vimeo, a video-sharing website. A video was uploaded to Vimeo whose description contained the hard-coded payload. However, this video has now been removed. Additionally, the Vimeo URL was embedded within the explorer.ps1 script.

In mid-December 2023, it was discovered that the threat actor had been using Ars Technica by means of an image embedded with the payload. As a backup, the threat actor had also updated the EMPTYSPACE serving URL, which contained an additional string.

Furthermore, several variants of the EMPTYSPACE loader were used by the threat actor, such as the Node.js version, the .NET version and the Python version, alongside QUIETBOARD.

This Python-based backdoor is capable of arbitrary code execution, cryptocurrency theft, USB drive infection, screenshotting, information gathering and C2 communications.

Indicators of Compromise

Host-based IOCs

  • explorer.ps1 (PowerShell script)
    SHA-256: 72f1ba6309c98cd52ffc99dd15c45698dfca2d6ce1ef0bf262433b5dfff084be
             98594dfae6031c9bdf62a4fe2e2d2821730115d46fca61da9a6cc225c6c4a750
             d09d1a299c000de6b7986078518fa0defa3278e318c7f69449c02f177d3228f0
             7c793cc33721bae13e200f24e8d9f51251dd017eb799d0172fd647acab039027
             6fb4945bb73ac3f447fb7af6bd2937395a067a6e0c0900886095436114a17443
  • %TEMP%\Runtime Broker.exe (EMPTYSPACE downloader, Node.js variant)
    SHA-256: a4f20b60a50345ddf3ac71b6e8c5ebcb9d069721b0b0edc822ed2e7569a0bb40
  • Runtime Broker.exe (EMPTYSPACE downloader, .NET variant)
    SHA-256: 8a492973b12f84f49c52216d8c29755597f0b92a02311286b1f75ef5c265c30d
  • C:\Program Files (x86)\WinSoft Update Service\bootstrap.pyc (EMPTYSPACE downloader, Python variant)
    SHA-256: V1: 060882f97ace7cb6238e714fd48b3448939699e9f085418af351c42b401a1227
             V2: 8c25b73245ada24d2002936ea0f3bcc296fdcc9071770d81800a2e76bfca3617
             V3: b9ffba378d4165f003f41a619692a8898aed2e819347b25994f7a5e771045217
             V4: 84674ae8db63036d1178bb42fa5d1b506c96b3b22ce22a261054ef4d021d2c69
  • C:\Program Files (x86)\WinSoft Update Service\program.pyz (QUIETBOARD backdoor)
    SHA-256: 15d977dae1726c2944b0b4965980a92d8e8616da20e4d47d74120073cbc701b3
             26d93501cb9d85b34f2e14d7d2f3c94501f0aaa518fed97ce2e8d9347990decf
             26e943db620c024b5e87462c147514c990f380a4861d3025cf8fc1d80a74059a
  • C:\Windows\runtimebroker .exe (QUIETBOARD associated file)
    SHA-256: 71c9ce52da89c32ee018722683c3ffbc90e4a44c5fba2bd674d28b573fba1fdc
  • C:\Program Files (x86)\pyt37\python37.zip (QUIETBOARD associated file)
    SHA-256: 539a79f716cf359dceaa290398bc629010b6e02e47eaed2356074bffa072052f

Network-based IOCs

URL

  • hxxps://bobsmith.apiworld[.]cf/license.php
  • hxxps://arstechnica[.]com/civis/contributors/frncbf22.1062014/about/
  • hxxps://evinfeoptasw.dedyn[.]io/updater.php
  • hxxps://wjecpujpanmwm[.]tk/updater.php?from=USB1
  • hxxps://eldi8.github[.]io/src.txt
  • hxxps://evh001.gitlab[.]io/src.txt
  • hxxps://vimeo[.]com/api/v2/video/804838895.json
  • hxxps[://]huge[.]ga/wp-admin[.]php
  • hxxp[://]studiofotografico35mm[.]altervista[.]org/updater[.]php
  • hxxp[://]ncnskjhrbefwifjhww[.]tk/updater[.]php
  • hxxp[://]geraldonsboutique[.]altervista[.]org/updater[.]php
  • hxxps[://]wjecpujpanmwm[.]tk/updater[.]php
  • hxxps[://]captcha[.]grouphelp[.]high/updater[.]php
  • hxxps[://]captcha[.]tgbot[.]it/updater[.]php
  • hxxps://luke.compeyson.eu[.]org/runservice/api/public.php
  • hxxps[://]luke[.]compeyson[.]eu[.]org/wp-admin[.]php
  • hxxps://luke.compeyson.eu[.]org/runservice/api/public_result.php
  • hxxps://eu1.microtunnel[.]it/c0s1ta/index.php
  • hxxps[://]davebeerblog[.]eu[.]org/wp-admin[.]php
  • hxxps://lucaespo.altervista[.]org/updater.php
  • hxxps://lucaesposito.herokuapp[.]com/c0s1ta/index.php
  • hxxps://euserv3.herokuapp[.]com/c0s1ta/index.php
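The network indicators above are defanged and mix attacker-controlled hosts with paths on legitimate platforms (GitHub Pages, GitLab Pages, Vimeo, Ars Technica). Matching them naively by hostname would block or alert on every visit to those platforms. The following is an added example, not code from the original article or from Mandiant: it refangs the indicators and matches proxy log lines, using the full URL for shared platforms and the hostname for everything else. The indicator subset is copied from the list above; the SHARED_PLATFORMS set and the log lines are constructed assumptions.

```python
"""Refang the article's defanged URL indicators and match them against proxy logs.

Added example, not from the original article or from Mandiant. The indicator
subset is copied from the article; the platform list and log lines are
constructed for illustration.
"""
from urllib.parse import urlsplit

# Subset of the defanged indicators listed in the article.
DEFANGED_IOCS = [
    "hxxps://bobsmith.apiworld[.]cf/license.php",
    "hxxps://arstechnica[.]com/civis/contributors/frncbf22.1062014/about/",
    "hxxps://evinfeoptasw.dedyn[.]io/updater.php",
    "hxxps://eldi8.github[.]io/src.txt",
    "hxxps://vimeo[.]com/api/v2/video/804838895.json",
    "hxxps[://]huge[.]ga/wp-admin[.]php",
    "hxxps://eu1.microtunnel[.]it/c0s1ta/index.php",
]

# Assumed list of platforms where a hostname alone is not a usable indicator:
# only the exact staging URL is meaningful there.
SHARED_PLATFORMS = {"github.io", "gitlab.io", "vimeo.com", "arstechnica.com",
                    "herokuapp.com", "altervista.org"}

# Constructed proxy log lines: "<timestamp> <client_ip> <method> <url>".
SAMPLE_PROXY_LOG = [
    "2024-01-30T10:00:01Z 10.0.0.5 GET https://vimeo.com/api/v2/video/804838895.json",
    "2024-01-30T10:00:02Z 10.0.0.6 GET https://vimeo.com/",
    "2024-01-30T10:00:03Z 10.0.0.7 POST https://evinfeoptasw.dedyn.io/updater.php?v=2",
    "2024-01-30T10:00:04Z 10.0.0.8 GET https://example.com/index.html",
]


def refang(ioc):
    """Undo the common defanging conventions used in the article."""
    return ioc.replace("hxxp", "http").replace("[://]", "://").replace("[.]", ".")


def is_shared_platform(host):
    return any(host == p or host.endswith("." + p) for p in SHARED_PLATFORMS)


def url_key(url):
    """Return (hostname, normalised host+path+query) for comparison."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    return host, host + p.path + ("?" + p.query if p.query else "")


def build_matchers(defanged):
    """Split indicators into exact-URL keys and standalone hostnames."""
    urls, hosts = set(), set()
    for ioc in defanged:
        host, key = url_key(refang(ioc))
        urls.add(key)
        if not is_shared_platform(host):
            hosts.add(host)
    return urls, hosts


def match_log(lines, urls, hosts):
    """Return (client, host, match_type) for each log line that hits an indicator."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # malformed line; skip rather than guess
        _, client, _, url = fields
        host, key = url_key(url)
        if key in urls:
            hits.append((client, host, "url"))
        elif host in hosts:
            hits.append((client, host, "host"))
    return hits


if __name__ == "__main__":
    urls, hosts = build_matchers(DEFANGED_IOCS)
    for client, host, kind in match_log(SAMPLE_PROXY_LOG, urls, hosts):
        print(f"{client} -> {host} ({kind} match)")
```

The third log line shows why attacker-controlled hosts are matched by name: a query string or a changed path on the same domain still hits. The second line shows the opposite for a shared platform: plain browsing of vimeo.com is not a match, only the specific API path the article lists.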

Source credit : cybersecuritynews.com
