Mandiant details UNC4191 cyber espionage activity using USB devices as initial infection vector

Mandiant has released details of cyber espionage activity it tracks as UNC4191, which uses USB devices as its initial infection vector and concentrates on the Philippines. The operations have affected public and private sector entities primarily in Southeast Asia, but also in the U.S., Europe and the APJ (Asia Pacific and Japan) region. Even where a targeted organization was based elsewhere, the specific systems UNC4191 compromised were physically located in the Philippines. Mandiant assesses the activity as likely Chinese-nexus.

“Following initial infection via USB devices, the threat actor leveraged legitimately signed binaries to side-load malware, including three new families we refer to as MISTCLOAK, DARKDEW, and BLUEHAZE,” Mandiant researchers wrote in a Monday post. “Successful compromise led to the deployment of a renamed NCAT binary and execution of a reverse shell on the victim’s system, providing backdoor access to the threat actor. The malware self-replicates by infecting new removable drives that are plugged into a compromised system, allowing the malicious payloads to propagate to additional systems and potentially collect data from air-gapped systems,” they added.

The researchers said that, based on available data such as PE compile timestamps for the malware involved, the UNC4191 campaign potentially extends back to last September.

“Given the worming nature of the malware involved, we may have detected the later stages of this malware’s proliferation,” the researchers said. “We believe this activity showcases Chinese operations to gain and maintain access to public and private entities for the purposes of intelligence collection related to China’s political and commercial interests. Our observations suggest that entities in the Philippines are the main target of this operation based on the number of affected systems located in this country that were identified by Mandiant,” they added.

Mandiant splits the overall infection cycle from the UNC4191 campaign into three distinct phases. 

In the first phase, the infection chain begins when a user plugs in a compromised removable device and manually executes a renamed signed binary from the root directory of the storage volume, Mandiant researchers said. “The initial binaries—named Removable Drive.exe or USB Drive.exe—are versions of a legitimately signed application called USB Network Gate, developed by the company Electronic Team, Inc. These are used to side-load the MISTCLOAK malware that impersonates a legitimate DLL,” they added.

The renamed USB Network Gate binaries load a MISTCLOAK DLL named u2ec.dll from the execution directory on the removable device. This is classic DLL side-loading: the executable is genuinely signed, so the trust extends to the malicious DLL it picks up from its own directory. MISTCLOAK is a launcher for the encrypted file usb.ini, which it reads from the current directory or the path. The PDB path embedded in the MISTCLOAK sample contains Chinese characters that translate to ‘disk hijacking.’ MISTCLOAK then opens Windows Explorer, via explorer.exe, to the location on the removable device where the user's files are stored.

In the second phase, usb.ini contains an encrypted DLL payload called DARKDEW, which is capable of infecting removable drives. If executed from a removable drive, DARKDEW launches explorer.exe via `explorer.exe “<drive>:\autorun.inf\Protection for Autorun”`, where <drive> is the removable drive letter, such as E. DARKDEW then checks whether either C:\ProgramData\udisk\disk_watch.exe or C:\ProgramData\udisk\DateCheck.exe exists and creates the directory C:\ProgramData\udisk if neither is found.

DARKDEW then copies every file from <drive>:\autorun.inf\Protection for Autorun\System Volume Information\ to C:\ProgramData\udisk\. Mandiant identified files in this directory, such as Removable Drive (16GB).lnk, that originated on a system previously compromised by DARKDEW and were carried over on a USB device. The copied data includes LNK files and arbitrary files with the extensions xlsx, docx, mp4, device, jpg, pptx, pdf and txt; this is the mechanism by which data from disconnected systems can ride out on the drive.

DARKDEW will then copy the renamed USB Network Gate binary (e.g., Removable Drive.exe) to C:\ProgramData\udisk\disk_watch.exe and create persistence with a registry value named ‘udisk’ under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Finally, DARKDEW will launch C:\ProgramData\udisk\DateCheck.exe and then exit.

The Mandiant researchers said that if DARKDEW is executed from a non-removable drive, the behavior is slightly different. DARKDEW will create the directory C:\ProgramData\udisk\, then copy every file in the current directory of the parent executable to C:\ProgramData\udisk\. It will then copy the parent executable to C:\ProgramData\udisk\disk_watch.exe and launch it. The persistence mechanism is identical, and it will also launch C:\ProgramData\udisk\DateCheck.exe.

“When DARKDEW is executed within the context of disk_watch.exe, the malware will scan the system every 10 seconds for removable drives by enumerating volumes from A to Z until it finds one that is removable,” according to the researchers. “The DARKDEW malware then creates the directory <drive>:\autorun.inf\Protection for Autorun\, sets its attribute to hidden, and copies the contents of the current working directory of disk_watch.exe to that directory or the subdirectory <drive>:\autorun.inf\Protection for Autorun\System Volume Information\. This capability appears to be a method for self-replication and to transfer files that may be collected from air-gapped systems,” they added.

In the third phase, the binary DateCheck.exe is a renamed version of a legitimate, signed application called Razer Chromium Render Process by Razer USA Ltd. The renamed Razer application loads the legitimate file, which calls the getRoot function from the BLUEHAZE malware during C runtime startup. This is the stage at which the chain delivers what the researchers described earlier: a renamed NCAT binary and a reverse shell giving the actor backdoor access.
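The three phases above leave a small, fixed set of artifacts: a renamed signed loader beside u2ec.dll and usb.ini at the root of a removable drive, a hidden autorun.inf\Protection for Autorun\ directory tree, the C:\ProgramData\udisk staging directory with disk_watch.exe and DateCheck.exe, and a Run value named udisk. The triage script below checks for all of them. It is an example added here, not Mandiant's tooling or anything from the report; the artifact names come from the article, while the function names, the constructed .reg sample and the temporary on-disk fixture it builds for demonstration are this example's own assumptions.

```python
import re
import tempfile
from pathlib import Path

# Artifact names are taken from the article; the function names, the sample .reg
# text and the temp-directory fixture below are this example's own (assumptions).
LOADER_NAMES = {"removable drive.exe", "usb drive.exe"}  # renamed USB Network Gate
SIDELOAD_DLL = "u2ec.dll"                                # MISTCLOAK, side-loaded by the loader
PAYLOAD_FILE = "usb.ini"                                 # encrypted DARKDEW payload
PROP_SUBDIR = Path("autorun.inf") / "Protection for Autorun"
SVI_SUBDIR = PROP_SUBDIR / "System Volume Information"   # where collected files are staged
STAGED_EXES = {"disk_watch.exe", "datecheck.exe"}        # DARKDEW host / BLUEHAZE loader
RUN_VALUE_NAME = "udisk"                                 # HKCU\...\Run value name
COLLECTED_EXTS = {".xlsx", ".docx", ".mp4", ".device", ".jpg", ".pptx", ".pdf", ".txt", ".lnk"}

def scan_removable_root(root):
    """Check one removable-drive root for the phase 1/2 layout; return a list of findings."""
    root = Path(root)
    files = {p.name.lower(): p.name for p in root.iterdir() if p.is_file()}
    findings = []
    loaders = sorted(files[n] for n in LOADER_NAMES if n in files)
    if loaders and SIDELOAD_DLL in files:
        findings.append(f"side-load pair at root: {loaders[0]} + {SIDELOAD_DLL}")
    if PAYLOAD_FILE in files:
        findings.append(f"encrypted payload container {PAYLOAD_FILE} at root")
    if (root / PROP_SUBDIR).is_dir():
        # autorun.inf is normally a file; a directory by that name is itself anomalous.
        findings.append(f"propagation directory {PROP_SUBDIR}")
        svi = root / SVI_SUBDIR
        if svi.is_dir():
            staged = [p.name for p in svi.iterdir() if p.suffix.lower() in COLLECTED_EXTS]
            if staged:
                findings.append(f"{len(staged)} collected file(s) under {SVI_SUBDIR}")
    return findings

def scan_staging_dir(staging):
    """Return which DARKDEW/BLUEHAZE binaries exist in the staging dir (C:\\ProgramData\\udisk)."""
    staging = Path(staging)
    if not staging.is_dir():
        return []
    present = {p.name.lower() for p in staging.iterdir() if p.is_file()}
    return sorted(STAGED_EXES & present)

_REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def run_key_hits(reg_export):
    """Parse a regedit export of the HKCU Run key; return suspicious (value name, command) pairs."""
    hits = []
    for line in reg_export.splitlines():
        m = _REG_VALUE.match(line.strip())
        if not m:
            continue
        name = m.group("name")
        data = m.group("data").replace("\\\\", "\\").replace('\\"', '"')  # undo .reg escaping
        if name.lower() == RUN_VALUE_NAME or "\\programdata\\udisk\\" in data.lower():
            hits.append((name, data))
    return hits

# Constructed sample: what `reg export HKCU\...\Run` looks like on an infected host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"udisk"="C:\\ProgramData\\udisk\\disk_watch.exe"
'''

def build_fixture(base):
    """Constructed layout mirroring the article; returns (infected drive, clean drive, staging)."""
    base = Path(base)
    drive = base / "E"
    (drive / SVI_SUBDIR).mkdir(parents=True)
    for name in ("Removable Drive.exe", SIDELOAD_DLL, PAYLOAD_FILE):
        (drive / name).write_bytes(b"placeholder")
    (drive / SVI_SUBDIR / "Removable Drive (16GB).lnk").write_bytes(b"")
    (drive / SVI_SUBDIR / "budget.xlsx").write_bytes(b"")
    clean = base / "F"
    clean.mkdir()
    (clean / "holiday.jpg").write_bytes(b"")
    staging = base / "ProgramData" / "udisk"
    staging.mkdir(parents=True)
    for name in ("disk_watch.exe", "DateCheck.exe"):
        (staging / name).write_bytes(b"placeholder")
    return drive, clean, staging

def demo():
    """Build the fixture in a temp dir, run the three checks and return their results."""
    with tempfile.TemporaryDirectory() as tmp:
        drive, clean, staging = build_fixture(tmp)
        return {
            "infected": scan_removable_root(drive),
            "clean": scan_removable_root(clean),
            "staging": scan_staging_dir(staging),
            "run_key": run_key_hits(SAMPLE_REG),
        }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a live host, point scan_removable_root at each removable drive letter, scan_staging_dir at C:\ProgramData\udisk, and run_key_hits at the text of a `reg export` of the HKCU Run key (regedit writes UTF-16LE, so decode accordingly). The Run-key check matches on both the value name and any command under the udisk directory, since the name is trivial for the actor to change while the staging path is baked into the chain.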

Mandiant said it will continue to monitor UNC4191’s campaign and provide notable and dynamic updates regarding changes in tactics and techniques, the introduction of tools with new capabilities, or the use of new infrastructure to carry out its mission.

Honeywell's August report found that 52 percent of threats were specifically designed to use removable media, up from 37 percent the previous year and more than double the 19 percent recorded in the 2020 study, indicating that threats built around USB removable media have reached a dangerously high level. Threats designed to establish remote access capabilities held steady at 51 percent, consistent with the 2021 level. Trojans still dominated, again comprising 76 percent of the malware detected.

In September, Mandiant released details of APT42, an Iranian state-sponsored cyber espionage group that relies primarily on highly targeted social engineering against individuals and organizations of interest to the Iranian government. The firm said APT42 would continue to perform cyber espionage and surveillance operations aligned with evolving Iranian operational intelligence collection requirements.
