A financially motivated threat actor using USB devices for initial infection has been found abusing legitimate online platforms, including GitHub, Vimeo, and Ars Technica, to host encoded payloads embedded in seemingly benign content.
The attackers hide these payloads in plain sight, placing them in forum user profiles on tech news sites or video descriptions on media hosting platforms.
Viewed on those pages, the payloads pose no risk to visitors: they are just text strings. Only when fetched by the campaign's loader do they become the step that locates and retrieves the next stage of malware.
The attack begins with victims double-clicking a malicious LNK shortcut file on a USB drive.
It is not known how the malicious USB devices make it to targeted victims to start the attack chain.
The shortcut launches a PowerShell script (a .ps1 file), which in turn fetches an intermediary payload from one of the abused sites. These intermediary payloads are text strings that decode into a URL from which the next stage, the malware downloader 'EMPTYSPACE', is downloaded and installed. UNC4990 has tried several approaches to hosting them, initially using encoded text files on GitHub and GitLab and later switching to Vimeo and Ars Technica, where the strings are Base64-encoded and AES-encrypted.
Mandiant notes that the attackers do not exploit a vulnerability in these sites but simply employ regular site features, like an About page in an Ars Technica forum profile or a Vimeo video description, to covertly host the obfuscated payload without raising suspicion.
These payloads do not directly threaten the visitors of the abused sites as they are just harmless text strings, and all cases documented by Mandiant have now been removed from the impacted intermediary platforms.
The advantage of hosting the payloads on legitimate and reputable platforms is that they are trusted by security systems, reducing the likelihood of them being flagged as suspicious.
Embedding the payloads within legitimate content and mixing it with high volumes of legitimate traffic makes it more difficult to pinpoint and remove the malicious code.
The PowerShell script decodes and decrypts the intermediary string fetched from the legitimate site, recovers the URL it contains, and downloads EMPTYSPACE onto the infected system, which then establishes communication with the campaign's command and control server.
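To make the dead-drop mechanism described above concrete, here is an added example in PowerShell (the language of the loader script the article describes). It is not UNC4990's code and not taken from the Mandiant report: the AES key and IV, the use of AES-CBC with PKCS7 padding, the `[[ ... ]]` marker strings that delimit the blob, the placeholder URL and the fake "About page" text are all constructed assumptions, and the `Find-SuspiciousBase64` heuristic is an illustrative hunting check of my own, not a documented detection. The script encrypts and Base64-encodes a URL, plants it in benign-looking profile text, then performs the loader-side extraction and decryption, and finally shows how a defender without the key can still flag the blob by its shape.

```powershell
# Added example, not UNC4990's or Mandiant's code. Key, IV, cipher mode, marker strings,
# URL and the "About page" text below are all constructed assumptions.
$Key = [Text.Encoding]::UTF8.GetBytes('ExampleKey-32-bytes-long-AES256!')   # 32 bytes = AES-256 (assumed)
$IV  = [Text.Encoding]::UTF8.GetBytes('ExampleIV-16byte')                   # 16 bytes = AES block size

function New-AesCbc {
    # Shared AES-CBC/PKCS7 setup for both directions. CBC and PKCS7 are assumptions;
    # the article only says the strings are "AES-encrypted".
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = $Key
    $aes.IV  = $IV
    return $aes
}

function Protect-Url {
    # Attacker side: AES-encrypt the next-stage URL, then Base64 it so it survives as plain text
    # inside a forum profile or video description.
    param([string]$Url)
    $aes    = New-AesCbc
    $plain  = [Text.Encoding]::UTF8.GetBytes($Url)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    $aes.Dispose()
    return [Convert]::ToBase64String($cipher)
}

function Unprotect-Url {
    # Loader side: reverse the chain. Base64-decode, AES-decrypt, recover the URL string.
    param([string]$Blob)
    $aes    = New-AesCbc
    $cipher = [Convert]::FromBase64String($Blob)
    $plain  = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    $aes.Dispose()
    return [Text.Encoding]::UTF8.GetString($plain)
}

function Get-DeadDropBlob {
    # Pull the blob out of the page text between two marker strings. The markers are an
    # assumption; the article does not describe how the real campaign delimits its strings.
    param([string]$PageText, [string]$Start = '[[', [string]$End = ']]')
    $pattern = [regex]::Escape($Start) + '([A-Za-z0-9+/=]+)' + [regex]::Escape($End)
    $m = [regex]::Match($PageText, $pattern)
    if (-not $m.Success) { return $null }
    return $m.Groups[1].Value
}

function Find-SuspiciousBase64 {
    # Defender side (heuristic, assumed): a defender has no key, but an encrypted dead drop still
    # has a shape. Flag Base64 runs that decode to bytes which are mostly not printable ASCII.
    param([string]$Text, [int]$MinLength = 32, [double]$NonTextThreshold = 0.3)
    $hits = @()
    foreach ($m in [regex]::Matches($Text, '[A-Za-z0-9+/]{' + $MinLength + ',}={0,2}')) {
        try { $bytes = [Convert]::FromBase64String($m.Value) } catch { continue }   # not valid Base64
        $nonText = @($bytes | Where-Object { $_ -lt 0x20 -or $_ -gt 0x7e }).Count
        $ratio   = $nonText / $bytes.Length
        if ($ratio -gt $NonTextThreshold) {
            $hits += [pscustomobject]@{ Offset = $m.Index; Length = $m.Length; NonTextRatio = [math]::Round($ratio, 2) }
        }
    }
    return $hits
}

# Constructed stand-in for a forum profile "About" page or a video description.
$nextStage = 'https://example.invalid/emptyspace-stage'   # assumed placeholder, not a real URL
$blob      = Protect-Url $nextStage
$pageText  = @"
Hi, I'm a hobbyist who likes retro hardware and mechanical keyboards.
Favourite quote: [[${blob}]]
Feel free to DM me about old ThinkPads.
"@

# Loader path: extract, decode, decrypt.
$recovered = Unprotect-Url (Get-DeadDropBlob $pageText)
"Recovered next-stage URL: $recovered"
if ($recovered -ne $nextStage) { throw 'round-trip failed' }

# Defender path: no key, only the shape of the blob.
Find-SuspiciousBase64 $pageText | Format-Table -AutoSize
```

Two practical caveats follow from the example. First, the heuristic is only useful when you already have the page content in hand (for example a proxy log with response bodies, or a hunt over profiles on a site you operate); from the network side the loader's fetch is an ordinary HTTPS request to a reputable domain, which is exactly why the technique works. Second, the stronger endpoint signal is the chain itself: a shortcut file on removable media spawning PowerShell, which then makes a web request and writes an executable, is a sequence that stands out regardless of which legitimate site served the string.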
In the subsequent phases of the attack, EMPTYSPACE downloads a backdoor named 'QUIETBOARD,' as well as crypto coin miners that mine Monero, Ethereum, Dogecoin, and Bitcoin.
Despite seemingly straightforward prevention measures, such as restricting removable media, USB-based malware continues to pose a significant threat and serves cybercriminals as an effective propagation medium.
As for the tactic of abusing legitimate sites to plant intermediate payloads, it shows that threats can lurk in unexpected, seemingly innocuous locations, and that reputation-based allowlisting of well-known domains is not on its own a defence against them.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 31 Jan 2024 22:35:09 +0000