A Chinese threat actor has developed new capabilities to target air-gapped systems in an attempt to exfiltrate sensitive data for espionage, according to research published by Kaspersky yesterday.
The APT, known as Cycldek, Goblin Panda, or Conimes, employs an extensive toolset for lateral movement and information stealing in victim networks, including previously unreported custom tools, tactics, and procedures in attacks against government agencies in Vietnam, Thailand, and Laos.
“One of the newly revealed tools is named USBCulprit and has been found to rely on USB media in order to exfiltrate victim data,” Kaspersky said. “This may suggest Cycldek is trying to reach air-gapped networks in victim environments or relies on physical presence for the same purpose.”
First observed by CrowdStrike in 2013, Cycldek has a long history of singling out defence, energy, and government sectors in Southeast Asia, particularly Vietnam, using decoy documents that exploit known vulnerabilities (e.g., CVE-2012-0158, CVE-2017-11882, CVE-2018-0802) in Microsoft Office to drop a malware called NewCore RAT.
Exfiltrating Data to Removable Drives
Kaspersky’s analysis of NewCore revealed two different variants (named BlueCore and RedCore) centered around two clusters of activity. The two share similarities in both code and infrastructure, but RedCore also contains features that are exclusive to it — namely a keylogger and an RDP logger that captures details about users connected to a system via RDP.