The Cycldek APT group has added a previously unknown malware dubbed USBCulprit to its arsenal, aimed at reaching air-gapped devices.
Cycldek (a.k.a. Goblin Panda, APT 27 and Conimes) has been targeting governments in Southeast Asia since 2013, according to analysis from Kaspersky, and has been steadily adding more sophisticated tools over time. In the case of USBCulprit, it has been deployed against targets in Vietnam, Thailand and Laos, according to the firm.
“It possesses both lateral movement (ability to move through the network to obtain the targeted data) and data-stealing capabilities,” Kaspersky analysts said in research issued on Wednesday.
They added that USBCulprit’s other features suggest that it was built to reach physically isolated machines, where the only way to transfer inbound and outbound data is with removable media such as a USB drive.
“Once installed, it scans various paths on the infected device, collecting documents that possess certain extensions,” according to the analysis. “These documents are then transferred to USB drives connected to the system. This suggests the malware was designed to reach air-gapped machines, or those that are not directly connected to the internet or any other computer connected to internet.”
Infection Routine
In analyzing the code, Kaspersky found that the first build for the binary dates back to 2014, with the latest sample timestamped last year.
Most observed attacks start with phishing emails that contain politically themed, boobytrapped RTF documents that exploit known vulnerabilities. Once compromised, the victims are infected with a payload malware called NewCore RAT.
“This malware consists of two variants with advanced data stealing capabilities: BlueCore and RedCore,” according to Kaspersky. “BlueCore appears to have been deployed against diplomatic and government targets in Vietnam, while RedCore was first deployed in Vietnam before being found in Laos.”
Both “Cores” in turn download USBCulprit (and other tools, such as a custom backdoor, a tool for stealing cookies and a tool that steals passwords from Chromium based browser databases). The malware is implanted as a side-loaded DLL of legitimate, signed applications.
“Such applications included AV components like wsc_proxy.exe (Avast remediation service), qcconsol.exe and mcvsshld.exe (McAfee components), as well as legitimate Microsoft and Google utilities like the resource compiler (rc.exe) and Google Updates (googleupdate.exe),” said the researchers. “These tools could be used in order to bypass weak security mechanisms like application whitelisting, grant the malware additional permissions during execution or complicate incident response.”
USBCulprit Under the Hood
Once USBCulprit is loaded to memory and executed, it operates in three phases: Data scanning and recon, data exfiltration to or from a USB device, and lateral movement.
In the data collection stage, the malware calls two functions, named “CUSB::RegHideFileExt” and “CUSB::RegHideFile,” which modify registry keys to hide the extensions of files in Windows and verify that hidden files are not shown to the user. It also scans the infected machine to enumerate the files it intends to steal using a function named “CUSB::USBFindFile.” The malware scans for the following extensions: *.pdf;*.doc;*.wps;*docx;*ppt;*.xls;*.xlsx;*.pptx;*.rtf.
“The chosen files are then grouped into encrypted RAR archives,” the researchers wrote, adding that “sought documents can be filtered by their modification date.”
Next up is the info-stealing phase, which also includes functions for capturing USB data. The malware attempts to intercept the connection of new media and verify that it corresponds to a removable drive. When it detects that a USB is connected, the malware then determines whether RAR archives should be copied to the removable drive, or if additional data should be taken from it and copied locally.
“To do this, a directory named ‘$Recyc1e.Bin’ will be searched in the drive and if not found, will be created,” according to the analysis. “This directory will be used as the target path for copying files to the drive or source path for obtaining them from it. To understand which direction of file copy should take place, a special marker file named ‘1.txt’ is searched locally. If it exists, the malware would expect to find the aforementioned ‘$Recyc1e.Bin’ directory in the drive with previously stolen document archives and attempt to copy it to the disk. Otherwise, the local archive files will be copied to the same directory from the disk to the drive.”
In the final, lateral-movement stage, the existence of another marker file named ‘2.txt’ will be checked locally to decide if lateral movement should be conducted or not. USBCulprit is also capable of updating itself or extending its execution with further modules “by looking for the existence of predefined files in the USB and executing them.”
Also, some variants issue commands to gather various pieces of host network information, Kaspersky found: “These are logged to a file that is later transferred along with the stolen data to the USB and can help attackers profile whether the machine in which the malware was executed is indeed part of a segregated network.”
The Air-Gap Effect
The researchers noted that USBCuprit uses only removable media as a means of transferring inbound and outbound data. That said, the malware does not automatically execute upon USB connection, which “leads us to believe the malware is supposed to be run manually by a [physically present] human handler,” researchers said.
In one infection, “we saw that the same sample was executed from various drive locations, suggesting it was indeed spread around,” according to the analysis. “This, along with the very specific files that the malware seeks as executable extensions and could not be found as artifacts elsewhere in our investigation, point to a human factor being required to assist deployment of the malware in victim networks.”
In all, the findings show that Cycldek is steadily increasing its sophistication, the researchers concluded.
“Our analysis has shown that this group is not the minor, less advanced actor that it was previously believed to be,” said Mark Lechtik, senior security researcher at Kaspersky GReAT, in a media statement. “In fact, it has a much wider presence in Southeast Asia and a much more sophisticated toolset than initial reports suggested.”
“It is also likely that attacks by Cycldek against high-profile targets in Southeast Asia will continue,” added Giampaolo Dedola, senior security researcher at Kaspersky GReAT. “This group’s activity has not only not ceased since 2013, but it continues to evolve by adding new malware and targeting new countries. We will be continuing to monitor Cycldek’s activity.”