USBCulprit Malware Aims To Target Air-Gapped Systems
USBCulprit is an espionage tool forminng part of the NewCore malware that links back to Cycldek. The tool can work over USBs targeting air-gapped machines.
Admins managing air-gapped systems should now remain very careful as new malware is there to target them. Identified as USBCulprit, the malware aims at air-gapped systems as it relies on USB for data exfiltration.
Researchers from Kaspersky Labs have caught a new malware from an old established Chinese APT Cycldek.
Sharing the details in a blog post, researchers revealed that they detected a new malware from Cycldek, dubbed USBCulprit. This malware is so named because it depends on USB media to steal data. This property hints towards the malware’s ability to target air-gapped systems as well.
In brief, they analyzed a new malware, NewCore RAT malware that they found in recent attacks from the threat group. They could detect two variants of the malware, which they names BlueCore and RedCore, that formed two clusters of activity.
Yet, despite the differences in the functionalities, the C&C servers, and geographical focus, they possessed some similarities too. One of these similarities is the use of USBCulprit – a previously unreported espionage tool.
USBCulprit can scan paths in target devices, steal files with specified extensions, and move them to USB drives when connected. Besides, it is capable of lateral movement by self-replication on files stored in removable drives. These traits make it perfect to infect air-gapped machines.
As stated by the researchers,
The characteristics of the malware can give rise to several assumptions about its purpose and use cases, one of which is to reach and obtain data from air-gapped machines. This would explain the lack of any network communication in the malware, and the use of only removable media as a means of transferring inbound and outbound data.
Malware Active In The Wild
Though USBCulprit remained unidentified until recently. However, this isn’t a new malware.
In fact, researchers suspect that the malware is in the wild since 2014. Whereas, it underwent some changes in 2019, one of which is the ability to execute specified files from a connected USB.
Regarding the geographical target, they elaborated that Cycldek has been targeting Southeast Asian regions for long. Even in the recent campaign of 2019 that caught Kaspersky’s attention, the two variants targeted different countries in the same region.
Precisely, the BlueCore aimed at Vietnam, Laos, and Thailand, whereas, the RedCore targeted Vietnam, later moving on to Laos and never to Thailand.
Researchers believe that the threat actors will continue to target the same region with the new malware too. This time, including the air-gapped systems as well in their targets.
Let us know your thoughts in the comments.