Cyber espionage activity relying on USB devices as an initial infection vector has been spotted targeting public and private entities in Southeast Asia, and the Philippines in particular.
Cybersecurity experts at Mandiant shared their findings about the new campaigns on Monday, attributing them to a China-based threat actor they call UNC4191.
According to the technical write-up, UNC4191 operations have affected several entities in Southeast Asia but also in the US, Europe, and Asia Pacific and Japan.
“However, even when targeted organizations were based in other locations, the specific systems targeted by UNC4191 were also found to be physically located in the Philippines,” Mandiant wrote.
In terms of attack strategy, following initial infection via USB devices, the threat actor leveraged legitimately signed binaries to side-load malware, including three new families Mandiant named Mistcloak, Darkdew and Bluehaze.
The first of the three, Mistcloak, is responsible both for side-loading a malicious file that impersonates a legitimate dynamic link library (DLL) and for launching an encrypted file. The second phase of the attack involves Darkdew, an encrypted DLL payload that can infect removable drives to enable self-propagation. Finally, Bluehaze executes to achieve system persistence.
“Successful compromise led to the deployment of a renamed NCAT binary and execution of a reverse shell on the victim’s system, providing backdoor access to the threat actor,” the security researchers explained.
“The malware self-replicates by infecting new removable drives that are plugged into a compromised system, allowing the malicious payloads to propagate to additional systems and potentially collect data from air-gapped systems.”
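As an added defender-side example (not code from the article or from Mandiant), the following Python script flags two of the behaviours described above in Sysmon-style telemetry: a renamed NCAT binary (the PE version resource still says ncat.exe while the on-disk name differs) and an unsigned DLL loaded from the same directory as the executable that loads it, which is the typical side-loading shape. Field names follow Sysmon's process-create (EID 1) and image-load (EID 7) events; the sample events, paths and file names are constructed for the example and are not indicators from the report.

```python
import json
import ntpath

# Constructed Sysmon-style events (EID 1 = process create, EID 7 = image load).
# All paths and names below are made up for illustration, not real IoCs.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "Image": "E:\\Tools\\vendor_tool.exe",
     "OriginalFileName": "vendor_tool.exe"},
    {"EventID": 7, "Image": "E:\\Tools\\vendor_tool.exe",
     "ImageLoaded": "E:\\Tools\\helper.dll", "Signed": "false"},
    {"EventID": 7, "Image": "E:\\Tools\\vendor_tool.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"},
    {"EventID": 1, "Image": "C:\\ProgramData\\updater.exe",
     "OriginalFileName": "ncat.exe"},
    {"EventID": 1, "Image": "C:\\Program Files\\Nmap\\ncat.exe",
     "OriginalFileName": "ncat.exe"},
])

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def is_renamed_ncat(ev):
    """EID 1 where the version resource says ncat.exe but the file name differs."""
    if ev.get("EventID") != 1:
        return False
    original = ev.get("OriginalFileName", "").lower()
    on_disk = ntpath.basename(ev.get("Image", "")).lower()
    return original == "ncat.exe" and on_disk != original

def is_suspect_sideload(ev):
    """EID 7 where an unsigned DLL is loaded from the loading process's own
    directory and that directory is not a Windows system directory."""
    if ev.get("EventID") != 7 or ev.get("Signed", "").lower() != "false":
        return False
    dll, exe = ev.get("ImageLoaded", ""), ev.get("Image", "")
    if not dll or not exe:
        return False
    dll_dir = ntpath.dirname(dll).lower() + "\\"
    exe_dir = ntpath.dirname(exe).lower() + "\\"
    return dll_dir == exe_dir and not dll_dir.startswith(SYSTEM_DIRS)

def scan(jsonl):
    """Return (rule_name, path) for every event in the JSON-lines input that matches."""
    hits = []
    for line in jsonl.splitlines():
        ev = json.loads(line)
        if is_renamed_ncat(ev):
            hits.append(("renamed_ncat", ev["Image"]))
        if is_suspect_sideload(ev):
            hits.append(("suspect_sideload", ev["ImageLoaded"]))
    return hits

if __name__ == "__main__":
    for rule, path in scan(SAMPLE_EVENTS):
        print(f"{rule}: {path}")
```

The renamed-binary rule needs the OriginalFileName field, which Sysmon populates from the PE version resource, so it is silent when that resource has been stripped or altered.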
Mandiant added that, based on the gathered data, the UNC4191 campaign potentially extends back to September 2021.
“We believe this activity showcases Chinese operations to gain and maintain access to public and private entities for the purposes of intelligence collection related to China’s political and commercial interests,” the company wrote.
“Our observations suggest that entities in the Philippines are the main target of this operation based on the number of affected systems located in this country that were identified by Mandiant.”
The advisory comes months after threat actor Luckymouse was spotted using a trojanized version of the cross-platform messaging app MiMi to backdoor devices in the Philippines and Taiwan.