January 31, 2024 at 05:37PM
A financially motivated threat actor utilizes USB devices to infect and abuse online platforms such as GitHub, Vimeo, and Ars Technica to host encoded malware. These encoded payloads act as essential components in downloading and executing malware. The attackers, tracked as UNC4990 by Mandiant, predominantly target users in Italy. This complex attack demonstrates the need for robust security measures against USB-based malware and the unexpected threat posed by seemingly benign online platforms.
Here’s a concise summary of the meeting notes:
– A financially motivated threat actor, identified as UNC4990 by Mandiant, has been targeting users predominantly in Italy since 2020. The attackers use USB devices for initial infections and host encoded payloads on legitimate online platforms such as GitHub, Vimeo, and Ars Technica. These payloads are placed in forum user profiles or video descriptions and, when integrated into the campaign’s attack chain, are pivotal in downloading and executing malware in attacks.
– The attackers have experimented with different approaches for hosting intermediary payloads, shifting from using encoded text files on GitHub and GitLab to abusing Vimeo and Ars Technica for hosting encrypted string payloads. They hide the payloads in plain sight, using regular site features without exploiting vulnerabilities to covertly host the obfuscated payloads.
– The PowerShell script launched by victims executes an intermediary payload that decodes to a URL used to download and install malware, including the backdoor named ‘QUIETBOARD’ and crypto coin miners. The wallet addresses linked to this campaign have made a profit surpassing $55,000, not accounting for hidden Monero.
– Mandiant notes that the attackers benefit from hosting payloads on reputable platforms, reducing the likelihood of them being flagged as suspicious and enjoying resilience to takedowns. The embedding of payloads within legitimate content and mixing it with high volumes of legitimate traffic makes it more difficult to pinpoint and remove the malicious code.
– Despite the seemingly straightforward prevention measures, USB-based malware continues to pose a significant threat and serve cybercriminals as an effective propagation medium. The tactic of abusing legitimate sites to plant intermediate payloads illustrates how threats can lurk in unexpected and seemingly innocuous locations, challenging conventional security paradigms.
Let me know if you need further clarification.