Pierluigi Paganini June 04, 2020

A Chinese threat actor tracked as Cycldek (aka Goblin Panda, or Conimes) has developed new tool to steal information from air-gapped systems.

Security experts from Kaspersky Lab reported that the Chinese threat actor tracked as Cycldek (aka Goblin Panda, or Conimes) has developed new tool to steal information from air-gapped systems.

The Cycldek group was first spotted in September 2013, in past campaigns it mainly targeted entities in Southeast Asia using different malware variants, such as PlugX and HttpTunnel.

In 2014, experts noticed an intensification in the activity of the group that appeared interested in the dispute over the South China Sea.

GOBLIN PANDA was focused on Vietnam, most of the targets were in the defense, energy, and government sectors.

In 2018, the cyberespionage group targeted once again Vietnam running a spear-phishing campaign that uses weaponized documents featuring Vietnamese-language lures and themes

The group’s arsenal includes multiple tools for information stealing and lateral movements, some of them are previously unreported.

“One of the newly revealed tools is named USBCulprit and has been found to rely on USB media in order to exfiltrate victim data. This may suggest Cycldek is trying to reach air-gapped networks in victim environments or relies on physical presence for the same purpose.” reads the data published by Kaspersky.

Since 2017, the group was observed launching attacks using RTF lure documents with political content related to Vietnam. the messages were dropping a variant of a malicious program named NewCore RAT.

While analyzing NewCore, Kaspersky spotter two different variants named BlueCore and RedCore centered around two clusters of activity. The researchers discovered similarities in both code and infrastructure of the two variants, but they also discovered exclusive features implemented into the RedCore.

“Perhaps the most notable difference between the two implants is the URL scheme they use to connect and beacon their C&C servers. By looking for requests made using similar URL patterns in our telemetry, we were able to find multiple C&C servers and divide the underlying infrastructure based on the aforementioned two clusters.” continues the report. “The requests by each malware type were issued only by legitimate and signed applications that were either leveraged to side-load a malicious DLL or injected with malicious code. All of the discovered domains were used to download further samples.”

Experts speculate each cluster of activity had a different geographical focus, the operators behind the BlueCore cluster were focused on Vietnamese targets with several outliers in Laos and Thailand, while the operators of the RedCore cluster initially targeted Vietnam and later Laos by the end of 2018.

Experts explained that both BlueCore and RedCore malware, downloaded multiple additional tools to facilitate lateral movement (HDoor) and extract information (JsonCookies and ChromePass) from compromised systems.

Among the tools recently revealed the most important is named USBCulprit, it leverages on USB media in order to exfiltrate victim data, likely because the Cycldek group designed it to target air-gapped networks or relies on physical presence.

Once USBCulprit is loaded to memory and executed, it operates in three phases;

• the malware prepares the environment for the malware’s execution;
• the malware attempts to intercept the connection of new media and verify that it corresponds to a removable drive;
• the malware makes lateral movement;

The USBCulprit is able to scan multiple paths, collect documents with specific extensions (*.pdf;*.doc;*.wps;*docx;*ppt;*.xls;*.xlsx;*.pptx;*.rtf), and exporting them to a connected removable drive.

The malware was designed to copy itself selectively to certain removable drives in the presence of a particular file, a circumstance that suggests it can be spread laterally to other systems by inserting the infected USB drive.

Kaspersky’s telemetry revealed that USBCulprit was first spotted in the in the wild in 2014, while the latest samples were detected in 2019.

“Cycldek is an example of an actor that has broader capability than publicly perceived.” Kaspersky concluded. “While most known descriptions of its activity give the impression of a marginal group with sub-par capabilities, the range of tools and timespan of operations show that the group has an extensive foothold inside the networks of high-profile targets in Southeast Asia.”

Pierluigi Paganini

(SecurityAffairs – USBCulprit, cybersecurity)

[adrotate banner=”5″]

[adrotate banner=”13″]