UNC4990 Hackers Hide USB Malware Payloads on Media Hosting Platforms, Mandiant Finds

Your USB device can be a source of malware payloads without you knowing.

Cybersecurity firm Mandiant recently reported that a threat actor it tracks as UNC4990 uses infected USB devices to deliver malware payloads.

The investigation found that the group has been abusing reputable online platforms to host encoded malware payloads disguised as ordinary text.

Utilizing Trusted Platforms for Covert Operations


UNC4990 strategically conceals encoded payloads within forum posts and video descriptions on media hosting platforms. These payloads, disguised as simple text strings, play a crucial role in the attack chain: the malware fetches and decodes them in order to download and execute later stages, according to Mandiant.

Involuntary Payload Hosting

Bleeping Computer reports that the attack begins when a victim unwittingly opens a malicious LNK shortcut file on a USB drive. The shortcut launches a PowerShell script, explorer.ps1, which initiates the download of an intermediary payload named "EMPTYSPACE."

Mandiant also found that the attackers experimented with different hosting methods, moving between GitHub, GitLab, Vimeo and Ars Technica and using ordinary site features such as forum posts and video descriptions to host obfuscated payloads without drawing attention.

Trusting Reputable Platforms for Enhanced Resilience

Hosting payloads on trusted platforms gives UNC4990 a tactical advantage. Traffic to these well-known domains blends in with legitimate use and is rarely blocked by reputation-based filtering, so the downloads are unlikely to be flagged as suspicious. The payloads also inherit the platforms' content delivery networks and resistance to takedowns, so the attackers get reliable hosting without running infrastructure of their own. For defenders, the practical consequence is that the destination domain alone is not a useful signal; what stands out is which process fetches the content and how that process was started.
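To make the detection angle concrete, here is an added example, written for this page rather than taken from Mandiant, Bleeping Computer or any UNC4990 tooling. It correlates two events from the chain described above: PowerShell launched to run a .ps1 script from a removable drive, and that same process then connecting to one of the hosting domains named in the article. The event schema, the drive letter E:, the PowerShell command-line flags and every sample event are constructed for illustration; the only names taken from the article are explorer.ps1 and the four domains.

```python
import re

# Domains the article names as UNC4990 payload hosts. Traffic to them is
# ordinary on most networks, so the domain alone is never the signal here.
HOSTING_DOMAINS = {"github.com", "gitlab.com", "vimeo.com", "arstechnica.com"}

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Any "X:\...\something.ps1" token in a command line, capturing the drive letter.
PS1_ON_DRIVE = re.compile(r'\b([A-Za-z]):\\[^\s"]*?\.ps1\b', re.IGNORECASE)


def image_name(path: str) -> str:
    """Last path component, lower-cased, so C:\\...\\PowerShell.EXE compares equal."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def host_in_watchlist(host: str) -> bool:
    """True for a watch-listed domain or any of its subdomains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in HOSTING_DOMAINS)


def detect(events, removable_drives):
    """Correlate process-creation and network events from one host's timeline.

    events: list of dicts in timestamp order using a constructed schema (not a
            real product's format):
              {"ts", "event": "process_create", "pid", "image",
               "parent_image", "command_line"}
              {"ts", "event": "network_connect", "pid", "image", "dest_host"}
    removable_drives: drive letters (e.g. {"E:"}) currently backed by removable
            media, as a real sensor would learn from device-arrival events.
    Returns the alerts raised, in the order they fired.
    """
    removable = {d.rstrip(":").upper() for d in removable_drives}
    suspect_pids = {}  # pid -> script path that fired the first-stage rule
    alerts = []
    for ev in events:
        if ev["event"] == "process_create":
            if image_name(ev["image"]) not in POWERSHELL_IMAGES:
                continue
            for m in PS1_ON_DRIVE.finditer(ev["command_line"]):
                if m.group(1).upper() in removable:
                    suspect_pids[ev["pid"]] = m.group(0)
                    alerts.append({
                        "severity": "medium",
                        "rule": "powershell_script_from_removable_media",
                        "pid": ev["pid"],
                        "script": m.group(0),
                        "parent": image_name(ev["parent_image"]),
                    })
                    break
        elif ev["event"] == "network_connect":
            # Escalate only when a process already flagged above reaches one
            # of the hosting sites; a browser hitting the same site is benign.
            if ev["pid"] in suspect_pids and host_in_watchlist(ev["dest_host"]):
                alerts.append({
                    "severity": "high",
                    "rule": "removable_media_powershell_fetches_from_hosting_site",
                    "pid": ev["pid"],
                    "script": suspect_pids[ev["pid"]],
                    "dest_host": ev["dest_host"],
                })
    return alerts


PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed sample timeline: two benign sequences, then the chain from the article.
SAMPLE_EVENTS = [
    # Benign: a browser visiting one of the same sites.
    {"ts": 1, "event": "process_create", "pid": 100, "image": CHROME,
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "chrome.exe"},
    {"ts": 2, "event": "network_connect", "pid": 100, "image": CHROME,
     "dest_host": "vimeo.com"},
    # Benign: an administrator running a script from a fixed disk.
    {"ts": 3, "event": "process_create", "pid": 200, "image": PS_EXE,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"powershell.exe -File C:\ops\backup.ps1"},
    # Suspicious: the user double-clicks an LNK on a USB stick, so explorer.exe
    # spawns PowerShell to run explorer.ps1 from the removable drive. The flags
    # are a constructed guess, not the group's actual command line.
    {"ts": 4, "event": "process_create", "pid": 300, "image": PS_EXE,
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File E:\explorer.ps1"},
    # ...and that same PowerShell process then reaches a media-hosting site.
    {"ts": 5, "event": "network_connect", "pid": 300, "image": PS_EXE,
     "dest_host": "vimeo.com"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, {"E:"}):
        print(alert)
```

The browser's visit to vimeo.com and the administrator's script on C: produce nothing; only PID 300 fires, first at medium severity on the removable-media launch and then at high severity when it contacts the hosting site. In a real deployment the removable-drive set would come from the sensor's device events rather than a hard-coded letter, and the second rule is worth keeping even if the first is noisy, because it is the pairing that distinguishes this chain from everyday use of the same platforms.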

Stealthy Operations and Lucrative Returns

UNC4990's final payload, "QUIETBOARD," is a sophisticated, multi-component backdoor with a broad set of capabilities: executing commands and Python code, monitoring the clipboard so that copied cryptocurrency wallet addresses can be swapped for attacker-controlled ones, and collecting detailed system information. Wallet addresses linked to this campaign have received more than $55,000.

UNC4990's Experimental Approach

Mandiant notes UNC4990's penchant for experimentation: the group continuously refines its attack methods and tests alternative paths through its attack chain. Despite conventional prevention measures, USB-based malware remains a significant threat, underscoring the adaptability and persistence of such actors.

In summary, UNC4990's use of legitimate sites to conceal malicious payloads undermines defenses that trust well-known platforms on reputation alone.

Cybersecurity measures continue to improve, but incidents like this keep occurring. As defenders roll out more effective controls, attackers adapt their methods to bypass them.

Meanwhile, hackers have used Microsoft Teams group chats to infect systems with the DarkGate malware. Their campaign deceived users into downloading a malicious file with a deceptive name; once run, the malware gave the attackers access to the victims' networks.


Joseph Henry
Tech Times
ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.