USB Drives Spread Spyware as China's Mustang Panda APT Goes Global
Camaro Dragon (Mustang Panda) is spreading a malware variant of WispRider quickly across the globe, even through air gaps, often unbeknownst to users.
June 22, 2023
Espionage malware that spreads by self-propagating through infected USB drives is back, surfacing recently in an incident at a European healthcare institution, researchers have found.
Researchers at Check Point Research discovered the backdoor, which they've dubbed WispRider. The campaign is the work of the Chinese-state-sponsored APT that Check Point tracks as "Camaro Dragon," but which is probably better known as Mustang Panda (aka Luminous Moth and Bronze President).
Check Point first discovered the malware when an employee who had participated in a conference held in Asia came home with an infected USB drive, researchers revealed in a blog post published June 22. Apparently, the employee — dubbed "Patient Zero" by the researchers — had shared his presentation with fellow attendees using his USB drive, and one of his colleagues there passed on the infection from his computer, they said.
"Consequently, upon returning to the healthcare institution in Europe, the employee inadvertently introduced the infected USB drive, which led to spread of the infection to the hospital's computer systems," Check Point researchers wrote in the report.
The incident shows how the APT, which previously focused its cyberespionage activities primarily on organizations in Southeast Asia, is now extending its reach globally, they said. Indeed, despite China's tacit support for Russia's war against Ukraine, Mustang Panda was already seen last year mounting a cyberespionage campaign against the Russian military.
The research also highlights the "alarming" role USB drives play in spreading malware quickly and often unbeknownst to users — even across air-gapped systems. "These malicious programs possess the ability to self-propagate through USB drives, making them potent carriers of infection, even beyond their intended targets," Check Point researchers wrote in the post.