According to Checkpoint, a malware strain designed to propagate through USB drives is also affecting networked storage devices. The malware originates from a group known as Camaro Dragon, which the researchers have indicated carries out campaigns resembling those conducted by China's Mustang Panda and LuminousMoth.
Diving into details
In early 2023, an investigation into an incident at a European hospital indicated that the malicious activities observed were likely unintended consequences rather than a targeted attack.
- The cause of the infection has been attributed to the self-propagating malware spread via USB drives by the Camaro Dragon group.
- Checkpoint identified several updated versions of the malware toolset, including WispRider and HopperTick, which exhibited similar capabilities for spreading via USB drives, leading to the uncontrolled proliferation of the malware.
- These tools were found to be associated with other tools used by the same threat actor, such as the Go-based backdoor called TinyNote and a malicious router firmware implant known as HorseShell.
- Notably, all these tools shared infrastructure and demonstrated similar operational objectives, providing further evidence of the threat actor's activities.
How does the infection happen?
The infection process begins when a victim executes a malicious Delphi launcher found on an infected USB flash drive.
- This action activates a backdoor, which subsequently installs malware onto other drives when they are connected to the compromised machine.
- The malware presents higher risks for enterprise IT environments because infected machines proceed to install malware on newly connected network drives, while drives already connected to the machine at the time of infection are not affected.
- The malware, further, performs DLL sideloading, which involves utilizing components from security software such as G-DATA Total Security, as well as components from Electronic Arts and Riot Games.
The bottom line
The Camaro Dragon APT group continues to utilize USB devices as a means of infecting targeted systems. The attackers combine this approach with other well-established tactics, including DLL sideloading and evading detection from an antivirus solution. This propagation across multiple devices significantly amplifies the scope and potential impact of this threat.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/22f0_shutterstock_1902760141.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/0fcd_shutterstock_1331092814.jpg)
