A financially motivated threat actor, UNC4990, uses USB devices for initial infection and abuses reputable online platforms, including GitHub, Vimeo, and Ars Technica, to host encoded malware payloads. The novel element is where the content is hidden: in seemingly benign places such as forum user profiles on tech news sites or video descriptions on media hosting platforms.
Despite the payloads appearing as harmless text strings when viewed on these platforms, they play a crucial role in the attacker’s campaign, serving as a component in the attack chain for downloading and executing malware.
UNC4990, active since 2020 and primarily targeting users in Italy, initiates the attack when victims double-click a malicious LNK shortcut file on a USB drive. The launched shortcut executes a PowerShell script, explorer.ps1, leading to the download of an intermediary payload known as ‘EMPTYSPACE,’ responsible for decoding a URL used to download and install malware.
Notably, UNC4990 has experimented with various methods for hosting intermediary payloads, initially using encoded text files on GitHub and GitLab and later turning to platforms like Vimeo and Ars Technica. These platforms are exploited to host Base64 encoded and AES-encrypted string payloads within regular site features, such as an About page in an Ars Technica forum profile or a Vimeo video description.
The researchers emphasize that the attackers do not exploit vulnerabilities on these platforms; they use ordinary site features to host obfuscated payloads without arousing suspicion. While these payloads pose no direct threat to visitors of the hosting sites, they are a crucial link in the attacker’s broader chain.
The advantage of using legitimate platforms lies in the trust they garner from security systems, making it less likely for the payloads to be flagged as suspicious. Additionally, threat actors benefit from the robust content delivery networks and resilience to takedowns provided by these platforms.
By embedding malicious payloads within legitimate content and blending them with high volumes of legitimate traffic, the attackers make it challenging to pinpoint and remove the malicious code. Even in cases where the code is removed, the attackers can easily reintroduce it on a different platform supporting publicly viewable comments or profiles.
The PowerShell script ultimately executes the intermediary payload fetched from these legitimate sites, dropping ‘EMPTYSPACE’ on the infected system. EMPTYSPACE then establishes communication with the command and control (C2) server, initiating the subsequent phases of the attack, in which the ‘QUIETBOARD’ backdoor and cryptocurrency miners (Monero, Ethereum, Dogecoin, and Bitcoin) are downloaded.
The financial motive behind this campaign is evident: wallet addresses associated with UNC4990’s activities have accumulated profits exceeding $55,000 (excluding Monero, whose balances are not publicly visible).
Despite seemingly straightforward prevention measures, USB-based malware remains a significant threat and an effective propagation medium for cybercriminals. The tactic of abusing legitimate sites for payload delivery underscores the need for vigilance toward unexpected, seemingly innocuous online locations that conventional controls tend to trust.
Protecting against USB-based malware threats involves a multi-faceted approach. Users should exercise caution when handling USB devices, avoiding the indiscriminate use of unknown drives. Implementing robust endpoint security solutions with updated antivirus software can help detect and prevent malicious activities. Additionally, security teams should continuously monitor network traffic for anomalous patterns and behavior indicative of malware propagation, enhancing overall resilience against evolving cyber threats.
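The attack chain described above (a double-clicked LNK on a USB drive launching PowerShell on explorer.ps1, which then fetches its next stage from a public platform) can be turned into concrete endpoint telemetry checks. The following is an added example, not code from the original article or from the researchers; it runs three defender-side rules over constructed Sysmon-style process-creation events. The event schema, the `RemovableDrives` field (assumed to be supplied by the collector) and all sample command lines are assumptions built for the example.

```python
import re

# Platforms the article names as payload hosts; a PowerShell fetch from one of
# these is a weak signal on its own and is meant to be correlated with the others.
PAYLOAD_HOSTS = ("github.com", "gitlab.com", "vimeo.com", "arstechnica.com")

# Extracts the script path from a "-File X:\path\script.ps1" argument.
SCRIPT_RE = re.compile(r'-file\s+"?([A-Za-z]:\\[^\s"]+\.ps1)', re.IGNORECASE)

# Constructed sample events (not real telemetry). Event 0 mimics the USB launch
# described in the article; event 1 is a benign local script; event 2 mimics the
# intermediary-payload fetch; event 3 is unrelated.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File E:\explorer.ps1",
     "RemovableDrives": ["E:"]},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\Users\alice\scripts\backup.ps1",
     "RemovableDrives": ["E:"]},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -Command "Invoke-WebRequest https://vimeo.com/CONSTRUCTED_VIDEO_ID"',
     "RemovableDrives": ["E:"]},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe E:\notes.txt",
     "RemovableDrives": ["E:"]},
]

def is_removable_path(path, removable_drives):
    """True when the path starts with the letter of a currently mounted removable drive."""
    return any(path.upper().startswith(d.upper()) for d in removable_drives)

def triage_event(ev):
    """Return the names of the rules a single process-creation event matches."""
    hits = []
    if not ev["Image"].lower().endswith("powershell.exe"):
        return hits
    cmd = ev["CommandLine"]
    match = SCRIPT_RE.search(cmd)
    script = match.group(1) if match else ""
    # Rule 1: explorer.exe (i.e. a double-clicked shortcut) spawning PowerShell on a script kept on removable media.
    if ev["ParentImage"].lower().endswith("explorer.exe") and script and is_removable_path(script, ev["RemovableDrives"]):
        hits.append("powershell_script_from_removable_media")
    # Rule 2: the script name reported for this campaign.
    if script.lower().endswith("\\explorer.ps1"):
        hits.append("known_script_name_explorer_ps1")
    # Rule 3: PowerShell retrieving content from one of the abused public platforms.
    if any(host in cmd.lower() for host in PAYLOAD_HOSTS):
        hits.append("powershell_fetch_from_public_platform")
    return hits

def triage(events):
    """Return (index, matched_rules) for every event that matches at least one rule."""
    return [(i, triage_event(ev)) for i, ev in enumerate(events) if triage_event(ev)]
```

Rule 3 alone would also fire on legitimate developer activity, so in practice it is worth alerting on only when it follows a rule 1 or rule 2 hit on the same host within a short window.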