Carding 4 Carders
Professional
Protected flash drives were not so secure.
Kaspersky Lab security researchers have discovered a new campaign called TetrisPhantom, in which secure USB drives are used to attack the government systems of countries in the Asia-Pacific region.
Secure USB drives store files in an encrypted part of the device and are used for secure data transfer between systems, including in an isolated environment. Access to the protected section is performed using specialized software that decrypts the contents based on the password provided by the user. One of these programs is UTetris.exe, which is located in the unencrypted part of the USB drive.
Experts found Trojan-infected versions of the UTetris app deployed on secure USB devices during a campaign that lasted at least several years and was aimed at governments in the Asia-Pacific region. TetrisPhantom uses various malware tools, commands, and components that point to a highly skilled and well-funded group.
According to the researchers, the attack involves sophisticated tools and techniques, including:
- software obfuscation of malware components based on virtualization;
- low-level communication with the USB drive using direct SCSI commands;
- self-replication via connected secure USB drives for distribution to other isolated systems;
- injection of code into the legitimate access-control program on the USB drive so that it acts as a malware loader on the next computer it is plugged into.
Kaspersky Lab also provided additional details of the attack using the infected UTetris application: it begins by executing a payload called AcroShell on the target machine. The payload establishes a communication link with the command and control (C2) server and can receive and execute additional payloads to steal documents and confidential files, as well as collect information about the USB drives used.
Attackers also use the collected information to research and develop other malware, called XMKR, and a Trojanized UTetris.exe. The XMKR module is deployed on a Windows computer and is responsible for infecting secure USB drives connected to the system, in order to spread the attack to potentially isolated systems.
XMKR's on-device capabilities include file theft for espionage purposes and writing data to USB drives. Information about the compromised USB drive is then sent to the C2 server when the storage device is connected to an Internet-connected computer infected with AcroShell.
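The infection chain above gives a defender two concrete signals in process-creation telemetry: the access utility on the unencrypted partition of a removable drive running with a hash that is not in a known-good baseline, and that utility spawning a child process, which a tool whose only job is to unlock the encrypted partition has no reason to do. The script below is an added example written for this post, not code from Kaspersky or from the campaign; the baseline hashes, drive-letter convention, event records and payload file name are all constructed placeholders.

```python
"""Detection sketch for the loader behaviour described in the TetrisPhantom write-up.

Signals checked on Sysmon-style process-creation events (constructed samples):
  1. the USB access utility (UTetris.exe) runs from a removable volume with a
     SHA-256 that is not in the known-good baseline (possible Trojanized copy);
  2. the access utility spawns a child process (loader behaviour, as with the
     AcroShell payload described in the article).
"""

# Hypothetical known-good hashes. Placeholders only; NOT the vendor's real values.
KNOWN_GOOD_SHA256 = {
    "utetris.exe": {"a" * 64},
}
ACCESS_UTILITIES = set(KNOWN_GOOD_SHA256)


def is_removable_path(path: str) -> bool:
    """Assumption for this example: removable volumes mount as drive letters E: onwards."""
    return len(path) > 2 and path[1] == ":" and path[0].upper() >= "E"


def base_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyse_events(events):
    """Return (EventId, reason) findings for suspicious access-utility activity."""
    findings = []
    for ev in events:
        name = base_name(ev["Image"])
        parent = base_name(ev.get("ParentImage", ""))
        if name in ACCESS_UTILITIES and is_removable_path(ev["Image"]):
            if ev["SHA256"] not in KNOWN_GOOD_SHA256[name]:
                findings.append((ev["EventId"], "access utility hash not in baseline"))
        if parent in ACCESS_UTILITIES:
            findings.append((ev["EventId"], f"{parent} spawned child process {name}"))
    return findings


# Constructed sample events: one benign launch, one Trojanized copy that then
# launches a second-stage payload, and one genuine copy matching the baseline.
SAMPLE_EVENTS = [
    {"EventId": 1, "Image": "C:\\Windows\\explorer.exe",
     "ParentImage": "C:\\Windows\\System32\\userinit.exe", "SHA256": "b" * 64},
    {"EventId": 2, "Image": "E:\\UTetris.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "SHA256": "c" * 64},
    {"EventId": 3, "Image": "C:\\Users\\Public\\payload_stage.exe",
     "ParentImage": "E:\\UTetris.exe", "SHA256": "d" * 64},
    {"EventId": 4, "Image": "E:\\UTetris.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "SHA256": "a" * 64},
]

if __name__ == "__main__":
    for event_id, reason in analyse_events(SAMPLE_EVENTS):
        print(f"event {event_id}: {reason}")
```

Event 4 produces no finding because its hash matches the baseline, which is the point of keeping a hash allowlist for the unencrypted-partition utility rather than trusting its file name.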
Experts have confirmed that the attacks have been going on for several years, and the main goal of TetrisPhantom is espionage. Researchers note a small number of infected government networks, which indicates a targeted operation.