The Chinese cyber espionage actor known as Camaro Dragon has been observed using a new self-propagating malware strain that spreads via compromised USB drives.
“While their main focus has traditionally been Southeast Asian countries, this latest discovery reveals their global reach and highlights the worrying role that USB drives play in spreading malware,” Check Point said in new research shared with The Hacker News.
The cybersecurity firm, which found evidence of USB malware infection in Myanmar, South Korea, the UK, India and Russia, said the findings were the result of a cyber incident it investigated at an unnamed European hospital in early 2023.
The investigation found that the entity had not been targeted directly by adversaries but experienced the breach via an employee’s USB drive, which was infected when plugged into a colleague’s computer at a conference in Asia.
“As a result, while returning to a healthcare institution in Europe, the employee accidentally inserted an infected USB drive, which led to the spread of infection to the hospital’s computer system,” the company said.
Camaro Dragon shares tactical similarities with activity clusters tracked as Mustang Panda and LuminousMoth, and the group has recently been linked to a Go-based backdoor called TinyNote and a malicious router firmware implant called HorseShell.
The latest infection chain consists of a Delphi launcher known as HopperTick that is spread via USB drives and its main payload dubbed WispRider, which is responsible for infecting devices when attached to a machine.
“When a benign USB thumb drive is inserted into the infected computer, the malware detects the new device inserted into the PC and manipulates its files, creating several hidden folders in the root of the thumb drive,” Check Point researchers said.
WispRider, in addition to infecting the current host if it hasn’t already, is in charge of communicating with remote servers, compromising newly connected USB devices, executing arbitrary commands, and performing file operations.
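The two paragraphs above describe the observable side of the infection: a benign thumb drive plugged into an infected host comes back with several hidden folders created in its root. The following is an added triage example written for this page, not Check Point's tooling and not a reimplementation of the malware. It turns that description into a heuristic scan of a drive root: flag hidden folders that Windows itself would not create, executable-type files inside them, and executable-type files sitting in the root. The allowlist of benign hidden folders, the extension set, and the constructed sample layout are all assumptions; the page does not document WispRider's exact file layout.

```python
"""Heuristic triage of a removable drive's root for hidden-folder staging.

Added example for this page (not Check Point's detection logic). The only
behaviour taken from the report is: the malware creates several hidden
folders in the root of a freshly inserted thumb drive. Everything else
(allowlist, extension set, sample layout) is an assumption.
"""
import os
import stat
import tempfile
from pathlib import Path

# Folders Windows legitimately hides in a drive root (assumption / allowlist).
BENIGN_HIDDEN = {"System Volume Information", "$RECYCLE.BIN", "$Recycle.Bin"}

# Extensions that should not normally sit in a thumb drive's root or in a
# hidden folder (assumption; extend to taste).
EXEC_EXT = {".exe", ".dll", ".lnk", ".scr", ".cmd", ".bat", ".vbs", ".js"}


def is_hidden(p: Path) -> bool:
    """True if the entry carries the Windows hidden attribute or a dot prefix."""
    st = p.lstat()
    attrs = getattr(st, "st_file_attributes", 0)  # only populated on Windows
    win_hidden = bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))
    return win_hidden or p.name.startswith(".")


def scan_drive_root(root) -> list:
    """Return (finding_type, relative_path) tuples for suspicious root entries."""
    root = Path(root)
    findings = []
    for entry in sorted(root.iterdir()):
        rel = entry.relative_to(root).as_posix()
        if entry.is_dir():
            if is_hidden(entry) and entry.name not in BENIGN_HIDDEN:
                findings.append(("hidden_dir", rel))
                # Anything executable staged inside a hidden root folder is
                # the strongest signal this heuristic can give.
                for f in sorted(entry.rglob("*")):
                    if f.is_file() and f.suffix.lower() in EXEC_EXT:
                        findings.append(("exec_in_hidden_dir", f.relative_to(root).as_posix()))
        elif entry.is_file() and entry.suffix.lower() in EXEC_EXT:
            findings.append(("exec_in_root", rel))
    return findings


def hide(p: Path) -> None:
    """Set the Windows hidden attribute; on POSIX the dot prefix does the job."""
    if os.name == "nt":
        import ctypes
        ctypes.windll.kernel32.SetFileAttributesW(str(p), 0x02)  # FILE_ATTRIBUTE_HIDDEN


def build_sample_drive() -> str:
    """Constructed sample layout (not a real infected drive) to exercise the scanner."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    staging = root / ".staging"            # hidden folder an attacker might plant
    staging.mkdir()
    (staging / "launcher.exe").write_bytes(b"MZ")
    (staging / "notes.docx").write_bytes(b"")
    svi = root / "System Volume Information"  # legitimate hidden folder
    svi.mkdir()
    hide(svi)
    (root / "Drive.exe").write_bytes(b"MZ")    # executable dropped in the root
    (root / "report.docx").write_bytes(b"")    # ordinary user document
    return str(root)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_drive()
    for kind, path in scan_drive_root(target):
        print(f"{kind:20s} {path}")
```

Run it with a mounted drive letter or mount point as the argument (for example `python scan.py E:\`); with no argument it scans the constructed sample. The allowlist matters: `System Volume Information` and the recycle bin are hidden on every NTFS/FAT volume Windows has touched, so a scan without it would alert on every clean drive.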
Certain variants of WispRider also function as a backdoor with the ability to bypass the Indonesian antivirus solution called Smadav as well as side-load DLLs using components from security software such as G-DATA Total Security.
Another post-exploitation payload that ships with WispRider is a stealer module called Disk Monitor (HPCustPartUI.dll), which stages files with predefined extensions (i.e., docx, mp3, wav, m4a, wma, aac, cda, and mid) for exfiltration.
This is not the first time a Chinese threat actor has been seen leveraging USB devices as an infection vector to reach environments far removed from the actor's primary area of interest.
In November 2022, Google-owned Mandiant linked UNC4191, a suspected Chinese threat actor, to a series of espionage attacks in the Philippines that led to the spread of malware such as MISTCLOAK, DARKDEW, and BLUEHAZE.
A subsequent report from Trend Micro in March 2023 revealed overlaps between UNC4191 and Mustang Panda, attributing to the latter the use of MISTCLOAK and BLUEHAZE in spear-phishing campaigns targeting countries in Southeast Asia.
The development is a sign that threat actors are actively changing their tactics, techniques, and procedures (TTPs) to bypass security solutions, while simultaneously relying on large sets of specialized tools to extract sensitive data from victims' networks.
“The Camaro Dragon APT Group continues to use USB devices as a method for infecting targeted systems, effectively combining this technique with other established tactics,” the researchers said.