Despite the evolution of several tools and tactics, threat actors still go with the traditional approach to attack victims for malicious purposes. One such threat actor is UNC4990, which uses USB devices to exploit victims. UNC4990 is a financially motivated threat actor and has been conducting campaigns since 2020.
There has been a continuous evolution of this threat actor’s activities. With that being said, the recent tactics involved the use of popular and legitimate websites such as GitHub, GitLab, Ars Technica and Vimeo.
In addition, the threat actor has been using EMPTYSPACE downloader and QUIETBOARD backdoor. EMPTYSPACE is capable of executing any payload served from the command and control servers, and QUIETBOARD is also delivered using EMPTYSPACE.
Document
Run Free ThreatScan on Your Mailbox
AI-Powered Protection for Business Email Security
Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .
USB Malware Chained with Text Strings
Initial Vector
According to the reports shared with Cyber Security News, the threat actor begins the infection chain by delivering the USB drives to the victims by any means of social engineering. Once the victim connects the USB to their device, the USB removable device is shown with a shortcut (.LNK extension) under the vendor name.
Infection Chain | Source : Mandiant
When the victims open this malicious LNK shortcut file, it executes a PowerShell script (explorer.ps1), which contains the following command.
“C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle has hidden -NoProfile -nologo -ExecutionPolicy ByPass -File explorer.ps1”
The explorer.ps1 is an encoded PowerShell script that checks for specific conditions and fetches the Runtime Broker.exe, which is the EMPTY SPACE downloader.
Timeline
From the beginning of 2023, the threat actor replaced GitHub with Vimeo, a video-sharing website. A video was added to Vimeo in which the description had the hard-coded payload. However, this video was removed now. Additionally, the Vimeo URL was also embedded inside the explorer.ps1 script.
In mid of December 2023, it was discovered that the threat actor had been using Ars Technica by using an image embedded with the payload. As a backup, the threat actor had also updated the EMPTY SPACE serving URL, which had an additional string.
Furthermore, there have been several versions of EMPTYSPACE loader used by the threat actor, such as the Node JS version, .NET version, and Python version alongside QUIETBOARD.
This Python-based backdoor can execute arbitrary code, cryptocurrency theft, USB drive infection, screenshotting, information gathering, and C2 communications.
Indicators of Compromise
Host-based IOCs
IOCSHA-256Associated Malware Familyexplorer.ps172f1ba6309c98cd52ffc99dd15c45698dfca2d6ce1ef0bf262433b5dfff084bePowerShell Script98594dfae6031c9bdf62a4fe2e2d2821730115d46fca61da9a6cc225c6c4a750d09d1a299c000de6b7986078518fa0defa3278e318c7f69449c02f177d3228f07c793cc33721bae13e200f24e8d9f51251dd017eb799d0172fd647acab0390276fb4945bb73ac3f447fb7af6bd2937395a067a6e0c0900886095436114a17443%TEMP%\Runtime Broker.exea4f20b60a50345ddf3ac71b6e8c5ebcb9d069721b0b0edc822ed2e7569a0bb40EMPTYSPACE Downloader (Node.JS Variant)Runtime Broker.exe8a492973b12f84f49c52216d8c29755597f0b92a02311286b1f75ef5c265c30dEMPTYSPACE Downloader (.NET Variant)C:\Program Files (x86)\WinSoft Update Service\bootstrap.pycV1: 060882f97ace7cb6238e714fd48b3448939699e9f085418af351c42b401a1227EMPTYSPACE Downloader (Python Variant)V2: 8c25b73245ada24d2002936ea0f3bcc296fdcc9071770d81800a2e76bfca3617V3: b9ffba378d4165f003f41a619692a8898aed2e819347b25994f7a5e771045217V4: 84674ae8db63036d1178bb42fa5d1b506c96b3b22ce22a261054ef4d021d2c69C:\Program Files (x86)\WinSoft Update Service\program.pyz15d977dae1726c2944b0b4965980a92d8e8616da20e4d47d74120073cbc701b3QUIETBOARD Backdoor26d93501cb9d85b34f2e14d7d2f3c94501f0aaa518fed97ce2e8d9347990decf26e943db620c024b5e87462c147514c990f380a4861d3025cf8fc1d80a74059aC:\windows\runtimebroker .exe71c9ce52da89c32ee018722683c3ffbc90e4a44c5fba2bd674d28b573fba1fdcQUIETBOARD associated fileC:\Program Files (x86)\pyt37\python37.zip539a79f716cf359dceaa290398bc629010b6e02e47eaed2356074bffa072052fQUIETBOARD associated file
Network-Based IOCs
URL
-
hxxps://bobsmith.apiworld[.]cf/license.php
-
hxxps://arstechnica[.]com/civis/members/frncbf22.1062014/about/
-
hxxps://evinfeoptasw.dedyn[.]io/updater.php
-
hxxps://wjecpujpanmwm[.]tk/updater.php?from=USB1
-
hxxps://eldi8.github[.]io/src.txt
-
hxxps://evh001.gitlab[.]io/src.txt
-
hxxps://vimeo[.]com/api/v2/video/804838895.json
-
hxxps[://]monumental[.]ga/wp-admin[.]php
-
hxxp[://]studiofotografico35mm[.]altervista[.]org/updater[.]php
-
hxxp[://]ncnskjhrbefwifjhww[.]tk/updater[.]php
-
hxxp[://]geraldonsboutique[.]altervista[.]org/updater[.]php
-
hxxps[://]wjecpujpanmwm[.]tk/updater[.]php
-
hxxps[://]captcha[.]grouphelp[.]top/updater[.]php
-
hxxps[://]captcha[.]tgbot[.]it/updater[.]php
-
hxxps://luke.compeyson.eu[.]org/runservice/api/public.php
-
hxxps[://]luke[.]compeyson[.]eu[.]org/wp-admin[.]php
-
hxxps://luke.compeyson.eu[.]org/runservice/api/public_result.php
-
hxxps://eu1.microtunnel[.]it/c0s1ta/index.php
-
hxxps[://]davebeerblog[.]eu[.]org/wp-admin[.]php
-
hxxps://lucaespo.altervista[.]org/updater.php
-
hxxps://lucaesposito.herokuapp[.]com/c0s1ta/index.php
-
hxxps://euserv3.herokuapp[.]com/c0s1ta/index.php
