Recently, Mandiant Managed Defense discovered cyber espionage activity that focuses on the Philippines and mainly uses USB drives as an initial infection vector. This operation, which Mandiant tracks as ‘UNC4191’, has a connection to China.
The report states that operations of UNC4191 have had an impact on a variety of public and private sector organizations, primarily in Southeast Asia and extending to the U.S., Europe, and APJ, but mainly focuses on the Philippines.
After becoming infected initially through USB devices, the threat actor used legally signed binaries to side-load malware, including three new families of viruses called MISTCLOAK, DARKDEW, and BLUEHAZE.
“Successful compromise led to the deployment of a renamed NCAT binary and execution of a reverse shell on the victim’s system, providing backdoor access to the threat actor”, reports Mandiant Managed Defense
Notably, the malware spreads itself by infecting new removable drives connected to a compromised system, enabling the malicious payloads to spread to adjacent systems and potentially gather data from air-gapped systems.
Mandiant identified UNC4191 deploy the following malware families: ‘MISTCLOAK’ is a launcher written in C++ that executes an encrypted executable payload stored in a file on disk.
‘BLUEHAZE’ is a launcher written in C/C++ that launches a copy of NCAT to create a reverse shell to a hardcoded command and control (C2).
‘NCAT’ is a command-line networking utility used for legitimate purposes; threat actors may also use it to upload or download files, create backdoors or reverse shells, and tunnel traffic to evade network controls.
This operation indicates Chinese attempts to gain and keep access to both public and private enterprises with the aim of gathering information relevant to China’s political and economic objectives.
Based on the findings and the number of compromised systems indicated by Mandiant, the primary target of this operation is the Philippines.
Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book
Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…
The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ advanced…
A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to execute…
Meta has announced the removal of over 2 million accounts connected to malicious activities, including…
Critical security vulnerability has been identified in Veritas Enterprise Vault, a widely-used archiving and content…
A critical security vulnerability has been disclosed in the popular file archiving tool 7-Zip, allowing…