USBCulprit
USBCulprit is a piece of malware that was discovered only recently, but cybersecurity researchers suspect it may have been in use since 2014. The threat is attributed to a group known as Cycldek, which is also tracked under the names Goblin Panda, Conimes and Hellsing. The group frequently targets high-value political figures in various regions, but its recent activity appears to be focused on Thailand, Laos and Vietnam. Cycldek uses a wide variety of backdoors, infostealers and Remote Access Trojans (RATs), but USBCulprit is one of the more impressive threats in its arsenal.
Just Like the Ramsay Malware, USBCulprit also Goes after Air-Gapped Networks
According to cybersecurity experts, USBCulprit is likely designed to target air-gapped systems exclusively. These systems are not connected to the Internet, so collecting data from them requires elaborate techniques and purpose-built malware, which is where USBCulprit comes in. The malware has no ability to connect to a command-and-control server and, in fact, contains no modules that would let it use the Internet at all. Instead, it scans the infected system for specific file types and creates copies of them in a hidden folder. When it detects that a removable storage device (such as a USB stick) has been connected to the infected system, it silently copies its own payload to the device alongside the collected files.
Since USBCulprit's propagation method is so limited, it most likely reaches infected systems in one of two ways: either it is executed from an infected USB drive by accident, or an insider working with the attackers launches the payload on air-gapped computers manually.
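The two behaviours described above (bulk copying of document files into a staging directory, then writing those documents together with an executable onto removable media) are what a defender can actually look for on an air-gapped host that has no network telemetry. The following detector is an added example written for this page, not code from the original article or from the researchers who analysed USBCulprit. It runs over constructed Sysmon-style file-creation records in an assumed `timestamp|pid|image|target` format; the drive letters treated as removable, the document and executable extension lists, and the burst threshold and window are all assumptions chosen for illustration.

```python
"""Detect USBCulprit-style document staging and USB replication.

Added example for this page; the event format, the sample events, the
removable-drive letters and the thresholds below are all constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf"}
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".cmd", ".bat"}
REMOVABLE_DRIVES = {"E:", "F:"}   # assumption: removable media on the sample host
BULK_THRESHOLD = 5                # documents per (process, directory) to count as staging
BULK_WINDOW = timedelta(seconds=60)

# Constructed sample events: one suspicious process (pid 4120) staging documents
# into a hidden-looking folder and later copying them plus an .exe to drive E:,
# alongside benign Word and Explorer activity.
SAMPLE_LOG = r"""
2020-06-01T10:00:01|4120|C:\Windows\svchost.exe|C:\ProgramData\.cache\report1.docx
2020-06-01T10:00:05|4120|C:\Windows\svchost.exe|C:\ProgramData\.cache\budget.xlsx
2020-06-01T10:00:09|4120|C:\Windows\svchost.exe|C:\ProgramData\.cache\memo.pdf
2020-06-01T10:00:14|4120|C:\Windows\svchost.exe|C:\ProgramData\.cache\slides.pptx
2020-06-01T10:00:20|4120|C:\Windows\svchost.exe|C:\ProgramData\.cache\notes.rtf
2020-06-01T10:00:27|4120|C:\Windows\svchost.exe|C:\ProgramData\.cache\plan.doc
2020-06-01T10:03:02|2222|C:\Program Files\Microsoft Office\WINWORD.EXE|C:\Users\bob\Documents\letter.docx
2020-06-01T11:15:40|4120|C:\Windows\svchost.exe|E:\System Volume Information\report1.docx
2020-06-01T11:15:41|4120|C:\Windows\svchost.exe|E:\System Volume Information\budget.xlsx
2020-06-01T11:15:43|4120|C:\Windows\svchost.exe|E:\update.exe
2020-06-01T11:20:00|3001|C:\Windows\explorer.exe|E:\photos\holiday.jpg
"""


def parse_event(line):
    """Parse one 'timestamp|pid|image|target' record (assumed format)."""
    ts, pid, image, target = line.split("|", 3)
    path = PureWindowsPath(target)
    return {
        "ts": datetime.fromisoformat(ts),
        "pid": int(pid),
        "image": image,
        "target": path,
        "ext": path.suffix.lower(),
        "drive": path.drive.upper(),
        "dir": str(path.parent).lower(),
    }


def bulk_document_staging(events):
    """Return (pid, image, dir) keys that created >= BULK_THRESHOLD documents
    in a single directory within BULK_WINDOW (sliding window over timestamps)."""
    by_key = defaultdict(list)
    for e in events:
        if e["ext"] in DOC_EXTENSIONS:
            by_key[(e["pid"], e["image"], e["dir"])].append(e["ts"])
    hits = set()
    for key, stamps in by_key.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > BULK_WINDOW:
                start += 1
            if end - start + 1 >= BULK_THRESHOLD:
                hits.add(key)
                break
    return hits


def payload_with_documents_on_removable(events):
    """Return (pid, image, drive) keys that wrote both document files and an
    executable to the same removable drive, i.e. stolen data plus a payload."""
    docs, execs = defaultdict(set), defaultdict(set)
    for e in events:
        if e["drive"] not in REMOVABLE_DRIVES:
            continue
        key = (e["pid"], e["image"], e["drive"])
        if e["ext"] in DOC_EXTENSIONS:
            docs[key].add(str(e["target"]))
        elif e["ext"] in EXEC_EXTENSIONS:
            execs[key].add(str(e["target"]))
    return {key for key in execs if docs.get(key)}


def analyse(lines):
    """Run both detections over raw log lines and return the findings."""
    events = [parse_event(l) for l in lines if l.strip()]
    return {
        "bulk_staging": bulk_document_staging(events),
        "removable_payload": payload_with_documents_on_removable(events),
    }


if __name__ == "__main__":
    for name, hits in analyse(SAMPLE_LOG.strip().splitlines()).items():
        print(name, sorted(hits))
```

On the constructed sample the first rule flags only `svchost.exe` (pid 4120) staging six documents into `C:\ProgramData\.cache`, and the second rule flags the same process for writing documents and `update.exe` to drive `E:`; Word saving a single file and Explorer copying a photo produce no hits. On a real host the drive letters would come from an enrichment step (for example `Win32_LogicalDisk` drive type), and the thresholds should be tuned against the baseline of legitimate document-handling processes.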
USBCulprit Looks for a Seemingly Random File on Infected Systems
Another interesting feature of USBCulprit is a very specific check it performs when launched from a USB stick: it looks for a file named '1.txt' in a specific system directory on the computer it is about to infect. If the file exists in that exact directory, USBCulprit copies the data collected on the removable storage onto the newly compromised system's hard drive. The purpose of this feature is not clear. One possibility is that the attackers plan to exfiltrate the collected data from these specifically marked systems, perhaps using an as-yet-undiscovered piece of malware that marks systems with the '1.txt' file and thereby instructs USBCulprit to carry out the additional task.
It seems that Advanced Persistent Threat (APT) groups are increasingly willing to experiment with malware meant to penetrate air-gapped networks. After the discovery of the Ramsay malware in May 2020, security researchers have now seen yet another malware family designed to target air-gapped networks.