Kaspersky IDs Sophisticated New Malware Targeted at Air-Gapped Systems

'USBCulprit' is one of several tools that suggest the previously known Cycldek group is more dangerous than previously assumed, the security vendor says.

A likely China-based threat actor called Cycldek, which security researchers have previously dismissed as a somewhat marginal group with relatively unsophisticated capabilities, may be considerably more dangerous than previously thought.


That's security vendor Kaspersky's analysis after a new examination of the threat group's malware toolset and operations. In a report this week, Kaspersky researchers describe finding numerous nuggets of previously unknown information suggesting that Cycldek operators have an extensive foothold in the networks of several high-profile targets in Vietnam, Laos, and Thailand. Since at least 2018, the group (aka Goblin Panda and Conimes) has been using a variety of new tools, tactics, and procedures in attacks against government agencies in these countries, Kaspersky says.


Among the new tools is one called USBCulprit, which appears designed for use in air-gapped environments where systems are not directly accessible from an external network. According to Kaspersky, its analysis shows the malware is capable of stealing targeted data from an infected system and passing it on to connected USB drives. The malware is programmed to copy itself selectively to certain USB drives so it can move laterally to other air-gapped systems each time an infected USB drive is inserted into one.


Mark Lechtik, senior security researcher at Kaspersky, says USBCulprit has no capability of communicating over the network and can only pass any information it has stolen to physical media. The fact that it profiles the network connectivity of the infected system and copies this information along with stolen documents to removable drives suggests it was mostly designed to target air-gapped machines, he says.
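A defender-side illustration of the behaviour Lechtik describes (a batch of stolen documents plus the host's network profile written to a USB drive, and the malware copying its own executable there), added here as an example that is not part of Kaspersky's report or this article: a small Python check over constructed, Sysmon-like file-creation events (the field layout, process names and paths are hypothetical) that flags any process writing both a set of documents and a copy of itself to removable media.

```python
from collections import defaultdict

# Constructed sample events in a simplified "file created" shape (hypothetical format):
# time | writing process image | created file | drive type of the destination
SAMPLE_EVENTS = """\
10:01:02|C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe|E:\\Reports\\budget.docx|removable
10:01:03|C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe|E:\\Reports\\plan.pdf|removable
10:01:03|C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe|E:\\Reports\\ipconfig.txt|removable
10:01:05|C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe|E:\\svc.exe|removable
10:02:10|C:\\Program Files\\Office\\WINWORD.EXE|C:\\Users\\u\\Documents\\memo.docx|fixed
10:03:00|C:\\Windows\\explorer.exe|E:\\photo.jpg|removable
"""

# Document types whose appearance on removable media counts toward the staging threshold.
DOC_EXT = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt"}


def parse_events(text):
    """Split the pipe-delimited sample lines into dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, image, target, drive = line.split("|")
        events.append({"ts": ts, "image": image, "target": target, "drive": drive})
    return events


def find_usb_staging(events, min_docs=3):
    """Return process images that wrote >= min_docs documents AND a copy of their own
    executable to a removable drive: the document theft + self-replication pattern."""
    per_proc = defaultdict(lambda: {"docs": 0, "self_copy": False})
    for ev in events:
        if ev["drive"] != "removable":
            continue  # only writes to removable media matter here
        stats = per_proc[ev["image"]]
        name = ev["target"].rsplit("\\", 1)[-1].lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in DOC_EXT:
            stats["docs"] += 1
        # Self-replication: the file dropped on the USB drive has the writer's own image name.
        if name == ev["image"].rsplit("\\", 1)[-1].lower():
            stats["self_copy"] = True
    return sorted(img for img, s in per_proc.items()
                  if s["self_copy"] and s["docs"] >= min_docs)


if __name__ == "__main__":
    for image in find_usb_staging(parse_events(SAMPLE_EVENTS)):
        print("possible USB staging by", image)
```

Ordinary user copies to a USB stick (explorer.exe above) are not flagged because they lack the self-copy; tune min_docs to the environment's baseline.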

