Did you think that devices with no connection to a local or any other network (air-gapped devices) are safe? Think again. The recently disclosed USBCulprit malware, used by a group known as Cycldek, Conimes or Goblin Panda, is designed to reach exactly such isolated machines over USB.
Cycldek is a Chinese APT group that has long targeted Southeast Asian countries in order to steal government information and state secrets.
The group has shown interest in "large organizations and government agencies in Vietnam," according to Kaspersky's new report on the USBCulprit malware.
For example, in 2013 the security company CrowdStrike reported that the group had compromised "defense, energy and government sectors" in disputed territories of Southeast Asia. At the time, the group exploited CVE-2012-0158 to deliver malware through malicious Microsoft Word documents.
In the years that followed, the group continued to expand its arsenal, using RTF documents with political content as lures to deliver remote access Trojans (RATs).
What Kaspersky disclosed this week is a purpose-built, previously undocumented tool called "USBCulprit", whose capabilities stand out especially when it is used on a system that has no network connection at all.
It arrives on the system via malicious RTF documents or other, as yet unknown, means, performs an extensive scan of the victim's machine and begins collecting documents for exfiltration.
"This tool, which we have seen downloaded by RedCore implants on several occasions, is capable of scanning various paths on victims' machines, collecting documents with specific extensions and passing them on to USB drives when they are connected to the system. It can also selectively copy itself to a removable drive in the presence of a specific file, which suggests that it can spread laterally by infecting designated drives," explains Kaspersky.
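The behaviour described above (a process harvesting document-type files and writing them in a burst onto a removable drive) is something a defender can hunt for in file-creation telemetry. The following script is an added example written for this article, not code from Kaspersky's report or from the malware; the event format, the set of "document" extensions, the removable drive letters, the thresholds and the sample events are all constructed assumptions for the demonstration.

```python
"""Hunt for document-staging bursts onto removable drives.

Added example; not part of the Kaspersky report. All thresholds, drive letters,
extensions and sample events below are assumptions made for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumption: which extensions count as "documents" worth stealing.
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf"}
# Assumption: drive letters the host has mapped to removable media.
REMOVABLE_DRIVES = {"E:", "F:"}
# Assumption: how many documents within what window count as a staging burst.
BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 5

# Constructed file-creation events ("timestamp|process|path"), standing in for
# EDR or Sysmon FileCreate telemetry. Not real data.
SAMPLE_EVENTS = """\
2020-06-04T09:00:01|C:\\Windows\\explorer.exe|E:\\holiday.jpg
2020-06-04T09:00:05|C:\\Windows\\explorer.exe|E:\\notes.docx
2020-06-04T09:12:00|C:\\Users\\Public\\update.exe|E:\\report1.docx
2020-06-04T09:12:02|C:\\Users\\Public\\update.exe|E:\\report2.docx
2020-06-04T09:12:03|C:\\Users\\Public\\update.exe|E:\\budget.xlsx
2020-06-04T09:12:07|C:\\Users\\Public\\update.exe|E:\\minutes.pdf
2020-06-04T09:12:09|C:\\Users\\Public\\update.exe|E:\\memo.rtf
2020-06-04T09:12:15|C:\\Users\\Public\\update.exe|E:\\plan.pptx
2020-06-04T09:12:16|C:\\Users\\Public\\update.exe|E:\\tools.exe
2020-06-04T09:30:00|C:\\Users\\alice\\AppData\\Local\\Temp\\tmp.exe|C:\\Users\\alice\\Documents\\a.docx
"""


def parse_events(text):
    """Parse the constructed pipe-separated event lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, process, path = line.split("|", 2)
        events.append({"ts": datetime.fromisoformat(ts), "process": process, "path": path})
    return events


def find_staging_bursts(events):
    """Return one finding per (process, removable drive) that wrote at least
    BURST_THRESHOLD document files within any BURST_WINDOW-long interval."""
    groups = defaultdict(list)
    for ev in events:
        p = PureWindowsPath(ev["path"])
        drive = p.drive.upper()
        if drive in REMOVABLE_DRIVES and p.suffix.lower() in DOC_EXTENSIONS:
            groups[(ev["process"], drive)].append(ev["ts"])

    findings = []
    for (process, drive), times in groups.items():
        times.sort()
        start, best = 0, 0
        # Sliding window: largest number of document writes inside BURST_WINDOW.
        for end in range(len(times)):
            while times[end] - times[start] > BURST_WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= BURST_THRESHOLD:
            findings.append({"process": process, "drive": drive, "documents": best})
    return findings


if __name__ == "__main__":
    for f in find_staging_bursts(parse_events(SAMPLE_EVENTS)):
        print(f"{f['process']} wrote {f['documents']} documents to {f['drive']} "
              f"within {BURST_WINDOW.seconds}s")
```

Two caveats apply. A volume threshold like this will also fire on a user legitimately backing up a folder to a USB stick, so in practice the finding should be enriched with the writing process's signer, path and parent. And, as the Kaspersky quote notes, the tool copies selectively when a particular file is present, so a quiet, low-volume copy may slip under a pure burst threshold; the process identity is the stronger signal.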
RedCore and BlueCore are the names Kaspersky uses for the two distinct variants (activity clusters) of malware developed by the group.
Kaspersky's report includes a full diagram of how the two variants, RedCore and BlueCore, operate and share information as a well-coordinated "cluster".
Both variants have been attributed to the Cycldek group.
"Furthermore, taking into account both the differences and the similarities, we can conclude that the activities we saw are related to a single group, which we call Cycldek. In several cases, we have identified unique tools created by the group that were downloaded from servers of both groups… Overall, this suggests that the entities behind all of these share many resources, both code and infrastructure, and operate under a single organizational umbrella."