New Light Shed on Risk from Chinese-linked USB Threat
State sponsored APT threat
Overt Operator
June 23, 2023
In a groundbreaking revelation, Check Point Research (CPR) has shed light on a new version of a Chinese state-sponsored Advanced Persistent Threat (APT) malware that spreads through infected USB drives, warning that such attacks can cross network borders and physical continents with ease.
The discovery followed a disturbing malware attack at a healthcare institution in Europe. The incident highlighted the activities of Camaro Dragon, a Chinese-based espionage threat actor, also known as Mustang Panda and LuminousMoth. Historically, their primary focus has been Southeast Asian countries, but this latest discovery reveals a more extensive global reach. It also underscores the alarming role that USB drives play in spreading malware.
The malware infiltrated the healthcare institution's systems via an infected USB drive belonging to an employee who had attended a conference in Asia. The USB drive became infected after being shared with a colleague whose computer was already compromised. Upon returning to Europe, the employee inadvertently introduced the infected USB drive into the hospital's computer systems, leading to a wider spread of the infection, media reports explained.
CPR's investigation into the incident led to the discovery of newer versions of the malware, including one variant known as WispRider. This evolved payload, equipped with backdoor functionality and the ability to spread through USB drives, emerged as the primary cause of the infection. WispRider also boasts additional features, including a bypass mechanism for SmadAV, popular antivirus software in Southeast Asia, and uses components from security software like G-DATA Total Security and major gaming companies like Electronic Arts and Riot Games for evasion purposes.
This report confirms that Chinese-affiliated threat actors continue to harness the power of USB devices as an infection vector, emphasizing the urgent need for organizations to protect their assets. CPR recommends several measures for organizations to guard against similar USB-based attacks.