Chinese hackers no longer attack computers directly – they infect them via USB drives

The new WispRider malware is capable of self-propagating on flash drives in Russia, India and other countries.

Security researchers at Check Point discovered that the Chinese group Camaro Dragon (Mustang Panda) is using a new strain of malware that spreads via compromised USB drives.

Check Point has detected infections in Myanmar, South Korea, the UK, India and Russia. The company said the discovery traces back to a cyber incident that Check Point investigated at an unnamed European hospital in early 2023.

The investigation showed that the hospital was not attacked directly: it was compromised through an employee’s USB drive, which had been infected when it was plugged into a colleague’s computer at a conference in Asia. When the employee returned to the medical facility in Europe and inserted the infected drive, the infection spread to the hospital’s computer systems.

The infection chain consists of:

  • the HopperTick launcher (written in Delphi), which spreads via USB drives;
  • the WispRider payload, which is responsible for infecting any USB devices that are connected.

According to the Check Point report, when a USB drive is inserted into an infected computer, the malware detects it and manipulates the files on the drive, creating several hidden folders at the root of the USB drive. WispRider also establishes a connection to a remote C2 server.
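The observable the report gives defenders is concrete: hidden folders appear at the root of a drive that has touched an infected host. The following script, added here as an illustration and not Check Point's tooling, triages a mounted removable drive for exactly that artifact. It assumes the staged launcher is a Windows executable or script (the extension list is an assumption), treats a folder as hidden either by the Windows FILE_ATTRIBUTE_HIDDEN flag or by the leading-dot convention, and builds a constructed sample drive layout in a temp directory when no drive path is given, so it runs offline. It flags the artifact pattern only; it does not identify WispRider itself.

```python
"""Triage a mounted removable drive for the USB artifacts the article
describes: hidden folders created at the drive root and executable
payloads staged inside them. Added, hypothetical helper; it is not
Check Point's tooling and does not identify WispRider specifically."""
import os
import stat
import sys
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Assumption: the launcher/payload copied to the drive is a Windows PE or a
# script; only files with these extensions are reported inside hidden folders.
SUSPECT_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js"}


@dataclass
class Finding:
    path: str
    reason: str


def is_hidden(entry: os.DirEntry) -> bool:
    """Hidden by the Windows attribute (FILE_ATTRIBUTE_HIDDEN) or by the
    leading-dot convention used on Unix-like hosts."""
    if entry.name.startswith("."):
        return True
    try:
        attrs = entry.stat(follow_symlinks=False).st_file_attributes
    except AttributeError:  # st_file_attributes exists only on Windows
        return False
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def triage_drive_root(root) -> list[Finding]:
    """Scan only the drive root (where the report says the folders are
    created) and one level into any hidden folder found there."""
    findings: list[Finding] = []
    with os.scandir(root) as entries:
        for entry in entries:
            if not (entry.is_dir(follow_symlinks=False) and is_hidden(entry)):
                continue
            findings.append(Finding(entry.path, "hidden folder at drive root"))
            with os.scandir(entry.path) as children:
                for child in children:
                    ext = Path(child.name).suffix.lower()
                    if child.is_file(follow_symlinks=False) and ext in SUSPECT_EXT:
                        findings.append(
                            Finding(child.path, f"{ext} file inside hidden root folder")
                        )
    return findings


def build_sample_drive() -> str:
    """Constructed sample layout for an offline run (not a real capture):
    one visible Documents folder and one hidden folder holding an .exe."""
    root = tempfile.mkdtemp(prefix="usb_demo_")
    docs = Path(root, "Documents")
    docs.mkdir()
    (docs / "notes.docx").write_bytes(b"demo document")
    hidden = Path(root, ".stage")  # leading dot: hidden on every platform here
    hidden.mkdir()
    (hidden / "launcher.exe").write_bytes(b"MZ demo, not a real binary")
    return root


if __name__ == "__main__":
    # Usage: python triage_usb.py E:\  (or any mount point); no argument
    # runs against the constructed sample drive.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_drive()
    for f in triage_drive_root(target):
        print(f"{f.reason}: {f.path}")
```

Pointing the script at a drive mounted read-only (or at a forensic image's mount point) keeps the triage from altering timestamps on the evidence; a hit on a drive that has been used at an external site is a reason to quarantine it before it is inserted into any corporate host.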

Figure: Camaro Dragon infection chain

Some variants of WispRider function as a backdoor that can bypass the Indonesian antivirus program “Smadav”; they also perform DLL sideloading using components of the G-DATA Total Security software.

Another payload delivered with WispRider is an infostealer module, which stages files with predefined extensions (such as docx, mp3, wav, m4a, wma, aac, cda and mid) for exfiltration.

The development is a sign that attackers are actively changing their techniques, tactics and procedures (TTPs) to circumvent security solutions while relying on a vast array of custom tools to steal sensitive data from victims’ networks.

Camaro Dragon (Mustang Panda) has previously drawn attention for its highly unusual way of hiding its activity. The hackers used a custom “Horse Shell” firmware implant that turned TP-Link routers into a network for exchanging commands with C2 servers.

In this way the attackers masked their actions, using infected home routers as intermediate infrastructure that lets them communicate with infected computers through another node.

Earlier, Check Point specialists linked Camaro Dragon to the new TinyNote malware, which is used for intelligence gathering. The TinyNote backdoor is disguised as an office document and is likely aimed at Southeast and East Asian embassies.

Source: www.securitylab.ru