Cyber espionage group UNC4191 has been observed leveraging self-replicating malware spread via USB drives to infect entities in Southeast Asia, Asia-Pacific, Europe, and the US. According to security researchers at Mandiant, the technique allows the threat actor to steal data from air-gapped systems. Mandiant also found that the campaign has a focus on the Philippines. The threat actor has been observed using malware families including the Bluehaze and Mistcloak launchers and the Darkdew dropper.
Additionally, the attackers have used the NCAT command-line networking utility and a reverse shell to compromise devices through USB drives. These techniques allow the attacker to achieve backdoor access to the compromised system, Mandiant says. The malware is able to self-replicate by infecting any new drives present on a compromised system. The initial infection begins when the user connects the infected drive to their machine, triggering the Mistcloak launcher. Mandiant believes that the campaign has been active since at least September 2021.
Read More: Self-Replicating Malware Used by Chinese Cyberspies Spreads via USB Drives