Italian Businesses Hit by Weaponized USBs Spreading Cryptojacking Malware

31.01.2024


A financially motivated threat actor identified as UNC4990 is employing weaponized USB devices as an initial means of infecting organizations in Italy, according to a report from Mandiant, a subsidiary of Google. The targeted sectors encompass health, transportation, construction, and logistics.

Mandiant’s report, released on Tuesday, outlines the typical UNC4990 modus operandi, which involves widespread USB infections followed by the deployment of the EMPTYSPACE downloader. Throughout these operations, UNC4990 relies on third-party websites such as GitHub, Vimeo, and Ars Technica to host encoded additional stages. These stages are downloaded and decoded via PowerShell early in the execution chain.

Active since late 2020, UNC4990 is believed to operate out of Italy, as evidenced by its extensive use of Italian infrastructure for command-and-control (C2) purposes. The ultimate goal of UNC4990 remains unclear, although there is a documented instance where an open-source cryptocurrency miner was deployed after months of beaconing activity.

Fortgale and Yoroi previously documented details of the campaign in early December 2023, with Fortgale referring to the threat actor as Nebula Broker. The infection initiates when a victim double-clicks on a malicious LNK shortcut file on a removable USB device, triggering the execution of a PowerShell script responsible for downloading EMPTYSPACE (also known as BrokerLoader or Vetta Loader) from a remote server via an intermediate PowerShell script hosted on Vimeo.

Yoroi has identified four different variants of EMPTYSPACE written in Golang, .NET, Node.js, and Python. These variants act as conduits for fetching next-stage payloads over HTTP from the C2 server, including a backdoor named QUIETBOARD.
