For years, a China-linked threat actor named Cycldek has been exfiltrating data from air-gapped systems using a previously unreported, custom USB malware family, Kaspersky reports.
Also referred to as Goblin Panda and Conimes, the hacking group has been actively targeting governments in Southeast Asia over the past two years, with its activities separated into two main clusters that are under the supervision of a single entity.
Active since at least 2013, the group is known for its focus on Vietnam, a pattern of activity that has remained unchanged over time. Previously, the threat actor was observed using malware such as PlugX, which was typically leveraged by other Chinese-speaking actors as well, and NewCore RAT.
Over the past two years, the group has remained highly active in Southeast Asia and continued the use of NewCore RAT in attacks, but also switched to other unreported implants and various commodity tools.
Most of the attacks featured a politically themed RTF document served to victims in phishing emails and designed to exploit known Microsoft Office vulnerabilities, including CVE-2012-0158, CVE-2017-11882, and CVE-2018-0802.
The final payload in these attacks is the NewCore RAT, but Kaspersky discovered two variants of the malware being used (referred to as BlueCore and RedCore), which led to the identification of two different clusters of activity.
The variants share similar behavior, run code from DLLs impersonating dependencies of legitimate AV utilities, and leverage similar injected shellcode to run their implants, but also contain clear differences, such as functionality that is present only in RedCore: keylogging, device enumeration, RDP logger, and proxy server.
Both malware versions were used to target diplomatic and government entities, but each was focused on a different geography, Kaspersky believes. The BlueCore operators mainly targeted Vietnam and launched several attacks on Laos and Thailand, while the RedCore operators started with Vietnam but switched focus to Laos by the end of 2018.
“Furthermore, considering both differences and similarities, we are able to conclude that the activities we saw are affiliated to a single actor, which we refer to as Cycldek. In several instances, we spotted unique tools crafted by the group that were downloaded from servers of both groups,” Kaspersky’s security researchers explain.
One such tool is USBCulprit, a piece of previously unreported malware that was observed being downloaded by RedCore implants. It can scan various paths on victim machines, collect specific documents, and pass them on to USB drives that are connected to the system.
“It can also selectively copy itself to a removable drive in the presence of a particular file, suggesting it can be spread laterally by having designated drives infected and the executable in them opened manually,” Kaspersky says.
USBCulprit, the researchers note, has been in use since 2014, with the most recent samples released at the end of 2019. Since 2017, the malware has had the capability to execute files with a given name from a connected USB, which indicates an ability to extend functionality through modules, the researchers say.
In preparation for its execution, the malware modifies registry keys to hide the extensions of files in Windows and ensure hidden files are not shown to the user, then writes several files to disk. It also scans the disk to collect files for exfiltration, including documents with the extensions *.pdf, *.doc, *.wps, *docx, *ppt, *.xls, *.xlsx, *.pptx and *.rtf.
These files are stored in encrypted RAR archives and then written to removable drives connected to the machine. The malware wakes at specific intervals to check for connected drives and write data to them, if a certain marker is found locally.
The malware is also capable of lateral movement: if another marker exists, it copies its binary to the same folder on the USB drive where the files for exfiltration are located. Because no mechanism to trigger the malware’s execution upon USB connection was found, the researchers believe it is supposed to be run manually by a human handler.
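A defender-side triage sketch for the on-drive layout described above (RAR archives and an executable placed in the same folder), added here as an example and not taken from Kaspersky's report: it flags folders on a mounted removable drive that hold both RAR archives and Windows executables, identified by file signature instead of extension. The co-location heuristic, the function names and the sample tree are assumptions constructed for illustration.

```python
import os

# RAR 4.x and RAR 5.x archive signatures (file-format constants).
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")

def classify(path):
    """Return 'rar', 'pe' or None from file content, ignoring the extension."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4096)
    except OSError:
        return None
    if head.startswith(RAR_MAGICS):
        return "rar"
    if head[:2] == b"MZ" and len(head) >= 0x40:
        # e_lfanew (offset 0x3C) points at the "PE\0\0" signature.
        off = int.from_bytes(head[0x3C:0x40], "little")
        if head[off:off + 4] == b"PE\x00\x00":
            return "pe"
    return None

def suspicious_dirs(root):
    """Map each directory holding both RAR archives and PE files to its hits."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        kinds = {"rar": [], "pe": []}
        for name in sorted(files):
            kind = classify(os.path.join(dirpath, name))
            if kind:
                kinds[kind].append(name)
        if kinds["rar"] and kinds["pe"]:
            hits[os.path.relpath(dirpath, root)] = kinds
    return hits

def build_sample(root):
    """Write a constructed tree that stands in for a mounted removable drive."""
    pe = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00"
    tree = {
        "data/a.dat": RAR_MAGICS[0] + b"\x00" * 16,       # archive, odd extension
        "data/tool.bin": pe,                              # executable beside it
        "docs/backup.rar": RAR_MAGICS[1] + b"\x00" * 16,  # archive on its own
        "bin/setup.exe": pe,                              # executable on its own
    }
    for rel, blob in tree.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(blob)
```

Call `suspicious_dirs()` on the drive's mount point; a hit is a lead for manual review, since legitimate installers can also sit beside archives.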
“The characteristics of the malware can give rise to several assumptions about its purpose and use cases, one of which is to reach and obtain data from air-gapped machines. This would explain the lack of any network communication in the malware, and the use of only removable media as a means of transferring inbound and outbound data,” the researchers note.
In addition to USBCulprit, both BlueCore and RedCore fetched other tools for lateral movement or information stealing, including BrowserHistoryView, ProcDump, Nbtscan, and PsExec. Other tools were either developed fully by the attackers or customized for specific attack scenarios: custom HDoor (full-featured backdoor capabilities), JsonCookies (steals cookies from the SQLite databases of Chromium-based browsers), and ChromePass (steals saved passwords from Chromium-based browser databases).
“Cycldek is an example of an actor that has broader capability than publicly perceived. While most known descriptions of its activity give the impression of a marginal group with sub-par capabilities, the range of tools and timespan of operations show that the group has an extensive foothold inside the networks of high-profile targets in Southeast Asia,” Kaspersky concludes.