USB Drives Spread Spyware as China's Mustang Panda APT Goes Global

Espionage malware that spreads by self-propagating through infected USB drives is back, surfacing recently in an incident at a European healthcare institution, researchers have found.

Researchers at Check Point Research discovered the backdoor, which they've dubbed WispRider. The campaign is the work of the Chinese-state-sponsored APT that Check Point tracks as "Camaro Dragon," but which is probably better known as Mustang Panda (aka Luminous Moth and Bronze President).

Check Point first discovered the malware when an employee who had participated in a conference held in Asia came home with an infected USB drive, researchers revealed in a blog post published June 22. Apparently, the employee — dubbed "Patient Zero" by the researchers — had shared his presentation with fellow attendees using his USB drive, and one of his colleagues there passed on the infection from his computer, they said.

"Consequently, upon returning to the healthcare institution in Europe, the employee inadvertently introduced the infected USB drive, which led to spread of the infection to the hospital's computer systems," Check Point researchers wrote in the report.

The incident shows how the APT, which previously primarily focused its cyber espionage activities on organizations in Southeast Asia, is now extending its reach globally, they said. Indeed, despite China's tacit support for Russia's war against Ukraine, Mustang Panda already was seen last year mounting a cyberespionage campaign against the Russian military.

The research also highlights the "alarming" role USB drives play in spreading malware quickly and often unbeknownst to users — even across air-gapped systems. "These malicious programs possess the ability to self-propagate through USB drives, making them potent carriers of infection, even beyond their intended targets," Check Point researchers wrote in the post.

WispRider, an Evolving Malware Payload

The main payload of the campaign discovered by the researchers is called WispRider, which is a backdoor outlined in a report late last year by Avast — in which the toolset was called "SSE." It's since been fortified with additional features, Check Point researchers said.

For one, it propagates through USB drives using a launcher called HopperTick, and also includes a bypass for SmadAV, an antivirus solution popular in Southeast Asia. The malware also performs DLL-side-loading using components of security software, such as G-DATA Total Security, and of two major gaming companies, Electronic Arts and Riot Games, the researchers said. Check Point notified the companies of the use of their components in the malware, they said.

WispRider and Hopper Tick align with other tools by wielded by Mustang Panda in terms of infrastructure and operational goals, allowing for their attribution to the Chinese APT, the researchers noted. Related malware also used by the threat actor include a Go-based backdoor called TinyNote, and a malicious router firmware implant named HorseShell.

The WispRider infection begins when a benign USB thumb drive is inserted into an infected computer, the researchers explained. The malware detects a new device inserted into the PC and manipulates its files, creating several hidden folders at the root of the thumb drive. It then copies into the thumb drive a Delphi loader with the name of the original thumb drive, and a USB thumb drive icon.

Interestingly, there is no special technique used in this USB infection flow to automatically run the Delphi launcher; instead, it relies on social engineering, the researchers explained.

"The victims can no longer see their files on the drive and are left only with the executable, which they will likely click to reveal their files — thereby setting off an infection flow of the machine," they wrote in the post.

WispRider acts as both an infector and backdoor, side loading as a DLL that includes both the USB infector component and the backdoor itself, the researchers said. It has execution flows to run both from an infected machine or to infect a machine if it hasn't already been infected, they explained.

The latter "is likely an alternative infection vector which delivers the malware to the targeted network when the actors cannot rely on the USB propagation, as they can’t physically access the machine to plug in an infected drive," researchers wrote.

Moreover, based on known tactics of Mustang Panda, the non-USB WispRider infections likely originate via "spear-phishing campaigns that deliver an archive with all the infection-related files and assure the legitimate executable runs with a relevant argument," they wrote.

Mitigating USB-Borne Cyber Threats

USB-propagated infections have been around for two decades, but are increasingly becoming a popular attack vector of APTs and other large cybercriminal groups because of how rapidly threat actors can spread various types of malware via this vector. It also allows them to sneak malware onto otherwise heavily secured networks via individual devices, the users of which may be unaware that they are carrying an infection.

Indeed, the FBI warned earlier this year of a USB cyberattack campaign in which threat group FIN7 was actually mailing thumb drives to US organizations with the explicit goal of delivering ransomware into their environments.

Due to the increasing nature and large surface area of these attacks, Check Point researchers made a number of recommendations to help organizations protect themselves against USB drive-based attacks: