Adrian Johnson
TLDR:
- A financially motivated threat actor named UNC4990 has been using USB devices to exploit victims, employing popular and legitimate websites such as GitHub, GitLab, Ars Technica, and Vimeo in their recent tactics.
- The threat actor uses the EMPTYSPACE downloader and QUIETBOARD backdoor to execute payloads and carry out various malicious activities.
Despite the evolution of cyber attack tools and tactics, some threat actors still rely on traditional methods to achieve their malicious goals. UNC4990, a financially motivated threat actor, has been using USB devices to exploit victims. Their recent tactics involve the use of popular and legitimate websites such as GitHub, GitLab, Ars Technica, and Vimeo. The threat actor utilizes the EMPTYSPACE downloader and QUIETBOARD backdoor to carry out their malicious activities.
The infection chain begins with the threat actor delivering USB drives to victims through social engineering. When victims connect the USB to their devices, a shortcut file with a .LNK extension appears under the vendor name. Opening this malicious LNK shortcut file executes a PowerShell script (explorer.ps1) that fetches the EMPTYSPACE downloader. The explorer.ps1 script is an encoded PowerShell script that checks for specific conditions and fetches the Runtime Broker.exe, which is the EMPTY SPACE downloader.
From the beginning of 2023, the threat actor started using Vimeo as a replacement for GitHub. They added a video to Vimeo with a hard-coded payload in the video’s description, but the video has since been removed. The Vimeo URL was also embedded inside the explorer.ps1 script. In December 2023, the threat actor was discovered to be using Ars Technica by embedding an image with the payload. They also updated the EMPTY SPACE serving URL with an additional string as a backup.
The threat actor has used several versions of the EMPTYSPACE loader, including Node JS, .NET, and Python variants. They also utilize the QUIETBOARD backdoor, which can execute arbitrary code, carry out cryptocurrency theft, infect USB drives, take screenshots, gather information, and communicate with command and control servers.
Host-based IOCs associated with the threat actor include SHA-256 hashes of various malware files such as explorer.ps1, Runtime Broker.exe, and QUIETBOARD-associated files. Network-based IOCs include URLs related to the threat actor’s activities on websites like Vimeo, Ars Technica, and GitHub.
Overall, UNC4990’s use of USB devices and legitimate websites in their attack strategy underscores the importance of remaining vigilant against traditional cyber threats.
Sources:
