Woburn, MA – June 3, 2020 – Kaspersky researchers are sharing new details of an increasingly sophisticated toolset deployed by the APT group Cycldek, which has been targeting governments in Southeast Asia since 2013. Among the findings is a previously unknown malware dubbed USBCulprit that possesses both lateral movement and information-stealing capabilities. Not only does this malware strengthen the group’s already advanced toolkit, it also gives the actors a way to reach air-gapped devices that are physically isolated and not directly connected to the internet.
Cycldek (also known as Goblin Panda, APT 27 and Conimes) primarily focuses on high-profile targets in Southeast Asia, including large organizations and government entities. Kaspersky researchers have been closely following the group’s most recent cyberespionage activity, dating from 2018, against government organizations in several Southeast Asian countries, including Vietnam, Thailand and Laos. In doing so, they found the group’s operations to be considerably more advanced than expected.
Since 2018, most attacks have begun with a phishing email carrying a politically themed RTF document. The group exploits known vulnerabilities through these documents to drop a payload called NewCore RAT. This malware comes in two variants with advanced data-stealing capabilities: BlueCore and RedCore. BlueCore appears to have been deployed against diplomatic and government targets in Vietnam, while RedCore was first deployed in Vietnam before being found in Laos. Both download the previously unknown malware USBCulprit.
USBCulprit has been active since 2014, with new samples emerging as late as 2019. It possesses both lateral movement capabilities (the ability to move through a network to reach the targeted data) and data-stealing capabilities. Once installed, it scans various paths on the infected device and collects documents with certain file extensions. These documents are then copied to USB drives connected to the system. This suggests the malware was designed to reach air-gapped machines: systems that are connected neither to the internet nor to any other internet-connected computer. Such devices are often physically isolated as well, meaning the only way to move data in or out is on removable media such as a USB drive.
[Figure: Examples of the proprietary USBCulprit malware downloaded from servers of both BlueCore and RedCore]
Because the malware does not launch automatically when an infected USB drive is connected to a machine, it is possible that it was meant to be deployed physically by a human operator.
USBCulprit can be configured to target specific files, including those modified after a given timestamp. Later versions can also execute files with particular names from connected USB drives, which allows the operators to extend its capabilities. Overall, it is a sophisticated addition to a growing list of proprietary tools used by this group. Others include a custom backdoor, a tool for stealing cookies and a tool that steals passwords from Chromium-based browser databases.
“Our analysis has shown that this group is not the minor, less advanced actor that it was previously believed to be,” said Mark Lechtik, senior security researcher at Kaspersky GReAT. “In fact, it has a much wider presence in Southeast Asia and a much more sophisticated toolset than initial reports suggested.”
“It is also likely that attacks by Cycldek against high-profile targets in Southeast Asia will continue,” added Giampaolo Dedola, senior security researcher at Kaspersky GReAT. “This group’s activity has not only not ceased since 2013, but it continues to evolve by adding new malware and targeting new countries. We will be continuing to monitor Cycldek’s activity.”
For more information on Cycldek, please visit Securelist.com.
About Kaspersky
Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise are constantly being transformed into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies, and we help 270,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.
Media Contact:
Cassandra Faro
Cassandra.Faro@Kaspersky.com
781-503-1812