China-linked UNC4191 APT relies on USB Devices in attacks against entities in the Philippines

An alleged China-linked cyberespionage group, tracked as UNC4191, used USB devices in attacks aimed at Philippines entities.

Mandiant researchers spotted an alleged China-linked cyberespionage group, tracked as UNC4191, leveraging USB devices as attack vectors in campaigns aimed at Philippines entities.

This campaign has been active dates as far back as September 2021 and targeted public and private sector entities primarily in Southeast Asia, along with organizations in the U.S., Europe, and APJ

“UNC4191 operations have affected a range of public and private sector entities primarily in Southeast Asia and extending to the U.S., Europe, and APJ; however, even when targeted organizations were based in other locations, the specific systems targeted by UNC4191 were also found to be physically located in the Philippines.” reads the analysis published by Mandiant.

The attackers leveraged legitimately signed binaries to side-load malware, experts observed the use of three new families tracked by Mandiant as MISTCLOAK, DARKDEW, and BLUEHAZE. Below are reported the details of the above malware families:

Malware Family	Description
MISTCLOAK	MISTCLOAK is a launcher written in C++ that executes an encrypted executable payload stored in a file on disk.
BLUEHAZE	BLUEHAZE is a launcher written in C/C++ that launches a copy of NCAT to create a reverse shell to a hardcoded command and control (C2).
DARKDEW	DARKDEW is a dropper written in C++ that is capable of infecting removable drives.
NCAT	NCAT is a command-line networking utility that was written for the Nmap Project to perform a wide-variety of security and administration tasks. While NCAT may be used for legitimate purposes, threat actors may also use it to upload or download files, create backdoors or reverse shells, and tunnel traffic to evade network controls.

“The infection chain begins when a user plugs in a compromised removable device and manually executes a renamed signed binary from the root directory of the storage volume (T1091). The initial binaries—named Removable Drive.exe or USB Drive.exe—are versions of a legitimately signed application called USB Network Gate, developed by the company Electronic Team, Inc.” continues the report. “These are used to side-load the MISTCLOAK malware that impersonates a legitimate DLL.”

Once the target system has been compromised, UNC4191 deploys a renamed NCAT binary and executes a reverse shell to maintain a foothold in the infected system.

The malicious code shows wormable capabilities and replicates by infecting new removable drives that are plugged into a compromised system. This means that the malicious payloads propagate to additional systems and potentially compromise air-gapped systems.

Mandiant researchers observed threat actors enumerating domain trusts and querying domain and local group permissions in a time span of several minutes.

“We believe this activity showcases Chinese operations to gain and maintain access to public and private entities for the purposes of intelligence collection related to China’s political and commercial interests. Our observations suggest that entities in the Philippines are the main target of this operation based on the number of affected systems located in this country that were identified by Mandiant.” Mandiant concludes.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, UNC4191)

[adrotate banner=”5″]

[adrotate banner=”13″]