Mandiant Managed Defense, a managed detection and response (MDR) subscription service that provides monitoring services to customers, has discovered an ongoing cyber espionage campaign in which USB devices are used to target victims in the Philippines. According to the report, the notorious China-nexus group is behind the malware campaign.
The campaign’s goal is to use side-loaded malware to steal information from victims’ devices; the three main malware families in operation are MISTCLOAK, DARKDEW, and BLUEHAZE. The threat actor’s activity is tracked as UNC4191 and has continuously affected public and private sector entities in Southeast Asia. The campaign has also spread to the U.S., Europe, and the APJ region, while the Philippines remains the central target.
China-nexus hackers operating with USB malware
oh USB malware is still alive and well! Great work by @Mandiant on #China and a pretty unique campaign by UNC4191 @heferyzan @_gackerman_ @Big_Bad_W0lf_ @tommysec https://t.co/ZXbEPdRM2T pic.twitter.com/Zfjv0rpD0W
— Cris Brafman Kittner (@criskittner) November 28, 2022
In Q1, China-nexus became one of the most talked-about threat groups hailing from China. The group allegedly hacked into the media giant News Corp and compromised private data, including that of employees and journalists. Within the same timeframe, David Wong, Vice President of Consulting at Mandiant, claimed that the “hackers behind the attack were believed to be a China nexus, and were running the espionage to collect confidential information to benefit China’s interest,” according to a report by The Economic Times.
With this follow-up attack, China-nexus is technically gaining the same momentum but using a different approach to target victims in Asia. At the time of writing, its victims included corporations, individuals, and government entities in the Philippines. The group is also slowly expanding into other parts of the world to run the same campaign and steal confidential information.
Technical analysis of China-nexus USB malware campaign
To further break down the tooling used by the threat actor, let’s see how China-nexus attacks and what the breach can do to a victim’s devices. Once the initial implant is in place, a copy of the NCAT binary is dropped and executed to open a reverse shell on the victim’s system. This gives the threat actor backdoor access, which can be used to side-load further malware, replicate it, and ultimately spread it across the system to collect data.
The four main malware used in their operation come from the following families:
- MISTCLOAK: A launcher, usually written in C++, that executes a payload on the victim’s system.
- BLUEHAZE: Also a launcher written in C/C++, but one that works by executing a copy of NCAT to build a reverse shell to a hardcoded command-and-control (C2) server.
- DARKDEW: Unlike the other two, DARKDEW is a dropper written in C++ that can be used to inject malware into USB drives.
- NCAT: NCAT is a command-line networking program developed as part of the Nmap Project that performs various networking, security, and administration functions. While NCAT can be used for lawful reasons, threat actors may also use it to upload or download data, build backdoors or reverse shells, and tunnel traffic to circumvent network constraints.
Three stages of USB infection
The infection cycle goes through three phases, with the victim’s and threat actor’s involvement beginning at MISTCLOAK. Each phase relies on a different malware family, as follows:
In the first stage, the initial exchange between the threat actor and the victim takes place. Once the user plugs in a compromised removable device, the initial binaries are altered to side-load the MISTCLOAK malware, which masquerades as a DLL file. MISTCLOAK acts as a launcher for the usb.ini file, which is used to further compromise the victim’s system.
The second phase begins with the usb.ini file, which contains the DLL payload. Once launched, DARKDEW starts copying files and folders from the drive and launches DateCheck.exe before exiting.
In the last stage, BLUEHAZE comes into action: it is invoked through the getRoot function to load the malware file RzLog4CPP.dll. BLUEHAZE then creates a new directory named CNNUDTV and copies all the files into it. Once that is complete, it executes wuwebv.exe, which opens a reverse shell to the hard-coded C2 server address.
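As an added example (not from Mandiant's report or this article), the following Python hunt runs the file-name indicators named in the three stages above (DateCheck.exe, RzLog4CPP.dll, the CNNUDTV directory, wuwebv.exe) over process, image-load and network telemetry in JSON-lines form. The event schema is an assumption, the sample events are constructed, and 203.0.113.10 is a documentation address standing in for a C2 server.

```python
import json
from pathlib import PureWindowsPath

# File names the article attributes to each stage of the chain (matched case-insensitively).
STAGE_FILES = {
    "datecheck.exe": ("DARKDEW", "DateCheck.exe launched by the DARKDEW dropper"),
    "rzlog4cpp.dll": ("BLUEHAZE", "RzLog4CPP.dll side-loaded as BLUEHAZE"),
    "wuwebv.exe": ("NCAT", "wuwebv.exe, the renamed NCAT copy"),
}
STAGING_DIR = "cnnudtv"  # directory BLUEHAZE copies its files into

# Constructed sample telemetry (JSON lines), not real logs; the schema is assumed.
SAMPLE_LINES = [
    r'{"type": "process", "image": "C:\\Windows\\explorer.exe"}',
    r'{"type": "process", "image": "E:\\DateCheck.exe"}',
    r'{"type": "image_load", "process": "E:\\DateCheck.exe", "module": "E:\\RzLog4CPP.dll"}',
    r'{"type": "process", "image": "C:\\Users\\u\\CNNUDTV\\wuwebv.exe"}',
    r'{"type": "network", "process": "C:\\Users\\u\\CNNUDTV\\wuwebv.exe", "dst": "203.0.113.10:443"}',
]

def _name(path):
    return PureWindowsPath(path).name.lower()

def classify(event):
    """Return (family, reason) when one event matches the chain, else None."""
    kind = event["type"]
    if kind == "image_load" and _name(event["module"]) in STAGE_FILES:
        return STAGE_FILES[_name(event["module"])]
    if kind == "process":
        if _name(event["image"]) in STAGE_FILES:
            return STAGE_FILES[_name(event["image"])]
        parents = {p.lower() for p in PureWindowsPath(event["image"]).parts[:-1]}
        if STAGING_DIR in parents:
            return ("BLUEHAZE", "process started from the CNNUDTV staging directory")
    if kind == "network" and _name(event["process"]) == "wuwebv.exe":
        return ("NCAT", f"wuwebv.exe connected out to {event['dst']}")
    return None

def hunt(lines):
    """Parse JSON-lines telemetry and return every (family, reason) hit in order."""
    hits = []
    for line in lines:
        if line.strip():
            verdict = classify(json.loads(line))
            if verdict:
                hits.append(verdict)
    return hits

def chain_complete(hits):
    """True when the DARKDEW, BLUEHAZE and NCAT stages were all observed."""
    return {"DARKDEW", "BLUEHAZE", "NCAT"} <= {family for family, _ in hits}

if __name__ == "__main__":
    for family, reason in hunt(SAMPLE_LINES):
        print(family, "-", reason)
```

A single hit on one file name is only a lead; chain_complete() is the signal worth escalating, since it requires the dropper, the side-loaded launcher and the outbound NCAT stage to all appear.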