In a recent revelation in the world of cybersecurity, a financially motivated hacker has been discovered utilizing USB devices as a means to infiltrate computer systems.
This malicious group has chosen a cunning approach, hiding their harmful software in plain view on widely used platforms like GitHub, Vimeo, and Ars Technica.
Their strategy involves embedding malicious codes within seemingly innocuous content, creating a challenging environment for detection and prevention. We strongly advise our readers to maintain a vigilant stance while navigating the online platforms.
Reassuring our website visitors, we confirm that the peculiar text strings encountered on GitHub and Vimeo pose no harm upon clicking. However, there's a twist: these seemingly harmless strings serve as a key tool for hackers, discreetly facilitating the download and deployment of harmful software in their attacks.
The cybersecurity watchdogs, Mandiant, are actively monitoring this group of hackers identified as UNC4990. Operating in the shadows since 2020, they have specifically targeted individuals in Italy.
The cyber assault unfolds with an unsuspecting individual clicking on a deceptive file on a USB drive. The mystery lies in how these USB devices find their way into the hands of unsuspecting users. Once opened, the file initiates a digital script, explorer.ps1, downloading an intermediary code that reveals a web address. This address acts as the gateway for installing a malware downloader named 'EMPTYSPACE.'
UNC4990 initially employed special files on GitHub and GitLab but later shifted their tactics to Vimeo and Ars Technica, embedding their secret codes in mundane areas on these sites to avoid suspicion.
The harmful PowerShell script, decoded, decrypted, and executed from legitimate sites, leads to the activation of EMPTYSPACE. This payload establishes communication with the hackers' control server, subsequently downloading a sophisticated backdoor called 'QUIETBOARD.'
Additionally, UNC4990 employs this backdoor for crypto mining activities targeting Monero, Ethereum, Dogecoin, and Bitcoin.
The financial gains from this cyber scheme exceed $55,000, not including the hidden Monero.
QUIETBOARD, UNC4990's advanced backdoor, exhibits a wide range of capabilities, including executing commands, cryptocurrency theft, USB drive propagation, screenshot capture, system information collection, and geographical location determination. Mandiant highlights UNC4990's penchant for experimentation to refine their attack strategies.
Despite ongoing efforts to mitigate USB-based malware threats, they persist as a significant danger. The tactic of concealing within reputable sites challenges traditional security measures, underscoring the need for enhanced online safety practices.
In the evolving digital landscape, staying informed and vigilant is paramount. Cyber threats may emerge from unexpected quarters, demanding a proactive approach to cybersecurity.