Chinese Hackers Target Air-Gapped Systems With Custom USB Malware

For years, a China-linked threat actor named Cycldek has been exfiltrating data from air-gapped systems using a previously unreported, custom USB malware family, Kaspersky reports.


Also referred to as Goblin Panda and Conimes, the hacking group has been actively targeting governments in Southeast Asia over the past two years, with its activities separated into two main clusters that are under the supervision of a single entity.


Active since at least 2013, the group is known for its focus on Vietnam, a pattern of activity that has remained unchanged over time. Previously, the threat actor was observed using malware such as PlugX, which was typically leveraged by other Chinese-speaking actors as well, and NewCore RAT.


Over the past two years, the group has remained highly active in Southeast Asia and continued the use of NewCore RAT in attacks, but also switched to other unreported implants and various commodity tools.


Most of the attacks featured a politically themed RTF document served to victims in phishing emails and designed to exploit known Microsoft Office vulnerabilities, including CVE-2012-0158, CVE-2017-11882, and CVE-2018-0802.
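The exploit documents described above all arrive as RTF files carrying an embedded OLE object, and the three CVEs named map to two Office components: the Equation Editor (CVE-2017-11882, CVE-2018-0802) and the MSCOMCTL ListView control (CVE-2012-0158). The following added example, which is not code from the article or from Kaspersky, is a small defender-side triage script that parses the `\objclass` and `\objdata` groups of an RTF, decodes the OLE1 object header, and flags objects whose class name or CLSID points at those components. The CLSID values are reference data from public advisories; the sample documents are constructed inline for the demonstration.

```python
import binascii
import re
import struct
import uuid
from typing import List, Optional

# Reference data from public advisories (not from the article): CLSIDs of the
# Office components behind the three CVEs the article names.
EQUATION_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
LISTVIEW_CLSID = uuid.UUID("BDD1F04B-858B-11D1-B16A-00C0F0283628")
KNOWN_CLSIDS = {
    EQUATION_CLSID: "Equation Editor (CVE-2017-11882 / CVE-2018-0802)",
    LISTVIEW_CLSID: "MSCOMCTL ListView (CVE-2012-0158)",
}
# ProgIDs under which the same components are embedded.
SUSPICIOUS_PROGIDS = ("Equation.3", "Equation.Native", "MSComctlLib.ListViewCtrl")

OBJCLASS_RE = re.compile(rb"\\objclass\s+([^\\{}\s;]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def decode_objdata(hex_blob: bytes) -> bytes:
    """Turn the hex text of an \\objdata group back into raw OLE1 bytes."""
    cleaned = re.sub(rb"\s+", b"", hex_blob)
    if len(cleaned) % 2:
        cleaned = cleaned[:-1]  # tolerate a dangling nibble from a truncated file
    return binascii.unhexlify(cleaned)


def ole1_class_name(data: bytes) -> Optional[str]:
    """Read the length-prefixed ClassName from an OLE1 object header
    (OLEVersion, FormatID == 2 for embedded objects, ClassName)."""
    if len(data) < 12:
        return None
    _version, fmt_id, name_len = struct.unpack_from("<III", data, 0)
    if fmt_id != 2 or name_len == 0 or name_len > 256 or 12 + name_len > len(data):
        return None
    return data[12:12 + name_len].rstrip(b"\x00").decode("ascii", "replace")


def scan_rtf(rtf: bytes) -> List[str]:
    """Return one finding per embedded object that matches the exploited components."""
    findings = []
    for m in OBJCLASS_RE.finditer(rtf):
        cls = m.group(1).decode("ascii", "replace")
        if any(cls.startswith(p) for p in SUSPICIOUS_PROGIDS):
            findings.append(f"\\objclass {cls}")
    for m in OBJDATA_RE.finditer(rtf):
        data = decode_objdata(m.group(1))
        name = ole1_class_name(data)
        if name and any(name.startswith(p) for p in SUSPICIOUS_PROGIDS):
            findings.append(f"OLE1 class name {name}")
        for clsid, label in KNOWN_CLSIDS.items():
            # CLSIDs are stored little-endian inside OLE structures.
            if clsid.bytes_le in data:
                findings.append(f"CLSID {clsid} ({label})")
    return findings


def build_sample_rtf(class_name: str, native: bytes) -> bytes:
    """Constructed test input: an RTF with one OLE1 embedded object of the given class."""
    name = class_name.encode() + b"\x00"
    header = struct.pack("<III", 0x00000501, 2, len(name)) + name
    header += struct.pack("<I", 0)  # empty TopicName
    header += struct.pack("<I", 0)  # empty ItemName
    header += struct.pack("<I", len(native)) + native
    hexdata = binascii.hexlify(header)
    return (b"{\\rtf1\\ansi Budget memo.\n{\\object\\objemb{\\*\\objclass "
            + class_name.encode() + b"}{\\*\\objdata " + hexdata + b"}}}")


if __name__ == "__main__":
    samples = {
        "equation": build_sample_rtf("Equation.3", b"constructed-native-data"),
        "listview": build_sample_rtf("Package", LISTVIEW_CLSID.bytes_le),
        "benign": build_sample_rtf("Word.Document.8", b"hello"),
    }
    for label, doc in samples.items():
        print(label, scan_rtf(doc))
```

The script is deliberately tolerant: it does not need a full RTF parser, only the two control words that carry object metadata, so it still works on the malformed RTFs that exploit builders tend to emit. A hit is a triage signal, not proof of exploitation; a legitimate equation object will also match and should be checked by hand.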


The final payload in these attacks is the NewCore RAT, but Kaspersky discovered two variants of the malware being used (referred to as BlueCore and RedCore), which led to the identification of two different clusters of activity.


The variants share similar behavior, run code from DLLs impersonating dependencies of legitimate AV utilities, and leverage similar injected shellcode to run their implants, but also contain clear differences, such as functionality that is present only in RedCore: keylogging, device enumeration, RDP logger, and proxy server.
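The loading technique described above, a malicious DLL named after a dependency of a legitimate, signed utility and dropped beside it so the utility loads it, is classic DLL side-loading. The added example below is not code from the article or from Kaspersky; it is a hunting heuristic over image-load records of the kind an EDR or Sysmon (event 7) produces. It flags loads where a signed process picks up an unsigned DLL from its own, non-system directory. The events, paths and file names are constructed for the demonstration; `av_helper.exe` is a hypothetical name, not a product the article identifies.

```python
import ntpath
from dataclasses import dataclass
from typing import List

# Directories where a DLL sitting next to its host executable is expected.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


@dataclass
class ImageLoad:
    """Minimal view of an image-load telemetry record (constructed schema)."""
    process_image: str
    process_signed: bool
    dll_path: str
    dll_signed: bool


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """True when a signed host loads an unsigned DLL from its own non-system directory."""
    proc_dir = ntpath.dirname(ev.process_image).lower()
    dll_dir = ntpath.dirname(ev.dll_path).lower()
    if not proc_dir or proc_dir != dll_dir:
        return False          # DLL came from somewhere else (system dir, app dir, ...)
    if dll_dir in SYSTEM_DIRS:
        return False          # system binaries legitimately load siblings
    return ev.process_signed and not ev.dll_signed


def find_sideloads(events: List[ImageLoad]) -> List[str]:
    """Return the DLL paths of all side-loading candidates, in input order."""
    return [ev.dll_path for ev in events if is_sideload_candidate(ev)]


# Constructed sample telemetry: a signed helper dropped into a user-writable
# directory alongside an unsigned DLL that carries a well-known system DLL name.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\victim\AppData\Local\Temp\av_helper.exe", True,
              r"C:\Windows\System32\kernel32.dll", True),
    ImageLoad(r"C:\Users\victim\AppData\Local\Temp\av_helper.exe", True,
              r"C:\Users\victim\AppData\Local\Temp\version.dll", False),
    ImageLoad(r"C:\Windows\System32\svchost.exe", True,
              r"C:\Windows\System32\version.dll", False),
    ImageLoad(r"C:\Users\victim\Downloads\unsigned_tool.exe", False,
              r"C:\Users\victim\Downloads\helper.dll", False),
]

if __name__ == "__main__":
    for path in find_sideloads(SAMPLE_EVENTS):
        print("side-load candidate:", path)
```

The heuristic keys on the combination the article describes (a legitimate host, an impostor dependency, a writable directory) rather than on any particular file name, so it also catches variants that rename the DLL. Expect some noise from portable software that ships unsigned helper DLLs; pairing the hit with the injected-shellcode behaviour the article mentions (a child thread in the host process with an unbacked executable region) is the usual second filter.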


Both malware versions were ..
