TetrisPhantom

A new, sophisticated threat actor tracked as 'TetrisPhantom' has been using compromised secure USB drives to target government systems in the Asia-Pacific region.

Secure USB drives store files in an encrypted part of the device and are used to transfer data securely between systems, including systems in an air-gapped environment.

Access to the protected partition is possible through custom software that decrypts the contents based on a user-provided password. One such program is UTetris.exe, which is bundled on an unencrypted part of the USB drive.

Security researchers discovered trojanized versions of the UTetris application deployed on secure USB devices in an attack campaign that has been running for at least a few years and targeting governments in the APAC region.

According to Kaspersky's latest report on APT trends, TetrisPhantom uses various tools, commands, and malware components that indicate a sophisticated and well-resourced threat group.
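Because the launcher lives on the unencrypted part of the drive, the practical defensive check is to verify it against a known-good manifest before it is ever executed. The script below is an added example, not code from the article or from Kaspersky: it enrols the executables on a trusted drive image into a SHA-256 manifest and then audits a drive against that manifest, reporting binaries that were modified, dropped, or removed. The drive layout and file contents are constructed for the demo; no real UTetris.exe hashes appear here.

```python
"""
Integrity audit for the unencrypted launcher partition of a "secure" USB drive.

Added example (not the article's or vendor's code). The file names and byte
contents used by demo() are constructed; a real manifest would be produced
from a vendor-supplied image, never from a drive that has already been used
in the field.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# File types we treat as "code that could run when the drive is opened".
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".com"}


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in 1 MiB chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _rel(root: Path, p: Path) -> str:
    """Drive-relative, slash-separated path used as the manifest key."""
    return str(p.relative_to(root)).replace(os.sep, "/")


def _executables(root: Path):
    """Yield every executable-looking file below root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in EXECUTABLE_SUFFIXES:
                yield p


def build_manifest(root: Path) -> Dict[str, str]:
    """Enrol a known-good drive image: relative path -> expected SHA-256."""
    return {_rel(root, p): sha256_file(p) for p in _executables(root)}


def audit_launcher_partition(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify each executable on the drive as ok / modified / unknown and
    list manifest entries that are missing from the drive."""
    report: Dict[str, List[str]] = {"ok": [], "modified": [], "unknown": [], "missing": []}
    seen = set()
    for p in _executables(root):
        rel = _rel(root, p)
        seen.add(rel)
        expected = manifest.get(rel)
        if expected is None:
            report["unknown"].append(rel)          # binary not in the trusted image
        elif sha256_file(p).lower() == expected.lower():
            report["ok"].append(rel)
        else:
            report["modified"].append(rel)         # e.g. a trojanized launcher
    report["missing"] = list(set(manifest) - seen)
    for key in report:
        report[key].sort()
    return report


def launcher_is_safe_to_run(report: Dict[str, List[str]]) -> bool:
    """Only a drive whose every executable matches the manifest exactly passes."""
    return not (report["modified"] or report["unknown"] or report["missing"])


def demo(tamper: bool = True) -> Dict[str, List[str]]:
    """Build a constructed drive in a temp dir, enrol it, optionally tamper
    with it the way a field compromise would, and return the audit report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "UTetris.exe").write_bytes(b"constructed launcher bytes")
        (root / "helper.dll").write_bytes(b"constructed helper bytes")
        (root / "README.txt").write_bytes(b"not an executable, ignored")
        manifest = build_manifest(root)  # snapshot of the trusted image
        if tamper:
            # Simulated tampering: launcher replaced, extra binary dropped, helper removed.
            (root / "UTetris.exe").write_bytes(b"constructed launcher bytes + injected stub")
            (root / "update.exe").write_bytes(b"constructed unexpected binary")
            (root / "helper.dll").unlink()
        return audit_launcher_partition(root, manifest)


if __name__ == "__main__":
    result = demo()
    print(result)
    print("safe to run:", launcher_is_safe_to_run(result))
```

The manifest must be captured from a trusted image and stored off the drive; a hash list sitting on the same unencrypted partition can be rewritten by whatever rewrote the launcher.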

“The attack comprises sophisticated tools and techniques, including virtualization-based software obfuscation for malware components, low-level communication with the USB drive using direct SCSI commands, self-replication through connected secure USB drives to propagate to other air-gapped systems and injection of code into a legitimate access management program on the USB drive which acts as a loader for the malware on a new machine.” – Kaspersky

Attack details

Kaspersky shared more details with BleepingComputer, explaining that the attack with the trojanized UTetris app starts by executing a payload called AcroShell on the target machine.

AcroShell establishes a communication line with the attacker's command and control (C2) server and can fetch and run additional payloads to steal documents and sensitive files, and to collect specific details about the USB drives used by the target.

The threat actors also use the information gathered this way for research and development of another piece of malware called XMKR and of the trojanized UTetris.exe.

“The XMKR module is deployed on a Windows machine and is responsible for compromising secure USB drives connected to the system to spread the attack to potentially air-gapped systems” – Kaspersky

XMKR's capabilities on the device include stealing files for espionage purposes; the stolen data is written to the USB drives.

The data on the compromised USB drive is then exfiltrated to the attacker's server when the storage device is plugged into an internet-connected computer infected with AcroShell.

Kaspersky retrieved and analyzed two malicious UTetris executable variants, one used between September and October 2022 (version 1.0) and another deployed in government networks from October 2022 until now (version 2.0).

Kaspersky says these attacks have been ongoing for at least a few years now, with espionage being TetrisPhantom's constant focus. The researchers observed a small number of infections on government networks, indicating a targeted operation.
