A recently discovered attack campaign likely run by threat actors in China has been targeting public and private organizations in the Philippines, Europe, and the United States for perhaps as long as a year using multi-stage malware that is capable of self-replicating and is designed to steal data.
The campaign may have been ongoing since September 2021, but researchers at Mandiant discovered it only recently. They found that the threat actor relies on an older technique, malware-laden USB drives, as the initial infection vector. The attack chain combines legitimate, signed tools with several new pieces of malware, one of which can self-replicate onto newly attached drives.
“Following initial infection via USB devices, the threat actor leveraged legitimately signed binaries to side-load malware, including three new families we refer to as MISTCLOAK, DARKDEW, and BLUEHAZE. Successful compromise led to the deployment of a renamed NCAT binary and execution of a reverse shell on the victim’s system, providing backdoor access to the threat actor,” an analysis by Mandiant researchers published Monday says.
“The malware self-replicates by infecting new removable drives that are plugged into a compromised system, allowing the malicious payloads to propagate to additional systems and potentially collect data from air-gapped systems.”
Unlike some other malware campaigns that rely on infected USB drives, the malware in this campaign does not execute automatically when a victim inserts the drive into a computer. Rather, the victim has to manually run one of two files on the drive, both of which are renamed copies of a legitimate, signed application called USB Network Gate. Once the victim runs one of them, the signed executable side-loads MISTCLOAK, a malicious DLL that stands in for a library the legitimate program expects to load.
MISTCLOAK is essentially a launcher: it reads an encrypted file named usb.ini that holds the second-stage payload, DARKDEW, and executes it. DARKDEW can run from either a removable drive or the system's hard drive, and its behavior depends on which of the two it is launched from.
“If executed from a removable drive, DARKDEW will launch explorer.exe via `explorer.exe "<drive>:\autorun.inf\Protection for Autorun"` where <drive> is a removable drive letter, such as “E”. DARKDEW will then check if either C:\ProgramData\udisk\disk_watch.exe or C:\ProgramData\udisk\DateCheck.exe exist and will create the directory C:\ProgramData\udisk if neither are found,” the Mandiant analysis says.
Once that directory exists, DARKDEW copies the files from specific directories into it, writes the renamed USB Network Gate binary to disk and creates a registry key to establish persistence. It then drops DateCheck.exe, a renamed copy of another legitimate application, Razer Chromium Render Process. That program loads a legitimate DLL, which in turn calls a function in the BLUEHAZE malware component. BLUEHAZE creates its own registry key for persistence and opens a reverse shell to a hard-coded command-and-control address.
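The chain above leaves a handful of concrete artifacts a defender can hunt for: the explorer.exe launch of `<drive>:\autorun.inf\Protection for Autorun`, the `C:\ProgramData\udisk` staging directory, and the two executables DARKDEW looks for there. The Python below is an added example written for this article, not Mandiant's tooling or code from the report, and it uses only those artifacts. The simplified process-creation event shape (image plus command line), the sample events, the rule names and the throwaway test tree are all constructed for illustration; the persistence registry key is not checked because the article does not name it.

```python
import re
import tempfile
from pathlib import Path, PureWindowsPath

# Host artefacts the article says DARKDEW checks for and creates.
STAGING_DIR = r"C:\ProgramData\udisk"
STAGING_EXES = {"disk_watch.exe", "datecheck.exe"}  # matched case-insensitively

# The launch the article quotes: explorer.exe "<drive>:\autorun.inf\Protection for Autorun"
AUTORUN_LAUNCH = re.compile(
    r'explorer\.exe\s+"?[A-Za-z]:\\autorun\.inf\\Protection for Autorun"?',
    re.IGNORECASE,
)

# Constructed process-creation events in a simplified Sysmon-like shape
# (image + command line). Not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\explorer.exe",
     "command_line": r'explorer.exe "E:\autorun.inf\Protection for Autorun"'},
    {"image": r"C:\ProgramData\udisk\DateCheck.exe",
     "command_line": r'"C:\ProgramData\udisk\DateCheck.exe"'},
    {"image": r"C:\Windows\explorer.exe",
     "command_line": r'explorer.exe "D:\Photos"'},
]


def classify_event(event: dict) -> list:
    """Return the names of the hunting rules a process-creation event matches."""
    hits = []
    image = event.get("image", "")
    cmdline = event.get("command_line", "")
    if AUTORUN_LAUNCH.search(cmdline):
        hits.append("explorer_opens_autorun_inf_dir")
    if image.lower().startswith(STAGING_DIR.lower() + "\\"):
        hits.append("process_from_programdata_udisk")
        # PureWindowsPath splits on backslashes even when run on Linux/macOS.
        if PureWindowsPath(image).name.lower() in STAGING_EXES:
            hits.append("known_staging_executable")
    return hits


def scan_events(events) -> list:
    """Return (image, hits) pairs for every event that matched at least one rule."""
    flagged = []
    for event in events:
        hits = classify_event(event)
        if hits:
            flagged.append((event["image"], hits))
    return flagged


def removable_drive_is_infected(drive_root: Path) -> bool:
    """True if the drive has the layout DARKDEW opens through explorer.exe:
    an autorun.inf *directory* containing "Protection for Autorun".
    A legitimate autorun.inf is an INI file, so the directory form alone
    is worth flagging."""
    autorun = drive_root / "autorun.inf"
    return autorun.is_dir() and (autorun / "Protection for Autorun").exists()


def host_has_staging_artifacts(programdata: Path) -> list:
    """Return the DARKDEW staging executables present under <programdata>/udisk.
    The real location is C:\\ProgramData; the root is a parameter so the
    check can also run against a test tree."""
    udisk = programdata / "udisk"
    if not udisk.is_dir():
        return []
    return sorted(p.name for p in udisk.iterdir() if p.name.lower() in STAGING_EXES)


def demo() -> dict:
    """Build a throwaway infected drive, a clean drive and a staged ProgramData
    tree in a temp directory, run every check, and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        bad_drive = root / "bad_drive"          # constructed infected drive image
        (bad_drive / "autorun.inf" / "Protection for Autorun").mkdir(parents=True)
        good_drive = root / "good_drive"        # constructed clean drive image
        good_drive.mkdir()
        (good_drive / "autorun.inf").write_text("[autorun]\n")
        programdata = root / "ProgramData"      # constructed staged host tree
        (programdata / "udisk").mkdir(parents=True)
        (programdata / "udisk" / "disk_watch.exe").write_bytes(b"MZ")
        return {
            "bad_drive": removable_drive_is_infected(bad_drive),
            "good_drive": removable_drive_is_infected(good_drive),
            "staging": host_has_staging_artifacts(programdata),
            "event_hits": scan_events(SAMPLE_EVENTS),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a live host, point `host_has_staging_artifacts` at `Path(r"C:\ProgramData")` and `removable_drive_is_infected` at each removable drive root; feed `classify_event` real process-creation records after mapping their image and command-line fields into the dict shape used here. Matching on the explorer.exe argument rather than on file names is deliberate: the renamed USB Network Gate binaries on the drive carry whatever names the operator chose, but the path DARKDEW hands to explorer.exe is fixed.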
Mandiant attributed the campaign to an uncategorized actor it calls UNC4191 and said that the actor is likely located in China and its actions are aligned with the Chinese government’s political and economic goals.
“We believe this activity showcases Chinese operations to gain and maintain access to public and private entities for the purposes of intelligence collection related to China’s political and commercial interests. Our observations suggest that entities in the Philippines are the main target of this operation based on the number of affected systems located in this country that were identified by Mandiant,” the researchers said.