USB Malware Chained with Text Strings on Legitimate Websites Attacks Users

Despite the evolution of several tools and tactics, threat actors still go with the traditional approach to attack victims for malicious purposes. One such threat actor is UNC4990, which uses USB devices to exploit victims. UNC4990 is a financially motivated threat actor and has been conducting campaigns since 2020.

There has been a continuous evolution of this threat actor’s activities. With that being said, the recent tactics involved the use of popular and legitimate websites such as GitHub, GitLab, Ars Technica and Vimeo. 

In addition, the threat actor has been using EMPTYSPACE downloader and QUIETBOARD backdoor. EMPTYSPACE is capable of executing any payload served from the command and control servers, and QUIETBOARD is also delivered using EMPTYSPACE.

Document
Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

USB Malware Chained with Text Strings

Initial Vector

According to the reports shared with Cyber Security News, the threat actor begins the infection chain by delivering the USB drives to the victims by any means of social engineering. Once the victim connects the USB to their device, the USB removable device is shown with a shortcut (.LNK extension) under the vendor name.

Infection Chain | Source : Mandiant

When the victims open this malicious LNK shortcut file, it executes a PowerShell script (explorer.ps1), which contains the following command. 

“C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle has hidden -NoProfile -nologo -ExecutionPolicy ByPass -File explorer.ps1”

The explorer.ps1 is an encoded PowerShell script that checks for specific conditions and fetches the Runtime Broker.exe, which is the EMPTY SPACE downloader. 

Timeline

From the beginning of 2023, the threat actor replaced GitHub with Vimeo, a video-sharing website. A video was added to Vimeo in which the description had the hard-coded payload. However, this video was removed now. Additionally, the Vimeo URL was also embedded inside the explorer.ps1 script.

In mid of December 2023, it was discovered that the threat actor had been using Ars Technica by using an image embedded with the payload. As a backup, the threat actor had also updated the EMPTY SPACE serving URL, which had an additional string.

Furthermore, there have been several versions of EMPTYSPACE loader used by the threat actor, such as the Node JS version, .NET version, and Python version alongside QUIETBOARD.

This Python-based backdoor can execute arbitrary code, cryptocurrency theft, USB drive infection, screenshotting, information gathering, and C2 communications.

Indicators of Compromise

Host-based IOCs

IOCSHA-256Associated Malware Family
explorer.ps172f1ba6309c98cd52ffc99dd15c45698dfca2d6ce1ef0bf262433b5dfff084bePowerShell Script
98594dfae6031c9bdf62a4fe2e2d2821730115d46fca61da9a6cc225c6c4a750
d09d1a299c000de6b7986078518fa0defa3278e318c7f69449c02f177d3228f0
7c793cc33721bae13e200f24e8d9f51251dd017eb799d0172fd647acab039027
6fb4945bb73ac3f447fb7af6bd2937395a067a6e0c0900886095436114a17443
%TEMP%\Runtime Broker.exea4f20b60a50345ddf3ac71b6e8c5ebcb9d069721b0b0edc822ed2e7569a0bb40EMPTYSPACE Downloader (Node.JS Variant)
Runtime Broker.exe8a492973b12f84f49c52216d8c29755597f0b92a02311286b1f75ef5c265c30dEMPTYSPACE Downloader (.NET Variant)
C:\Program Files (x86)\WinSoft Update Service\bootstrap.pycV1: 060882f97ace7cb6238e714fd48b3448939699e9f085418af351c42b401a1227EMPTYSPACE Downloader (Python Variant)
V2: 8c25b73245ada24d2002936ea0f3bcc296fdcc9071770d81800a2e76bfca3617
V3: b9ffba378d4165f003f41a619692a8898aed2e819347b25994f7a5e771045217
V4: 84674ae8db63036d1178bb42fa5d1b506c96b3b22ce22a261054ef4d021d2c69
C:\Program Files (x86)\WinSoft Update Service\program.pyz15d977dae1726c2944b0b4965980a92d8e8616da20e4d47d74120073cbc701b3QUIETBOARD Backdoor
26d93501cb9d85b34f2e14d7d2f3c94501f0aaa518fed97ce2e8d9347990decf
26e943db620c024b5e87462c147514c990f380a4861d3025cf8fc1d80a74059a
C:\windows\runtimebroker .exe71c9ce52da89c32ee018722683c3ffbc90e4a44c5fba2bd674d28b573fba1fdcQUIETBOARD associated file
C:\Program Files (x86)\pyt37\python37.zip539a79f716cf359dceaa290398bc629010b6e02e47eaed2356074bffa072052fQUIETBOARD associated file

Network-Based IOCs

URL

  • hxxps://bobsmith.apiworld[.]cf/license.php
  • hxxps://arstechnica[.]com/civis/members/frncbf22.1062014/about/
  • hxxps://evinfeoptasw.dedyn[.]io/updater.php
  • hxxps://wjecpujpanmwm[.]tk/updater.php?from=USB1
  • hxxps://eldi8.github[.]io/src.txt
  • hxxps://evh001.gitlab[.]io/src.txt
  • hxxps://vimeo[.]com/api/v2/video/804838895.json
  • hxxps[://]monumental[.]ga/wp-admin[.]php
  • hxxp[://]studiofotografico35mm[.]altervista[.]org/updater[.]php
  • hxxp[://]ncnskjhrbefwifjhww[.]tk/updater[.]php
  • hxxp[://]geraldonsboutique[.]altervista[.]org/updater[.]php
  • hxxps[://]wjecpujpanmwm[.]tk/updater[.]php
  • hxxps[://]captcha[.]grouphelp[.]top/updater[.]php
  • hxxps[://]captcha[.]tgbot[.]it/updater[.]php
  • hxxps://luke.compeyson.eu[.]org/runservice/api/public.php
  • hxxps[://]luke[.]compeyson[.]eu[.]org/wp-admin[.]php
  • hxxps://luke.compeyson.eu[.]org/runservice/api/public_result.php
  • hxxps://eu1.microtunnel[.]it/c0s1ta/index.php
  • hxxps[://]davebeerblog[.]eu[.]org/wp-admin[.]php
  • hxxps://lucaespo.altervista[.]org/updater.php
  • hxxps://lucaesposito.herokuapp[.]com/c0s1ta/index.php
  • hxxps://euserv3.herokuapp[.]com/c0s1ta/index.php
Eswar is a Cyber security reporter with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is reporting data breach, Privacy and APT Threats.