A threat actor with a suspected China nexus has been linked to a set of espionage attacks in the Philippines that primarily relies on USB devices as an initial infection vector.
Mandiant, which is part of Google Cloud, is tracking the cluster under its uncategorized moniker UNC4191. An analysis of the artifacts used in the intrusions indicates that the campaign dates as far back as September 2021.
"UNC4191 operations have affected a range of public and private sector entities primarily in Southeast Asia and extending to the U.S., Europe, and APJ," researchers Ryan Tomcik, John Wolfram, Tommy Dacanay, and Geoff Ackerman said.
Discover how application detection, response, and automated behavior modeling can revolutionize your defense against insider threats.Join Now
"However, even when targeted organizations were based in other locations, the specific systems targeted by UNC4191 were also found to be physically located in the Philippines."
The reliance on infected USB drives to propagate the malware is unusual if not new. The Raspberry Robin worm, which has evolved into an initial access service for follow-on attacks, is known to use USB drives as an entry point.
The threat intelligence and incident response firm said that the attacks led to the deployment of three new malware families dubbed MISTCLOAK, DARKDEW, and BLUEHAZE, alongside Ncat, the latter of which is a command-line networking utility that's used to create a reverse shell on the victim system.
MISTCLOAK, for its part, gets activated when a user plugs in a compromised removable device to a system, acting as a launchpad for an encrypted payload called DARKDEW that's capable of infecting removable drives, effectively proliferating the infections.
"The malware self-replicates by infecting new removable drives that are plugged into a compromised system, allowing the malicious payloads to propagate to additional systems and potentially collect data from air-gapped systems," the researchers explained.
The DARKDEW dropper further serves to launch another executable ("DateCheck.exe"), a renamed version of a legitimate, signed application known as "Razer Chromium Render Process" that invokes the BLUEHAZE malware.
BLUEHAZE, a launcher written in C/C++, takes the attack chain forward by starting a copy of Ncat to create a reverse shell to a hardcoded command-and-control (C2) address.
"We believe this activity showcases Chinese operations to gain and maintain access to public and private entities for the purposes of intelligence collection related to China's political and commercial interests," the researchers said.