Despite the evolution of several tools and tactics, threat actors still go with the traditional approach to attack victims for malicious purposes. One such threat actor is UNC4990, which uses USB devices to exploit victims. UNC4990 is a financially motivated threat actor and has been conducting campaigns since 2020.
There has been a continuous evolution of this threat actor’s activities. With that being said, the recent tactics involved the use of popular and legitimate websites such as GitHub, GitLab, Ars Technica and Vimeo.
In addition, the threat actor has been using EMPTYSPACE downloader and QUIETBOARD backdoor. EMPTYSPACE is capable of executing any payload served from the command and control servers, and QUIETBOARD is also delivered using EMPTYSPACE.
AI-Powered Protection for Business Email Security
Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .
USB Malware Chained with Text Strings
Initial Vector
According to the reports shared with Cyber Security News, the threat actor begins the infection chain by delivering the USB drives to the victims by any means of social engineering. Once the victim connects the USB to their device, the USB removable device is shown with a shortcut (.LNK extension) under the vendor name.
When the victims open this malicious LNK shortcut file, it executes a PowerShell script (explorer.ps1), which contains the following command.
“C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle has hidden -NoProfile -nologo -ExecutionPolicy ByPass -File explorer.ps1”
The explorer.ps1 is an encoded PowerShell script that checks for specific conditions and fetches the Runtime Broker.exe, which is the EMPTY SPACE downloader.
Timeline
From the beginning of 2023, the threat actor replaced GitHub with Vimeo, a video-sharing website. A video was added to Vimeo in which the description had the hard-coded payload. However, this video was removed now. Additionally, the Vimeo URL was also embedded inside the explorer.ps1 script.
In mid of December 2023, it was discovered that the threat actor had been using Ars Technica by using an image embedded with the payload. As a backup, the threat actor had also updated the EMPTY SPACE serving URL, which had an additional string.
Furthermore, there have been several versions of EMPTYSPACE loader used by the threat actor, such as the Node JS version, .NET version, and Python version alongside QUIETBOARD.
This Python-based backdoor can execute arbitrary code, cryptocurrency theft, USB drive infection, screenshotting, information gathering, and C2 communications.
Indicators of Compromise
Host-based IOCs
| IOC | SHA-256 | Associated Malware Family |
| explorer.ps1 | 72f1ba6309c98cd52ffc99dd15c45698dfca2d6ce1ef0bf262433b5dfff084be | PowerShell Script |
| 98594dfae6031c9bdf62a4fe2e2d2821730115d46fca61da9a6cc225c6c4a750 | ||
| d09d1a299c000de6b7986078518fa0defa3278e318c7f69449c02f177d3228f0 | ||
| 7c793cc33721bae13e200f24e8d9f51251dd017eb799d0172fd647acab039027 | ||
| 6fb4945bb73ac3f447fb7af6bd2937395a067a6e0c0900886095436114a17443 | ||
| %TEMP%\Runtime Broker.exe | a4f20b60a50345ddf3ac71b6e8c5ebcb9d069721b0b0edc822ed2e7569a0bb40 | EMPTYSPACE Downloader (Node.JS Variant) |
| Runtime Broker.exe | 8a492973b12f84f49c52216d8c29755597f0b92a02311286b1f75ef5c265c30d | EMPTYSPACE Downloader (.NET Variant) |
| C:\Program Files (x86)\WinSoft Update Service\bootstrap.pyc | V1: 060882f97ace7cb6238e714fd48b3448939699e9f085418af351c42b401a1227 | EMPTYSPACE Downloader (Python Variant) |
| V2: 8c25b73245ada24d2002936ea0f3bcc296fdcc9071770d81800a2e76bfca3617 | ||
| V3: b9ffba378d4165f003f41a619692a8898aed2e819347b25994f7a5e771045217 | ||
| V4: 84674ae8db63036d1178bb42fa5d1b506c96b3b22ce22a261054ef4d021d2c69 | ||
| C:\Program Files (x86)\WinSoft Update Service\program.pyz | 15d977dae1726c2944b0b4965980a92d8e8616da20e4d47d74120073cbc701b3 | QUIETBOARD Backdoor |
| 26d93501cb9d85b34f2e14d7d2f3c94501f0aaa518fed97ce2e8d9347990decf | ||
| 26e943db620c024b5e87462c147514c990f380a4861d3025cf8fc1d80a74059a | ||
| C:\windows\runtimebroker .exe | 71c9ce52da89c32ee018722683c3ffbc90e4a44c5fba2bd674d28b573fba1fdc | QUIETBOARD associated file |
| C:\Program Files (x86)\pyt37\python37.zip | 539a79f716cf359dceaa290398bc629010b6e02e47eaed2356074bffa072052f | QUIETBOARD associated file |
Network-Based IOCs
URL
- hxxps://bobsmith.apiworld[.]cf/license.php
- hxxps://arstechnica[.]com/civis/members/frncbf22.1062014/about/
- hxxps://evinfeoptasw.dedyn[.]io/updater.php
- hxxps://wjecpujpanmwm[.]tk/updater.php?from=USB1
- hxxps://eldi8.github[.]io/src.txt
- hxxps://evh001.gitlab[.]io/src.txt
- hxxps://vimeo[.]com/api/v2/video/804838895.json
- hxxps[://]monumental[.]ga/wp-admin[.]php
- hxxp[://]studiofotografico35mm[.]altervista[.]org/updater[.]php
- hxxp[://]ncnskjhrbefwifjhww[.]tk/updater[.]php
- hxxp[://]geraldonsboutique[.]altervista[.]org/updater[.]php
- hxxps[://]wjecpujpanmwm[.]tk/updater[.]php
- hxxps[://]captcha[.]grouphelp[.]top/updater[.]php
- hxxps[://]captcha[.]tgbot[.]it/updater[.]php
- hxxps://luke.compeyson.eu[.]org/runservice/api/public.php
- hxxps[://]luke[.]compeyson[.]eu[.]org/wp-admin[.]php
- hxxps://luke.compeyson.eu[.]org/runservice/api/public_result.php
- hxxps://eu1.microtunnel[.]it/c0s1ta/index.php
- hxxps[://]davebeerblog[.]eu[.]org/wp-admin[.]php
- hxxps://lucaespo.altervista[.]org/updater.php
- hxxps://lucaesposito.herokuapp[.]com/c0s1ta/index.php
- hxxps://euserv3.herokuapp[.]com/c0s1ta/index.php
.webp "Wiz Rejects Google’s $23 Billion Deal"){kind=small}
%20(1).webp "Cellebrite Tool Cracker Trump shooter’s Samsung Device in just 40 minutes"){kind=small}
