Dark Reading is part of the Informa Tech Division of Informa PLC



6/3/2020 05:25 PM

Kaspersky IDs Sophisticated New Malware Targeted at Air-Gapped Systems

'USBCulprit' is one of several tools suggesting that the previously known Cycldek group is more dangerous than previously assumed, the security vendor says.

A likely China-based threat actor called Cycldek, which security researchers have previously dismissed as a somewhat marginal group with relatively unsophisticated capabilities, may be considerably more dangerous than previously thought.

That's security vendor Kaspersky's analysis after a new examination of the threat group's malware toolset and operations. In a report this week, Kaspersky researchers describe numerous previously unknown details suggesting that Cycldek operators have an extensive foothold in the networks of several high-profile targets in Vietnam, Laos, and Thailand. Since at least 2018, the group (aka Goblin Panda and Conimes) has been using a variety of new tools, tactics, and procedures in attacks against government agencies in these countries, Kaspersky says.

Among the new tools is one called USBCulprit, which appears designed for use in air-gapped environments where systems are not directly accessible from an external network. According to Kaspersky, its analysis shows the malware is capable of stealing targeted data from an infected system and passing it on to connected USB drives. The malware is programmed to copy itself selectively to certain USB drives so it can move laterally to other air-gapped systems each time an infected USB drive is inserted into one.

Mark Lechtik, senior security researcher at Kaspersky, says USBCulprit has no capability of communicating over the network and can only pass any information it has stolen to physical media. The fact that it profiles the network connectivity of the infected system and copies this information along with stolen documents to removable drives suggests it was mostly designed to target air-gapped machines, he says.

"To deploy USBCulprit on an air-gapped system, the USB would have to be physically connected to it and an operator would have to manually launch the malware's executable, either on purpose or by mistake," Lechtik notes. The US-led Stuxnet cyberattack that physically destroyed numerous centrifuges at Iran's Natanz uranium enrichment plant in 2012 is believed to have begun this way, with someone inserting a weaponized USB into a critical system at the facility.

What is not clear, however, is the tactic that Cycldek operators are using to exfiltrate data from USBs. It's quite possible that copying data to the USBs is the end game and the attackers are manually collecting the drives later.

Data Exfiltration
But somewhat puzzlingly, Kaspersky's analysis shows that USBCulprit is also able to dump stolen data from a connected USB drive to a local disk on systems that contain a special marker file named "1.txt" in a specific path, Lechtik says. This is true regardless of whether the system is connected to the network.

"We know that systems that were previously marked with the special '1.txt' file [are] theoretically capable of exfiltrating the data somehow," he says.

Kaspersky has been unable to find any evidence of how these specially marked systems then exfiltrate the stolen data.

"We can assume that it is either being done by another piece of malware that we don't have visibility on or that the USBs were picked up by a human handler after data was copied to them, avoiding the need to issue it over the network," Lechtik says.

What's also not clear is the specific data Cycldek operators are going after with USBCulprit. The malware collects documents based on file extensions and where the documents are located on the system — for example, Desktop, Recent Documents, and other directories. The malware doesn't appear to distinguish files based on actual content, so there is no way of identifying the nature of the documents that Cycldek might be fetching from air-gapped systems in government organizations.
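The collection pattern just described (documents chosen by extension and by user-profile location, then written to removable media) can be hunted for by correlating file telemetry per process. The Python below is an added example for defenders, not code from Kaspersky's report or from the malware itself; the log format, the extension and directory lists, the threshold, the process names and the sample lines are all constructed assumptions, so map them onto whatever file-activity telemetry your endpoints actually produce.

```python
"""Hunting helper: flag processes that read documents from user-profile
locations and write documents to removable media in the same session.

Added example modeled on the behaviour described in the article; it is not
Kaspersky's or the malware's code. Everything below that looks specific
(log format, extensions, directories, thresholds, sample lines) is an
assumption constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Assumed document extensions an operator might harvest (not from the article).
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf", ".txt"}

# Locations the article names (Desktop, Recent) plus Documents; matched as
# path fragments, lower-cased, with surrounding backslashes.
USER_DOC_DIRS = ("\\desktop\\", "\\recent\\", "\\documents\\")


@dataclass(frozen=True)
class FileEvent:
    process: str      # image name of the acting process
    pid: int
    op: str           # "read" or "write"
    path: str         # full path touched
    removable: bool   # True if the volume is removable media


def parse_event(line: str) -> FileEvent:
    """Parse one constructed pipe-delimited telemetry line:
    process|pid|op|path|removable(0/1)."""
    proc, pid, op, path, removable = line.rstrip("\n").split("|")
    return FileEvent(proc, int(pid), op.lower(), path, removable == "1")


def is_document(path: str) -> bool:
    lower = path.lower()
    return any(lower.endswith(ext) for ext in DOC_EXTENSIONS)


def in_user_doc_dir(path: str) -> bool:
    lower = path.lower()
    return any(frag in lower for frag in USER_DOC_DIRS)


def find_staging_processes(events: Iterable[FileEvent],
                           min_docs: int = 3) -> Dict[Tuple[str, int], Tuple[int, int]]:
    """Return {(process, pid): (distinct docs read, distinct docs written to
    removable media)} for processes that did both at or above min_docs.
    Backup and sync tools will also match; this surfaces candidates for
    analyst review rather than deciding maliciousness on its own."""
    reads = defaultdict(set)
    writes = defaultdict(set)
    for ev in events:
        key = (ev.process, ev.pid)
        if ev.op == "read" and is_document(ev.path) and in_user_doc_dir(ev.path):
            reads[key].add(ev.path)
        elif ev.op == "write" and ev.removable and is_document(ev.path):
            writes[key].add(ev.path)
    hits = {}
    for key in reads.keys() & writes.keys():
        if len(reads[key]) >= min_docs and len(writes[key]) >= min_docs:
            hits[key] = (len(reads[key]), len(writes[key]))
    return hits


# Constructed sample telemetry: one suspicious process, two benign ones.
SAMPLE_LOG = """\
explorer.exe|1200|read|C:\\Users\\alice\\Desktop\\notes.txt|0
update.exe|4412|read|C:\\Users\\alice\\Desktop\\budget.xlsx|0
update.exe|4412|read|C:\\Users\\alice\\Desktop\\plan.docx|0
update.exe|4412|read|C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\memo.pdf|0
update.exe|4412|write|E:\\data\\budget.xlsx|1
update.exe|4412|write|E:\\data\\plan.docx|1
update.exe|4412|write|E:\\data\\memo.pdf|1
winword.exe|3300|read|C:\\Users\\alice\\Desktop\\plan.docx|0
winword.exe|3300|write|C:\\Users\\alice\\Desktop\\plan.docx|0
"""


def run_sample() -> Dict[Tuple[str, int], Tuple[int, int]]:
    events = [parse_event(line) for line in SAMPLE_LOG.splitlines()]
    return find_staging_processes(events)


if __name__ == "__main__":
    for (proc, pid), (n_read, n_written) in run_sample().items():
        print(f"candidate: {proc} (pid {pid}) read {n_read} docs, wrote {n_written} to removable media")
```

The read side keys on the user-profile locations the article names and the write side on the removable-media flag, so a process must do both before it is reported; raising `min_docs` trades recall for fewer benign backup tools in the output.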

The operators of Cycldek appear to have been using USBCulprit at least since 2014 and modifying it ever since. The latest version contains a feature that suggests the malware's functionality can be extended with new modules as needed.

Kaspersky researchers observed the malware being used by what appear to be two separate groups under the Cycldek umbrella. Available data suggests a certain level of cooperation and shared tools between the two entities. But the infrastructure being used and the behaviors on infected systems differ between them, Kaspersky says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5421
PUBLISHED: 2020-09-19
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
CVE-2020-8225
PUBLISHED: 2020-09-18
A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials.
CVE-2020-8237
PUBLISHED: 2020-09-18
Prototype pollution in json-bigint npm package < 1.0.0 may lead to a denial-of-service (DoS) attack.
CVE-2020-8245
PUBLISHED: 2020-09-18
Improper Input Validation on Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11....
CVE-2020-8246
PUBLISHED: 2020-09-18
Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-W...