A new malware strain called “USBCulprit” is currently being deployed to steal personal data with the help of USB sticks and other portable storage devices, the security firm Kaspersky discovered.
According to Gov Info Security’s latest report, the custom-built malware, which has been active since 2013, appears to have been developed by an advanced persistent threat (APT) group known as Cycldek.
The new malware mainly targets energy, defense, and government organizations in parts of Southeast Asia, especially Vietnam. The USBCulprit malware can copy data from the infected device and exfiltrate it to portable storage devices such as a USB flash drive.
“It is capable of copying itself to any newly connected removable storage,” said Mark Lechtik and Giampaolo Dedola, security researchers at Kaspersky.
“That storage – typically a USB – would need to be physically connected to another machine and the malware in it manually executed to spread onward,” said the security researchers to the Security Media Group.
Although the attacks traced by Kaspersky date back to 2018, the security researchers claimed that the malware is still active. However, no report has stated how many organizations the group of hackers is targeting, and no evidence has been shown that their malicious acts have resulted in actual data theft.
“We can only confirm that the group targeted diplomatic entities and government institutions located in Southeast Asian countries,” said Lechtik and Dedola.
The security researchers also noted that the new malware selects the files it steals only by their extension; it does not distinguish between stolen data files based on their content.
According to the report, the attacks by the new malware begin with politically themed phishing emails containing malicious documents in rich text format. This initial phase of the attack takes advantage of several Microsoft vulnerabilities, allowing the hacker to access the infected device.
After the device is infected, the new malware deploys a remote access Trojan (RAT) called NewCore. According to the security researchers, there are two variants of the NewCore RAT: RedCore and BlueCore. Although the two variants are deployed against different targets and are overseen by separate hacking groups within the Cycldek organization, they still use the same infrastructure and behave in similar ways.
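The report describes two observable behaviours: the malware copies itself onto newly attached removable storage, and it collects documents chosen purely by file extension and writes them to that storage. The following Python script is an added example, not code from Kaspersky or from the report, showing how a defender might turn those two descriptions into a simple audit-log heuristic. The event format, the list of extensions and the bulk-copy threshold are assumptions for illustration; the sample events are constructed.

```python
"""
Added example (not Kaspersky's or the report's code): a heuristic that flags
the two behaviours the report attributes to USBCulprit on a host's file-write
audit trail: an executable written to removable media, and a burst of document
files (selected by extension alone) written to removable media by one process.
Event layout, extension sets and threshold are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed extension sets; a real deployment would tune these to its own data.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr"}
BULK_COPY_THRESHOLD = 5  # assumed: this many document writes by one process is "bulk"


@dataclass
class FileWriteEvent:
    """One file-write record from a (hypothetical) endpoint audit log."""
    process: str        # image name of the writing process
    destination: str    # full destination path of the written file
    removable: bool     # True if the destination volume is removable media


def extension_of(path: str) -> str:
    """Lower-cased extension including the dot, or '' if there is none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def find_suspicious(events):
    """Return a list of (process, reason) findings for removable-media writes."""
    document_writes = defaultdict(int)
    findings = []
    for event in events:
        if not event.removable:
            continue  # only writes to removable media matter for this heuristic
        ext = extension_of(event.destination)
        if ext in EXECUTABLE_EXTENSIONS:
            # Matches the "copies itself to newly connected removable storage" behaviour.
            findings.append((event.process,
                             f"executable written to removable media: {event.destination}"))
        elif ext in DOCUMENT_EXTENSIONS:
            document_writes[event.process] += 1
    for process, count in document_writes.items():
        if count >= BULK_COPY_THRESHOLD:
            # Matches the "collects files by extension, not content" behaviour.
            findings.append((process,
                             f"{count} document files copied to removable media by extension"))
    return findings


def build_sample_events():
    """Constructed sample audit events (not real telemetry)."""
    benign = [FileWriteEvent("explorer.exe", r"E:\report.docx", True),
              FileWriteEvent("explorer.exe", r"E:\budget.xlsx", True),
              FileWriteEvent("winword.exe", r"C:\Users\a\notes.docx", False)]
    # "collector.exe" is a constructed process name standing in for the malware.
    bulk = [FileWriteEvent("collector.exe", rf"E:\staging\file{i}.pdf", True)
            for i in range(6)]
    self_copy = [FileWriteEvent("collector.exe", r"E:\collector.exe", True)]
    return benign + bulk + self_copy


if __name__ == "__main__":
    for process, reason in find_suspicious(build_sample_events()):
        print(f"{process}: {reason}")
```

On the constructed events the script reports only the constructed `collector.exe` process, once for the executable dropped on the removable volume and once for the six PDF copies; the two document writes by `explorer.exe` stay below the threshold and the write to the fixed disk is ignored. The threshold is the tuning knob: set it from the normal rate of document writes to removable media in your own environment before acting on the findings.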