A
threat
actor
with
a
suspected
China
nexus
has
been
linked
to
a
set
of
espionage
attacks
in
the
Philippines
that
primarily
relies
on
USB
devices
as
an
initial
infection
vector.

Mandiant,
which
is
part
of
Google
Cloud,
is
tracking
the
cluster
under
its
uncategorized
moniker

UNC4191.
An
analysis
of
the
artifacts
used
in
the
intrusions
indicates
that
the
campaign
dates
as
far
back
as
September
2021.

“UNC4191
operations
have
affected
a
range
of
public
and
private
sector
entities
primarily
in
Southeast
Asia
and
extending
to
the
U.S.,
Europe,
and
APJ,”
researchers
Ryan
Tomcik,
John
Wolfram,
Tommy
Dacanay,
and
Geoff
Ackerman

said.

“However,
even
when
targeted
organizations
were
based
in
other
locations,
the
specific
systems
targeted
by
UNC4191
were
also
found
to
be
physically
located
in
the
Philippines.”

The
reliance
on
infected
USB
drives
to
propagate
the
malware
is
unusual
if

not
new.
The

Raspberry
Robin
worm,
which
has

evolved
into
an
initial
access
service
for
follow-on
attacks,
is
known
to
use
USB
drives
as
an
entry
point.

The
threat
intelligence
and
incident
response
firm
said
that
the
attacks
led
to
the
deployment
of
three
new
malware
families
dubbed
MISTCLOAK,
DARKDEW,
BLUEHAZE,
and

Ncat,
the
latter
of
which
is
a
command-line
networking
utility
that’s
used
to
create
a
reverse
shell
on
the
victim
system.

MISTCLOAK,
for
its
part,
gets
activated
when
a
user
plugs
in
a
compromised
removable
device
to
a
system,
acting
as
a
launchpad
for
an
encrypted
payload
called
DARKDEW
that’s
capable
of
infecting
removable
drives,
effectively
proliferating
the
infections.

“The
malware
self-replicates
by
infecting
new
removable
drives
that
are
plugged
into
a
compromised
system,
allowing
the
malicious
payloads
to
propagate
to
additional
systems
and
potentially
collect
data
from

air-gapped

systems,”
the
researchers
explained.

The
DARKDEW
dropper
further
serves
to
launch
another
executable
(“DateCheck.exe”),
a
renamed
version
of
a
legitimate,
signed
application
known
as “Razer
Chromium
Render
Process”
that
invokes
the
BLUEHAZE
malware.

BLUEHAZE,
a
launcher
written
in
C/C++,
takes
the
attack
chain
forward
by
starting
a
copy
of
Ncat
to
create
a
reverse
shell
to
a
hardcoded
command-and-control
(C2)
address.

“We
believe
this
activity
showcases
Chinese
operations
to
gain
and
maintain
access
to
public
and
private
entities
for
the
purposes
of
intelligence
collection
related
to
China’s
political
and
commercial
interests,”
the
researchers
said.