A Chinese threat actor has developed new capabilities to target air-gapped systems and exfiltrate sensitive data for espionage, according to a Kaspersky study published yesterday.
The APT, tracked as Cycldek, Goblin Panda, or Conimes, uses an extensive toolset for lateral movement and information theft on victim networks, including previously unreported custom tools, tactics, and procedures for attacking government agencies in Vietnam, Thailand, and Laos.
"One of the newly discovered tools is called USBCulprit and relies on USB media to exfiltrate victim data," said Kaspersky. "This could indicate that Cycldek is trying to reach air-gapped networks in victim environments, or is relying on physical presence for the same purpose."
Cycldek was first observed by CrowdStrike in 2013 and has a long history of targeting the defense, energy and government sectors in Southeast Asia, particularly Vietnam, using decoy documents that exploit known vulnerabilities in Microsoft Office (e.g. CVE-2012-0158, CVE-2017-11882, CVE-2018-0802) to drop a malware called NewCore RAT.
Exfiltrating data via removable media
Kaspersky's analysis of NewCore revealed two different variants (BlueCore and RedCore), attributed to two activity clusters, which had similarities in both code and infrastructure but also contained functions reserved for RedCore only, namely a keylogger and an RDP logger that records details of users connecting to a system via RDP.
"Each activity cluster had a different geographic focus," said the researchers. "The operators of the BlueCore cluster invested most of their efforts in Vietnamese targets with multiple outliers in Laos and Thailand, while the operators of the RedCore cluster started with a focus on Vietnam and were redirected to Laos by the end of 2018."
Both BlueCore and RedCore implants downloaded a number of additional tools to facilitate lateral movement (HDoor) and extract information (JsonCookies and ChromePass) from compromised systems.
Most notable among them is a malware called USBCulprit, which scans a number of paths, collects documents with certain extensions (*.pdf, *.doc, *.wps, *.docx, *.ppt, *.xls, *.xlsx, *.pptx, *.rtf) and copies them to a connected USB drive.
In addition, the malware is programmed to selectively copy itself to certain removable media, so that it can spread laterally to other air-gapped systems whenever an infected USB drive is inserted into another computer.
Kaspersky's telemetry shows that the earliest instance of the binary dates back to 2014; the most recent samples were seen at the end of last year.
The infection chain relies on malicious binaries that impersonate legitimate antivirus components to load USBCulprit via DLL search order hijacking, after which the relevant information is collected, stored as an encrypted RAR archive, and transferred to a removable device connected to the system.
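The behaviour described above, a component loaded by DLL search-order hijacking that stages documents into a RAR archive on removable media and copies its own executable there, is the kind of pattern a host sensor can flag without any network telemetry. The following is an added example, not Kaspersky's or the malware's own code: a small heuristic that runs over constructed file-write events (the `FileEvent` record, its `removable` tag, the process and path names are all assumptions for illustration, not real indicators) and a disk check for DLLs in an application directory that shadow a same-named system DLL.

```python
import ntpath
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Document extensions the article reports USBCulprit collecting, plus the
# archive format it is reported to stage them in.
DOC_EXTENSIONS = {".pdf", ".doc", ".wps", ".docx", ".ppt", ".xls", ".xlsx", ".pptx", ".rtf"}
ARCHIVE_EXTENSIONS = {".rar"}
EXEC_EXTENSIONS = {".exe", ".dll"}


@dataclass
class FileEvent:
    """One file-write record. Assumed schema: the sensor tags writes whose
    destination volume is removable media."""
    ts: datetime
    process: str      # image name of the writing process
    path: str         # destination path of the write
    removable: bool   # True when the destination volume is removable


def _ext(path: str) -> str:
    # ntpath so Windows-style paths parse the same on any host
    return ntpath.splitext(path)[1].lower()


def detect_usb_staging(events, window=timedelta(minutes=10), doc_threshold=5):
    """Return (rule, process, detail) tuples for suspicious writes to removable media:
    an executable or DLL (self-copy), an archive (staged exfiltration), or a burst
    of document files by one process inside `window`."""
    alerts = []
    doc_writes = defaultdict(list)
    for ev in events:
        if not ev.removable:
            continue
        e = _ext(ev.path)
        if e in EXEC_EXTENSIONS:
            alerts.append(("executable_to_removable", ev.process, ev.path))
        elif e in ARCHIVE_EXTENSIONS:
            alerts.append(("archive_to_removable", ev.process, ev.path))
        elif e in DOC_EXTENSIONS:
            doc_writes[ev.process].append(ev.ts)
    for proc, stamps in doc_writes.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # slide the window start forward until it fits
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= doc_threshold:
                alerts.append(("document_burst_to_removable", proc, end - start + 1))
                break
    return alerts


def sideloading_candidates(app_dir_files, system_dir_files):
    """DLLs in an application directory whose file name also exists in the system
    directory: the on-disk shape of a DLL search-order hijack, where the loader
    picks the copy beside the executable before the legitimate one."""
    system = {ntpath.basename(f).lower() for f in system_dir_files if _ext(f) == ".dll"}
    return sorted(f for f in app_dir_files
                  if _ext(f) == ".dll" and ntpath.basename(f).lower() in system)


# Constructed sample telemetry for illustration only; none of these names are real indicators.
T0 = datetime(2020, 6, 4, 9, 0, 0)
SAMPLE_EVENTS = [
    FileEvent(T0, "winword.exe", r"C:\Users\a\Documents\report.docx", False),
    FileEvent(T0 + timedelta(seconds=30), "explorer.exe", r"E:\photos\img1.jpg", True),
    FileEvent(T0 + timedelta(minutes=1), "updater.exe", r"E:\System Volume Information\data.rar", True),
    FileEvent(T0 + timedelta(minutes=2), "updater.exe", r"E:\updater.exe", True),
    FileEvent(T0 + timedelta(minutes=2, seconds=1), "updater.exe", r"E:\helper.dll", True),
]
SAMPLE_APP_DIR = [r"C:\Program Files\AV\scanner.exe",
                  r"C:\Program Files\AV\version.dll",
                  r"C:\Program Files\AV\scanner.dll"]
SAMPLE_SYSTEM_DIR = [r"C:\Windows\System32\version.dll",
                     r"C:\Windows\System32\kernel32.dll"]

if __name__ == "__main__":
    for alert in detect_usb_staging(SAMPLE_EVENTS):
        print(alert)
    print(sideloading_candidates(SAMPLE_APP_DIR, SAMPLE_SYSTEM_DIR))
```

On the sample events the archive, executable and DLL writes to `E:` each raise an alert while the user's photo copy does not; the document-burst rule needs a threshold tuned to the environment, since a user legitimately copying a folder of reports to a USB stick produces the same shape, which is why the rule reports the count rather than deciding on its own.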
"The characteristics of the malware can lead to several assumptions about its purpose and use cases, one of which is to access and retrieve data from air-gapped machines," the researchers said. "This would explain the lack of any network communication in the malware and the use of removable media only as a means of transferring incoming and outgoing data."
Ultimately, the similarities and differences between the two variants indicate that the actors behind the clusters share code and infrastructure while operating as two distinct branches under a single, larger entity.
"Cycldek is an example of an actor that has greater capabilities than publicly perceived," concluded Kaspersky. "While most of the known descriptions of their activities give the impression of a marginal group with below-average skills, the tools and the time span of the operations show that the group has an extensive foothold in the networks of high-profile targets in Southeast Asia."