Executive summary

In early 2023, the Check Point Incident Response Team (CPIRT) investigated a malware incident at a European healthcare institution involving a set of tools mentioned in the Avast report in late 2022. The incident was attributed to Camaro Dragon, a Chinese-based espionage threat actor whose activities overlap with activities tracked by different researchers as Mustang Panda and LuminousMoth, and whose focus is primarily on Southeast Asian countries and their close peers.

The malware gained access to the healthcare institution's systems through an infected USB drive. During the investigation, the Check Point Research (CPR) team discovered newer versions of the malware with similar capabilities to self-propagate through USB drives. In this way, malware infections originating in Southeast Asia spread uncontrollably to different networks around the globe, even if those networks are not the threat actors' primary targets.

The main payload variant, called WispRider, has undergone significant revisions. In addition to backdoor capabilities and the ability to propagate through USB using the HopperTick launcher, the payload includes additional features, such as a bypass for SmadAV, an anti-virus solution popular in Southeast Asia. The malware also performs DLL side-loading using components of security software, such as G-DATA Total Security, and of two major gaming companies (Electronic Arts and Riot Games). Check Point Research responsibly notified these companies of the above-mentioned use of their software by the attackers.

The findings in this report, along with corroborating evidence from other industry reports, confirm that Chinese threat actors, including Camaro Dragon, continue to effectively leverage USB devices as an infection vector.

The prevalence and nature of the attacks using self-propagating USB malware demonstrate the need to protect against them, even for organizations that may not be the direct targets of such campaigns. We found evidence of USB malware infections in at least the following countries: Myanmar, South Korea, Great Britain, India and Russia.

  • 🇺🇦 seirim @lemmy.pro (OP) · edited · 1 year ago

    For more info, see The Register: https://www.theregister.com/2023/06/23/camaro_dragon_usb_malware_spreads/

    Malware intended to spread on USB drives is unintentionally infecting networked storage devices, according to infosec vendor Checkpoint.

    The software nasty comes from a group called Camaro Dragon that Checkpoint’s researchers on Thursday suggested conduct campaigns similar to those run by China’s Mustang Panda and LuminousMoth attack gangs.

    Checkpoint regards Camaro Dragon as most interested in Asian targets – its code includes features designed to hide it from SmadAV, an antivirus solution popular in the region.

    Even so, the firm first spotted the gang’s activities in Europe!

    “Patient Zero in the malware infection was identified as an employee who had participated in a conference in Asia,” Checkpoint’s researchers wrote. “He shared his presentation with fellow attendees using his USB drive. Unfortunately, one of his colleagues had an infected computer, so his own USB drive unknowingly became infected as a result.

    “Upon returning to his home hospital in Europe, the employee introduced the infected USB drive to the hospital’s computer systems, which led the infection to spread.”