TetrisPhantom Hackers Exploit Secure USB Drives to Steal Data from Government Systems

A highly advanced cyber threat known as ‘TetrisPhantom’ has been utilizing compromised secure USB drives to target government computer systems in the Asia-Pacific area.

Secure USB drives are designed to securely store files in an encrypted section of the device and are used for the safe transfer of data between systems, even in air-gapped environments.

The attackers gain access to the protected partition by utilizing custom software that decrypts the contents using a user-provided password, with one example being UTetris.exe, which is found in an unencrypted portion of the USB drive.

Security experts have identified tampered versions of the UTetris application on secure USB devices as part of an ongoing attack campaign that has been active for several years, primarily focusing on governments in the Asia-Pacific region.
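The defensive lesson of the tampered launcher described above is that the executable sitting on the unencrypted partition enjoys none of the drive's cryptographic protection, so its integrity has to be verified out of band. The script below is an added example, not code from the article, from Kaspersky, or from any drive vendor: it records a SHA-256 manifest of the watched executables on a drive's unencrypted partition and later reports binaries that were modified, removed or newly dropped. The file names, the watched extensions and the placeholder file contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions of files on the unencrypted partition that act as launchers or
# helpers for the secure partition (assumed list; extend to match your drives).
WATCHED_SUFFIXES = {".exe", ".dll", ".sys", ".cmd", ".bat", ".vbs", ".ps1"}


def sha256_of(path: Path, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every watched file under the partition root.

    Keys are paths relative to the root, so the manifest survives a change of
    drive letter or mount point between the baseline and the check.
    """
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in WATCHED_SUFFIXES:
            manifest[path.relative_to(root).as_posix()] = sha256_of(path)
    return manifest


def verify(root: Path, baseline: dict) -> dict:
    """Compare the partition against a trusted baseline manifest.

    Returns the three conditions a reviewer cares about: a known launcher whose
    hash changed (trojanized), a known file that vanished, and a file that was
    not there when the baseline was taken (dropped payload).
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: a fake drive whose launcher is later replaced."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = Path(tmp)  # stands in for the unencrypted partition (constructed)
        launcher = drive / "UTetris.exe"
        launcher.write_bytes(b"MZ-placeholder: vendor launcher (constructed)")
        (drive / "README.txt").write_text("not a watched type")
        baseline = build_manifest(drive)  # taken while the drive is trusted

        # Simulate what the article describes: the launcher is swapped for a
        # tampered copy and an unexpected helper library appears beside it.
        launcher.write_bytes(b"MZ-placeholder: tampered launcher (constructed)")
        (drive / "helper.dll").write_bytes(b"MZ-placeholder: unexpected dll (constructed)")
        return verify(drive, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest is taken when the drive is provisioned and stored somewhere the drive cannot reach (a signed file on the issuing workstation, or a central inventory), and the check runs before the launcher is ever executed; a manifest kept on the drive itself can be rewritten together with the launcher.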

TetrisPhantom employs an array of tools, commands, and malicious components, indicating a highly sophisticated and well-equipped threat group. The attack involving the modified UTetris application begins by executing a payload named AcroShell on the target machine.

AcroShell establishes a communication channel with the attacker’s command and control (C2) server, enabling the retrieval and execution of additional payloads to steal sensitive documents and files, as well as to gather specific information about the USB drives used by the target.

The data collected in this manner is also utilized for the development of another malware strain called XMKR and the altered UTetris.exe. XMKR is capable of stealing files on the targeted device for espionage purposes, with the stolen data being written to the USB drives.

When the compromised USB drive is connected to an internet-connected computer infected with AcroShell, the collected information is exfiltrated to the attacker's server. These attacks have persisted for a number of years. The small number of infections observed on government networks indicates that TetrisPhantom is running a narrowly targeted espionage operation rather than a broad campaign.

In conclusion, the attackers employ advanced tooling, such as AcroShell and XMKR, to exfiltrate data and carry out espionage operations, all while maintaining a low profile with a limited number of infections. This situation underscores the pressing need for enhanced cybersecurity measures and vigilance to protect sensitive government information from such highly skilled threat actors.

To prevent future attacks of this nature, governments and organizations in the Asia-Pacific region and beyond should take several steps to bolster their cybersecurity posture. One is to regularly update and patch systems and software to eliminate vulnerabilities that could be exploited. Additionally, educating employees about the risks of using external USB drives and promoting secure alternatives for transferring data can help mitigate the threat.

Besides that, continuous monitoring and threat intelligence sharing across governmental and industry sectors can aid in the early detection of attacks like TetrisPhantom's, enabling a rapid response that limits damage and prevents further breaches. In today's evolving cyber landscape, proactive cybersecurity measures are essential to safeguard national security and sensitive government data.