According to Google-owned Mandiant, a China-linked cyberespionage group identified as UNC4191 has been seen infecting targets with self-replicating malware on USB drives, and this method may allow them to steal data from air-gapped systems.
UNC4191 has been seen using legitimately signed binaries to side-load malware on public and private servers in Southeast Asia, the Asia-Pacific, Europe, and the US, with a particular focus on the Philippines. The threat actor employed malware families such as the Mistcloak launcher, Darkdew dropper, and Bluehaze launcher as part of the activity under investigation.
To gain backdoor access to the compromised system, the attackers also set up a reverse shell and the networking tool NCAT on the target machine.
Read More: Self-Replicating Malware Used by Chinese Cyberspies Spreads via USB Drives