October 22, 2023 at 01:42PM
The TetrisPhantom threat actor is using compromised secure USB drives to target government systems in the Asia-Pacific region. The attack involves trojanized versions of the UTetris application, which is bundled on the unencrypted part of the USB drives. The attackers use sophisticated tools and techniques, including virtualization-based software obfuscation and self-replication through connected USB drives. The malware steals documents and sensitive files, collects information about the USB drives, and exfiltrates the data to the attacker’s server. The attacks have been ongoing for a few years and focus on espionage in government networks.
Key Takeaways from the Meeting Notes:
1. A new threat group known as TetrisPhantom is targeting government systems in the Asia-Pacific region using compromised secure USB drives.
2. The secure USB drives have an encrypted partition and are used to transfer data between systems, including air-gapped environments.
3. The threat actors use custom software, including UTetris.exe, to decrypt the protected partition and gain access to the encrypted files.
4. Trojanized versions of UTetris.exe have been found on secure USB devices in an attack campaign that has been running for a few years.
5. TetrisPhantom employs sophisticated tools, commands, and malware components, indicating a well-resourced threat group.
6. The attack starts by executing a payload called AcroShell, which establishes communication with the attacker’s command and control server.
7. AcroShell can fetch and run additional payloads, steal documents and sensitive files, and collect details about the USB drives used by the target.
8. The threat actors use the gathered information to develop another malware called XMKR and trojanized versions of UTetris.exe.
9. XMKR is responsible for compromising secure USB drives connected to the system and spreading the attack to potentially air-gapped systems.
10. XMKR steals files for espionage purposes and writes the data on the compromised USB drives.
11. The compromised USB drives exfiltrate the information to the attacker’s server when plugged into an internet-connected computer infected with AcroShell.
12. Kaspersky has analyzed two versions of the malicious UTetris executable, indicating that these attacks have been ongoing for at least a few years.
13. TetrisPhantom’s primary focus is espionage, and the researchers have observed a small number of infections on government networks, suggesting a targeted operation.
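Because the trojanized launcher sits on the unencrypted partition of the drive, the practical defender check is an integrity audit of that partition: every executable is hashed and compared with the baseline recorded when the drive was provisioned, so a replaced UTetris.exe or an extra binary dropped beside it is flagged before the drive is used. The script below is an added example written for this page, not Kaspersky's tooling or the vendor's software; the directory layout, file contents, baseline hashes and the file name `UTetris.exe` as used here are all constructed for the demonstration (no real hashes from the report are involved).

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# File types that should never change on the unencrypted partition without a
# matching baseline update (assumption: the vendor utility ships as PE files).
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".cmd", ".bat"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_unencrypted_partition(root: Path, baseline: dict[str, str]) -> list[tuple[str, str]]:
    """Compare every executable under `root` with the provisioning baseline.

    Returns (relative_path, verdict) pairs, where verdict is one of:
    'ok'         hash matches the baseline
    'modified'   file is in the baseline but its hash differs (e.g. trojanized launcher)
    'unexpected' executable not present in the baseline at all
    'missing'    baseline file is gone from the drive
    """
    findings: list[tuple[str, str]] = []
    seen: set[str] = set()
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in EXECUTABLE_SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        expected = baseline.get(rel)
        if expected is None:
            findings.append((rel, "unexpected"))
        elif sha256_of(path) != expected:
            findings.append((rel, "modified"))
        else:
            findings.append((rel, "ok"))
    for rel in baseline:
        if rel not in seen:
            findings.append((rel, "missing"))
    return sorted(findings)


def build_constructed_drive() -> tuple[Path, dict[str, str]]:
    """Create a throwaway directory standing in for the drive's unencrypted partition.

    Everything here is constructed sample data: the bytes are not a real PE file and
    the baseline is computed from them, not taken from any published indicator.
    """
    root = Path(tempfile.mkdtemp(prefix="secure_usb_"))
    launcher = b"MZ-constructed-vendor-launcher-v1"
    helper = b"MZ-constructed-helper-library"
    (root / "UTetris.exe").write_bytes(launcher)
    (root / "vendor").mkdir()
    (root / "vendor" / "helper.dll").write_bytes(helper)
    baseline = {
        "UTetris.exe": hashlib.sha256(launcher).hexdigest(),
        "vendor/helper.dll": hashlib.sha256(helper).hexdigest(),
    }
    return root, baseline


def demo() -> dict[str, dict[str, str]]:
    """Audit the constructed drive once clean, then again after simulated tampering."""
    root, baseline = build_constructed_drive()
    clean = dict(audit_unencrypted_partition(root, baseline))
    # Simulate the two changes a defender should catch: the launcher swapped for a
    # different binary, and an extra executable placed next to it.
    (root / "UTetris.exe").write_bytes(b"MZ-constructed-replacement")
    (root / "update.exe").write_bytes(b"MZ-constructed-extra")
    tampered = dict(audit_unencrypted_partition(root, baseline))
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for phase, verdicts in demo().items():
        print(phase)
        for rel, verdict in verdicts.items():
            print(f"  {verdict:<10} {rel}")
```

In practice the baseline would be generated once from a known-good drive and stored off the drive (a read-only share or a signed file on the audit host), since a baseline kept on the same unencrypted partition could be rewritten along with the launcher.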