USB-Driven Threats Orchestrated by UNC4990's Financially-Motivated Campaign
A threat campaign attributed to an uncategorized threat group, UNC4990 employs an expanded arsenal of malware, with a prominent focus on the use of USB devices for initial infection. Mandiant's report of the threat group traces their operations to have been active since at least 2020 with a concentration on targeting Italy-based users. While USB infection has maintained a staple of their tactics, techniques, and procedures (TTPs), new techniques for evasion efforts are observed to utilize popular services including Ars Technica, GitHub, GitLab, and Vimeo, to host their payloads. Mandiant explains the abuse of these legitimate services did not "involve exploiting any known or unknown vulnerabilities in these sites, nor did any of these organizations have anything misconfigured to allow for this abuse. Additionally, the content hosted on these services posed no direct risk for the everyday users of these services, as the content hosted in isolation was completely benign."
UNC4990 starts its attack chain by infecting victims through USB LNK files. Mandiant observed these files often have names like "KINGSTON (32GB).lnk" or "D (32GB).lnk" and use the default Windows drive icon to entice users to double-click them. Once clicked, these LNK files execute a PowerShell script named "explorer.ps1." Explorer.ps1 is an encoded PowerShell script that downloads and decodes an additional payload, which is usually the EMPTYSPACE downloader. Over time, this script has evolved from simple encoding to more complex techniques, such as asymmetric encryption and adding a unique UUID value to track infected hosts. UNC4990 leverages third-party websites like Ars Technica, GitHub, GitLab, Vimeo, and even legitimate-looking URLs on these sites to host encoded payloads and further obfuscate their activities.
EMPTYSPACE, also known as VETTA Loader and BrokerLoader, is a downloader used by UNC4990. Several variants of EMPTYSPACE were found to masquerade itself as a Windows process, "Runtime Broker.” This downloader communicates with a command and control (C2) server over HTTP to download and execute executable payloads. Amongst the various versions of EMPTYSPACE examined by Mandiant, the malware is written in different programming languages such as Node.js, .NET, and Python. These versions differ in their capabilities, including checking for elevated permissions, executing payloads, and communicating with the C2 server. Within UNC4990's arsenal, a malware backdoor tracked as QUIETBOARD is examined to be capable of various malicious activities such as setting up cryptocurrency theft, gathering host information, and initiating communication with its configured C2 server. Manidant notes QUIETBOARD as a multicomponent backdoor with modular expansion capabilities, and it is often dropped after an initial infection, potentially for financial gain.
UNC4990's use of third-party websites for payload hosting is a notable characteristic of their operation. As detailed in a report from Ars Technica themselves on the matter. The outlet shares the threat actors’ use of their site to host encoded payloads in their attack chain. Embedding malicious strings within benign content makes detection challenging. In one instance, they used a pizza image on Ars Technica, which included a malicious Base64-encoded string in the URL, leading to the second stage of the malware.
Mandiant provided a medium confidence assessment of UNC4990 as a financially motivated threat actor. UNC4990's use of USB devices, encoded payloads hosted on legitimate websites, and modular malware components make it a formidable and challenging adversary in the cybersecurity landscape. Given the adversary's prevalent use of USB devices for infections, organizations must prioritize reviewing and enforcing their removable device policies. Strengthening these policies not only bolsters their overall security posture but also serves as an effective mitigation strategy against the initial stage of UNC4990's infections.