Malware linked to a Chinese hacking group has spread to Europe, thanks to its ability to “self-propagate” over USB thumb drives, a cybersecurity vendor says.
The findings come from Check Point, which investigated a malware attack at a health institution in Europe earlier this year. The technical evidence shows the malware bears similarities to attacks from a Chinese espionage group dubbed Mustang Panda.
Check Point traced the infection back to a USB drive belonging to an employee at the European hospital. The same USB drive was previously taken to a conference in Asia.
The employee "shared his presentation with fellow attendees using his USB drive. Unfortunately, one of his colleagues had an infected computer, so his own USB drive unknowingly became infected as a result,” Check Point said.
After returning to Europe, the employee then slotted the USB drive into a hospital computer, thereby spreading the infection to another continent.
Check Point suspects the European health institution was merely “collateral damage” and not the intended target. That’s because the Chinese hacking group behind the malware, Mustang Panda, has historically targeted countries based in Southeast Asia.
Check Point points out the incident provides an “in-the-wild sighting” of hacking tools that antivirus provider Avast described last December in a report about Mustang Panda. At the time, Avast had uncovered an FTP server the Chinese hacking group was using to host its hacking tools, which included a launcher, written in Delphi, to install malware on a USB drive.
The malware works by hiding all the files in the USB drive. When a user accesses the drive on a computer, they’ll instead see an executable program that bears the USB drive’s name, alongside a folder named “Kaspersky,” a reference to the antivirus company.
The Kaspersky name may fool users into thinking their USB drive has undergone some security protection. But in reality, the executable is a malicious launcher. If the user clicks on it, the malware will begin copying itself to the computer all the while revealing the previously hidden files on the USB drive.
“There is no special technique used in this USB infection flow to automatically run the Delphi launcher. The scheme fully relies on social engineering; the victims can no longer see their files on the drive and are left only with the executable,” Check Point added.
The malware will then install a backdoor on the infected computer, capable of receiving instructions from a command-and-control server and loading other malicious components. It’ll also infect any future USB drives connected to the computer, making the malware self-propagating.
The incident is a reminder to be careful when using your USB drives. Check Point’s report says the USB malware from Mustang Panda was also spotted infecting victims in Russia and Myanmar. You can check out our guide on preventing USB attacks.
Check Point added: "Users should exercise caution when utilizing the same USB across multiple networks and PCs. Additionally, they should be mindful of the content they interact with on USB devices. It is crucial for corporations to ensure that their endpoint solutions also include USB scanning capabilities."