Recently, Mandiant Managed Defense discovered cyber espionage activity that focuses on the Philippines and mainly uses USB drives as an initial infection vector. This operation, which Mandiant tracks as ‘UNC4191’, has a connection to China.
The report states that operations of UNC4191 have had an impact on a variety of public and private sector organizations, primarily in Southeast Asia and extending to the U.S., Europe, and APJ, but mainly focuses on the Philippines.
After becoming infected initially through USB devices, the threat actor used legally signed binaries to side-load malware, including three new families of viruses called MISTCLOAK, DARKDEW, and BLUEHAZE.
“Successful compromise led to the deployment of a renamed NCAT binary and execution of a reverse shell on the victim’s system, providing backdoor access to the threat actor”, reports Mandiant Managed Defense
Notably, the malware spreads itself by infecting new removable drives connected to a compromised system, enabling the malicious payloads to spread to adjacent systems and potentially gather data from air-gapped systems.
Mandiant identified UNC4191 deploy the following malware families: ‘MISTCLOAK’ is a launcher written in C++ that executes an encrypted executable payload stored in a file on disk.
‘BLUEHAZE’ is a launcher written in C/C++ that launches a copy of NCAT to create a reverse shell to a hardcoded command and control (C2).
‘NCAT’ is a command-line networking utility used for legitimate purposes; threat actors may also use it to upload or download files, create backdoors or reverse shells, and tunnel traffic to evade network controls.
This operation indicates Chinese attempts to gain and keep access to both public and private enterprises with the aim of gathering information relevant to China’s political and economic objectives.
Based on the findings and the number of compromised systems indicated by Mandiant, the primary target of this operation is the Philippines.
Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book
LegionLoader, a C/C++ downloader malware, first seen in 2019, delivers payloads like malicious Chrome extensions,…
In a recent security advisory, ASUS has alerted users to critical vulnerabilities affecting several of…
NTT Docomo, one of Japan’s leading telecommunications and IT service providers, experienced a massive disruption…
Apple Inc. has agreed to pay $95 million to settle a proposed class-action lawsuit alleging…
A critical vulnerability discovered in the popular macOS terminal emulator iTerm2 has raised concerns among…
The CVE-2024-49112 vulnerability in Windows LDAP allows remote code execution on unpatched Domain Controllers, as…