Did you think that devices with no connection to a local or any other network (air-gapped devices) are safe? Think again. The recently unveiled USBCulprit malware, used by a group known as Cycldek, Conimes or Goblin Panda, is designed to compromise exactly such isolated devices by way of USB drives.
Cycldek is a Chinese APT group that has for years targeted Southeast Asian countries in order to steal government information and state secrets.
The group has shown an interest in "major organizations and government institutions in Vietnam," according to a new Kaspersky report on the USBCulprit malware.
For example, in 2013 the security company CrowdStrike reported that the group had hacked the "defense, energy and government sectors" in disputed territories in Southeast Asia. At the time, the group used exploits for CVE-2012-0158 to spread malware through malicious Microsoft Word documents.
In the years that followed, the group continued to expand its arsenal, using RTF documents with political content to deliver remote access Trojans (RATs).
What Kaspersky revealed this week is a purpose-built, stealthy tool called "USBCulprit", whose capabilities have evolved specifically for use against systems that are not connected to a local or any other network.
It enters the system through RTF documents or other, as yet unknown, vectors, performs an extensive scan of the victim's system and begins collecting documents.
"This tool, which we've seen downloaded from RedCore implants on several occasions, is able to scan various paths on victims' machines, to collect documents with specific extensions and transfer them to USB drives when they are connected to the system. It can also make a selective copy to a removable drive in the presence of a specific file, which suggests that it could spread laterally, having infected certain drives," Kaspersky explains.
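The behaviour Kaspersky describes above (sweep the disk for documents by extension, then stage them onto a removable drive once one is plugged in) leaves a pattern a defender can look for: a single process writing many document files to removable media within a short window, far faster than a person dragging files in Explorer. The following detection heuristic is an added example written for this article; it is not code from Kaspersky, from the report, or from the malware. The event schema, the document extension list (the report only says "specific extensions"), the thresholds, the process name `collector.exe` and all sample events are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Assumed extension set: the report only says "documents with specific extensions".
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf"}


@dataclass(frozen=True)
class FileEvent:
    """One file write as an EDR/Sysmon-style sensor might record it (constructed schema)."""
    ts: datetime
    pid: int
    image: str       # process image name
    path: str        # destination path of the write
    removable: bool  # True if the destination volume is removable media


def is_document(path: str) -> bool:
    """True if the file extension is in the watched document set (case-insensitive)."""
    dot = path.rfind(".")
    return dot != -1 and path[dot:].lower() in DOC_EXTS


def find_staging_bursts(events: Iterable[FileEvent], min_files: int = 5,
                        window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Flag each process that writes at least `min_files` distinct document files
    to removable media inside `window`. Writes to fixed disks and non-document
    files are ignored. Returns one alert per offending pid, raised at the first
    moment the threshold is crossed."""
    by_pid: Dict[int, List[FileEvent]] = defaultdict(list)
    for e in events:
        if e.removable and is_document(e.path):
            by_pid[e.pid].append(e)

    alerts: List[Dict] = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Slide the window so that evs[start:end+1] all fall within `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            distinct = {e.path.lower() for e in evs[start:end + 1]}
            if len(distinct) >= min_files:
                alerts.append({
                    "pid": pid,
                    "image": evs[end].image,
                    "files": len(distinct),
                    "first": evs[start].ts,
                    "last": evs[end].ts,
                })
                break  # one alert per process is enough
    return alerts


# Constructed sample telemetry.
T0 = datetime(2020, 6, 4, 10, 0, 0)
SAMPLE_EVENTS = [
    # A user copying two reports to a USB stick with Explorer: low-volume, benign.
    FileEvent(T0, 1234, "explorer.exe", r"E:\Q2-report.docx", True),
    FileEvent(T0 + timedelta(minutes=3), 1234, "explorer.exe", r"E:\budget.xlsx", True),
    # A document saved to the fixed disk: not removable media, ignored.
    FileEvent(T0 + timedelta(minutes=4), 1234, "explorer.exe",
              r"C:\Users\a\Documents\notes.docx", False),
    # Photos written to the stick: not a watched extension, ignored.
    FileEvent(T0 + timedelta(minutes=5), 1234, "explorer.exe", r"E:\holiday.jpg", True),
]
# Hypothetical collector process (the name is invented) sweeping six PDFs onto the
# stick in 25 seconds, the staging pattern described in the report.
SAMPLE_EVENTS += [
    FileEvent(T0 + timedelta(minutes=10, seconds=5 * i), 4321, "collector.exe",
              rf"E:\stage\doc{i}.pdf", True)
    for i in range(6)
]

if __name__ == "__main__":
    for alert in find_staging_bursts(SAMPLE_EVENTS):
        print(f"pid {alert['pid']} ({alert['image']}) wrote {alert['files']} documents "
              f"to removable media between {alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}")
```

With the defaults, Explorer's two copies three minutes apart never reach the threshold and only the collector is flagged; widening the window to five minutes and lowering `min_files` to 2 would flag both, which is the usual trade-off when tuning this kind of rule against real user behaviour.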
RedCore and BlueCore are the names Kaspersky uses for the two distinct variants of the malware developed by the group.
Kaspersky's report includes a full diagram of how the RedCore and BlueCore variants operate and share information as a well-coordinated "complex".
Both variants have been attributed to the Cycldek group.
"Furthermore, given both the differences and the similarities, we can conclude that the activities we saw are linked to a group we call Cycldek. In several cases, we have identified unique tools created by the group that were obtained from the servers of both groups... Overall, this suggests that the entities operating behind all this share many resources, both code and infrastructure, and operate under a single organizational umbrella."