Recently, Mandiant Managed Defense discovered cyber espionage activity that focuses on the Philippines and mainly uses USB drives as an initial infection vector. This operation, which Mandiant tracks as ‘UNC4191’, has a connection to China.
The report states that operations of UNC4191 have had an impact on a variety of public and private sector organizations, primarily in Southeast Asia and extending to the U.S., Europe, and APJ, but mainly focuses on the Philippines.
Malicious USB Devices to Deliver Multiple Malware
After becoming infected initially through USB devices, the threat actor used legally signed binaries to side-load malware, including three new families of viruses called MISTCLOAK, DARKDEW, and BLUEHAZE.
“Successful compromise led to the deployment of a renamed NCAT binary and execution of a reverse shell on the victim’s system, providing backdoor access to the threat actor”, reports Mandiant Managed Defense
Notably, the malware spreads itself by infecting new removable drives connected to a compromised system, enabling the malicious payloads to spread to adjacent systems and potentially gather data from air-gapped systems.
UNC4191 Malware Families
Mandiant identified UNC4191 deploy the following malware families: ‘MISTCLOAK’ is a launcher written in C++ that executes an encrypted executable payload stored in a file on disk.
‘BLUEHAZE’ is a launcher written in C/C++ that launches a copy of NCAT to create a reverse shell to a hardcoded command and control (C2).
‘NCAT’ is a command-line networking utility used for legitimate purposes; threat actors may also use it to upload or download files, create backdoors or reverse shells, and tunnel traffic to evade network controls.
Final Word
This operation indicates Chinese attempts to gain and keep access to both public and private enterprises with the aim of gathering information relevant to China’s political and economic objectives.
Based on the findings and the number of compromised systems indicated by Mandiant, the primary target of this operation is the Philippines.
Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book