
A Chinese threat actor has developed new capabilities to target air-gapped systems in an attempt to exfiltrate sensitive data for espionage, according to research published by Kaspersky yesterday. The APT, known as Cycldek, Goblin Panda, or Conimes, employs an extensive toolset for lateral movement and information stealing in victim networks, including previously unreported custom tools, tactics, and procedures used in attacks against government agencies in Vietnam, Thailand, and Laos.

"One of the newly revealed tools is named USBCulprit and has been found to rely on USB media in order to exfiltrate victim data," Kaspersky said. "This may suggest Cycldek is trying to reach air-gapped networks in victim environments or relies on physical presence for the same purpose."

First observed by CrowdStrike in 2013, Cycldek has a long history of singling out defense, energy, and government sectors in Southeast Asia, particularly Vietnam, using decoy documents that exploit known vulnerabilities (e.g., CVE-2012-0158, CVE-2017-11882, CVE-2018-0802) in Microsoft Office to drop a malware called NewCore RAT. Kaspersky's analysis of NewCore revealed two different variants (named BlueCore and RedCore) centered around two clusters of activity, with similarities in both code and infrastructure but also containing features that are exclusive to RedCore, namely a keylogger and an RDP logger that captures details about users connected to a system via RDP.

"Each cluster of activity had a different geographical focus," the researchers said. "The operators behind the BlueCore cluster invested most of their efforts on Vietnamese targets with several outliers in Laos and Thailand, while the operators of the RedCore cluster started out with a focus on Vietnam and diverted to Laos by the end of 2018."
Both BlueCore and RedCore implants, in turn, downloaded a variety of additional tools to facilitate lateral movement (HDoor) and extract information (JsonCookies and ChromePass) from compromised systems. What's more, USBCulprit is programmed to copy itself selectively to certain removable drives so it can move laterally to other air-gapped systems each time an infected USB drive is inserted into another machine. A telemetry analysis by Kaspersky found that the first instance of the USBCulprit binary dates all the way back to 2014, with the latest samples recorded at the end of last year.

The initial infection mechanism relies on malicious binaries that mimic legitimate antivirus components to load USBCulprit through DLL search order hijacking. Once loaded, the malware collects the relevant information, saves it in the form of an encrypted RAR archive, and exfiltrates the data to a connected removable device.