Security researchers from Mandiant (part of Google Cloud) have identified a threat group that uses USB devices as its initial infection vector and mainly targets audiences in the Philippines. Mandiant also found a Chinese connection in this activity and tracks it as UNC4191.
The researchers are tracking the malware families MISTCLOAK (used in phase 1), BLUEHAZE (used in phase 2) and DARKDEW (used in phase 3), and based on that tracking they speculate that this activity has been running since September 21.
The chain begins when someone plugs in the compromised USB device and runs the executable that resides in the root of the removable storage. That executable is a legitimate, signed application used to side-load MISTCLOAK, which is a launcher for usb.ini, the DLL payload of DARKDEW. The BLUEHAZE malware is called by another legitimate, signed application, Razer Chromium Render Process by Razer USA Ltd.
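The infection chain above rests on a recognisable pattern: an executable sitting at the root of a removable volume next to the DLL or data file it side-loads. The following Python script is an added example for defenders and is not code from the Mandiant report or from the UNC4191 tooling. It builds a constructed USB-root directory (the file names Launcher.exe, helper.dll and Documents/report.pdf are made up; usb.ini is the name given above) and then flags root-level executables that have DLL or .ini companions, the layout a side-loading launcher needs. It does not verify signatures or Windows hidden attributes; it only demonstrates the triage heuristic.

```python
import os
import tempfile
from pathlib import Path

# File classes used by the heuristic. An .exe at the volume root that ships
# with a .dll or .ini beside it matches the side-load layout described above.
EXECUTABLE_EXT = {".exe"}
COMPANION_EXT = {".dll", ".ini"}


def find_sideload_candidates(root):
    """Inspect the top level of a removable volume and report executables
    that have side-load companions (DLL or INI files) in the same directory.

    Returns a list of dicts: executable name, sorted companion names, and a
    coarse risk label ("high" when companions exist, "medium" otherwise).
    """
    root = Path(root)
    top_level = [p for p in root.iterdir() if p.is_file()]
    executables = [p for p in top_level if p.suffix.lower() in EXECUTABLE_EXT]
    companions = [p for p in top_level if p.suffix.lower() in COMPANION_EXT]

    findings = []
    for exe in executables:
        names = sorted(c.name for c in companions)
        findings.append({
            "executable": exe.name,
            "companions": names,
            "risk": "high" if names else "medium",
        })
    return findings


def build_sample_usb_root():
    """Create a constructed directory tree that mimics an infected USB root.
    Contents are stand-in bytes, not real binaries (assumption: layout only)."""
    tmp = Path(tempfile.mkdtemp(prefix="usb_root_"))
    (tmp / "Launcher.exe").write_bytes(b"MZ")      # constructed stand-in for the signed launcher
    (tmp / "helper.dll").write_bytes(b"MZ")        # constructed stand-in for a side-loaded DLL
    (tmp / "usb.ini").write_bytes(b"\x00" * 16)    # file name taken from the summary above
    docs = tmp / "Documents"
    docs.mkdir()
    (docs / "report.pdf").write_bytes(b"%PDF")     # benign content below the root
    return tmp


def build_clean_usb_root():
    """Create a constructed directory tree with only documents at the root."""
    tmp = Path(tempfile.mkdtemp(prefix="usb_clean_"))
    (tmp / "notes.txt").write_text("meeting notes")
    (tmp / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    return tmp


if __name__ == "__main__":
    for label, builder in (("infected", build_sample_usb_root),
                           ("clean", build_clean_usb_root)):
        root = builder()
        print(f"[{label}] {root}")
        for f in find_sideload_candidates(root):
            print(f"  {f['risk'].upper()}: {f['executable']} with {f['companions']}")
```

In practice the same check is worth running from a removable-media mount hook or an endpoint agent, and a hit should be combined with a signature check on the executable and a look at the companion files, since a signed binary next to an unsigned DLL is the combination that makes side-loading work.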
Read full report from Mandiant