China-Linked Threat Actors Utilize Infected USB Drives to Spread Malware
Check Point Research (CPR) recently discovered a new version of self-propagating malware that spreads through infected USB drives. The cybersecurity company identified this trojan in early 2023, while investigating a cyberattack incident at a European healthcare institution.
The malware has been linked to the China-based espionage threat actor Camaro Dragon, whose modus operandi closely resembles that of Mustang Panda and LuminousMoth.
The threat actor has generally focused on Southeast Asian countries, and CPR found similar USB-related infections in Myanmar, South Korea, Great Britain, India, and Russia. The current incident, however, revealed the global reach of this group.
During the investigation, it was revealed that the European hospital was not the primary target. The malware had spread due to an employee’s compromised USB drive. The employee had participated in a conference in Asia and used his USB to share his presentation, which led to the drive being infected.
Upon his return to Europe, the employee connected the USB drive to the hospital's computer system, which led to the spread of the malware.
The investigation further revealed that the malware is part of a toolset discussed by Avast in its 2022 report, where the tools were dubbed SSE. The infection chain starts when the target connects the infected USB flash drive, which launches the malicious Delphi launcher known as HopperTick. The main payload variant, WispRider, functions both as a backdoor and as a tool that infects other USB drives when they are connected to a compromised machine.
WispRider also has additional features, such as bypassing SmadAV, an Indonesian antivirus solution popular in Southeast Asia. To avoid detection, it also uses DLL side-loading through security software components of two gaming companies and G-DATA, CPR warned.
"The ability to propagate autonomously and uncontrollably across multiple devices enhances this threat's reach and potential impact. This approach not only enables the infiltration of potentially isolated systems but also grants and maintains access to a vast array of entities, even those that are not primarily targeted," said CPR.
The increasing use of USB drives by Chinese threat actors as a vector to spread malware has been cited in various industry reports, including the 2022 Mandiant report on China and UNC4191's cyber espionage activity.