Camaro Dragon hackers strike with USB-driven self-propagating malware

In a recent discovery, the Chinese cyber espionage group known as Camaro Dragon has been found utilizing a new strain of self-propagating malware that spreads through compromised USB drives, according to research shared with The Hacker News by Check Point, a leading cybersecurity company.

Traditionally focused on Southeast Asian countries, Camaro Dragon’s global reach has now been exposed, shedding light on the significant role that USB drives play in the dissemination of malware.

Check Point’s investigation into a cyber incident at an unnamed European hospital earlier this year uncovered evidence of USB malware infections in multiple countries, including Myanmar, South Korea, Great Britain, India, and Russia.

The breach in the European hospital was not a direct targeted attack by Camaro Dragon but rather a result of an employee plugging an infected USB drive into a colleague’s computer during a conference in Asia. Unknowingly, the employee introduced the infected USB drive to the healthcare institution upon their return, resulting in the spread of the infection to the hospital’s computer systems.

Camaro Dragon, which shares tactical similarities with other activity clusters such as Mustang Panda and LuminousMoth, has recently been associated with the use of a Go-based backdoor called TinyNote and a malicious router firmware implant named HorseShell.

The current infection chain involves HopperTick, a Delphi-based launcher propagated through USB drives, and a primary payload called WispRider. WispRider is the component that infects USB thumb drives when they are connected to an already-infected computer, so that an otherwise benign drive becomes the carrier.

Once a USB drive is inserted into an infected computer, WispRider detects the new device and manipulates its files, creating hidden folders at the root of the thumb drive, as explained by Check Point researchers.

In addition to infecting the current host, WispRider communicates with a remote server, compromises newly connected USB devices, executes arbitrary commands, and performs file operations.

Certain variants of WispRider also function as a backdoor, capable of bypassing the Indonesian antivirus solution called Smadav and using DLL side-loading techniques with components from security software like G-DATA Total Security.

Another payload delivered alongside WispRider is a stealer module known as disk monitor (HPCustPartUI.dll), which stages files with predefined extensions for exfiltration, including docx, mp3, wav, m4a, wma, aac, cda, and mid.
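The two observable traits described above, hidden folders created at the root of a thumb drive and staging of files with the listed extensions, lend themselves to a simple removable-media audit. The script below is an added defender example, not code from Check Point or from the malware; the mock drive layout it builds is constructed for illustration.

```python
"""Audit the root of a removable drive for hidden folders and, inside them,
files of the types the disk-monitor module is reported to stage."""
import stat
import sys
import tempfile
from pathlib import Path

# Extensions the article lists as staged for exfiltration by HPCustPartUI.dll.
STAGED_EXTENSIONS = {".docx", ".mp3", ".wav", ".m4a", ".wma", ".aac", ".cda", ".mid"}


def is_hidden(path: Path) -> bool:
    """Hidden by dot-prefix (POSIX convention) or by the Windows hidden attribute."""
    if path.name.startswith("."):
        return True
    try:
        st = path.lstat()
    except OSError:
        return False
    win_attrs = getattr(st, "st_file_attributes", 0)  # only present on Windows
    return bool(win_attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def audit_drive_root(root: str) -> dict:
    """Return hidden root-level folders and staged-type files found inside them.
    Note: legitimate hidden folders exist (e.g. Windows system folders), so a
    real deployment should compare against a baseline allowlist."""
    root_path = Path(root)
    hidden_dirs = [p for p in root_path.iterdir() if p.is_dir() and is_hidden(p)]
    staged = []
    for d in hidden_dirs:
        for f in d.rglob("*"):
            if f.is_file() and f.suffix.lower() in STAGED_EXTENSIONS:
                staged.append(str(f.relative_to(root_path)))
    return {"hidden_dirs": sorted(d.name for d in hidden_dirs), "staged_files": sorted(staged)}


def build_sample_drive(base: str) -> str:
    """Construct a mock drive layout (an assumption for the demo, not real malware output)."""
    root = Path(base) / "USB_DRIVE"
    (root / "Photos").mkdir(parents=True)
    (root / ".cache").mkdir()
    (root / ".cache" / "report.docx").write_bytes(b"constructed sample")
    (root / ".cache" / "notes.txt").write_bytes(b"not a staged type")
    return str(root)


def demo_audit() -> dict:
    """Build the mock drive in a temp dir and audit it."""
    return audit_drive_root(build_sample_drive(tempfile.mkdtemp()))


if __name__ == "__main__":
    print(audit_drive_root(sys.argv[1]) if len(sys.argv) > 1 else demo_audit())
```

Run it with a mount point as the argument to audit a real drive; without one it audits the constructed sample.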

This is not the first instance where Chinese threat actors have exploited USB devices as an infection vector to target environments beyond their primary interests. In November 2022, Mandiant, a subsidiary of Google, attributed UNC4191, a threat actor suspected to have ties to China, to espionage attacks in the Philippines, resulting in the distribution of malware such as MISTCLOAK, DARKDEW, and BLUEHAZE.

A subsequent report by Trend Micro in March 2023 revealed overlaps between UNC4191 and Mustang Panda, linking the latter to the use of MISTCLOAK and BLUEHAZE in spear-phishing campaigns targeting Southeast Asian countries.

These developments indicate that threat actors are actively adapting their tools, tactics, and procedures to evade security solutions, relying on a diverse arsenal of custom tools to exfiltrate sensitive data from victim networks.

“The Camaro Dragon APT group continues to employ USB devices as a method for infecting targeted systems, effectively combining this technique with other established tactics,” noted the researchers.
