In a recent revelation, cybersecurity firm Mandiant has exposed the activities of a financially motivated threat actor known as UNC4990. This sophisticated group is employing a unique combination of USB-based attacks and exploitation of legitimate online platforms, including GitHub, Vimeo, and Ars Technica. By concealing encoded payloads within seemingly harmless content on these platforms, UNC4990 manages to avoid detection and capitalizes on the trust associated with reputable content delivery networks.
UNC4990’s USB-Based Attack Tactics
The actions of UNC4990 involves initiating campaigns through USB devices containing malicious LNK shortcut files. Once these files are executed inadvertently by victims, a PowerShell script named explorer.ps1 is triggered. This script, in turn, downloads an intermediary payload, decoded to reveal a URL fetching the malware downloader called ‘EMPTYSPACE.’
The threat actor deploys various hosting methods for these intermediary payloads, including encoded text files on GitHub and GitLab. However, the group has shifted strategies to exploit Vimeo and Ars Technica for hosting Base64 encoded and AES-encrypted string payloads. Importantly, UNC4990 doesn’t exploit vulnerabilities in these platforms but cleverly uses regular features, such as Ars Technica forum profiles and Vimeo video descriptions.
These payloads, seemingly innocuous text strings within the hosting platforms, play a crucial role in the attack chain, facilitating the download and execution of malware. By embedding malicious payloads within legitimate content and leveraging reputable platforms, UNC4990 manages to operate under the radar, making it challenging for security systems to flag them as suspicious.
UNC4990’s Multi-Component Backdoor: QUIETBOARD
As the UNC4990 attack chain progresses, the threat group deploys QUIETBOARD, a sophisticated backdoor with diverse capabilities. Once activated, this multi-component backdoor executes commands from the command and control (C2) server. Some of its functionalities include altering clipboard content for cryptocurrency theft, infecting USB drives to propagate malware, capturing screenshots for information theft, and gathering detailed system and network information. QUIETBOARD exhibits persistence across system reboots and supports the addition of new functionalities through extra modules.
Despite traditional prevention measures, USB-based malware remains a significant threat, serving as an effective propagation medium for cybercriminals. UNC4990’s innovative approach of using seemingly innocuous platforms for intermediate payloads challenges conventional security paradigms and emphasizes the need for continuous vigilance in the dynamic landscape of cybersecurity.
Protecting Against UNC4990 and Similar Threats
- Enhance Endpoint Security: Strengthen endpoint security measures to detect and prevent the execution of malicious LNK shortcut files and PowerShell scripts.
- USB Device Vigilance: Exercise caution when using USB devices and avoid executing unfamiliar or suspicious files.
- Regular Security Audits: Conduct routine security audits to identify and mitigate vulnerabilities in systems and networks.
- User Education: Educate users about the risks associated with USB-based attacks and the importance of avoiding unknown or unverified content.
- Network Monitoring: Implement robust network monitoring to detect unusual activities and communications that may indicate a compromise.
- Update Security Policies: Regularly update security policies to address evolving threats and reinforce preventive measures.
UNC4990’s tactics underscore the need for a proactive and multi-layered cybersecurity approach. Organizations and individuals alike must stay informed, remain vigilant, and continuously adapt their security practices to thwart emerging threats. In the face of UNC4990’s innovative strategies, a collective effort to bolster cybersecurity resilience is paramount.
