A new sophisticated threat actor tracked as ‘TetrisPhantom’ has been using compromised secure USB drives to target government systems in the Asia-Pacific region.
Secure USB drives store files in an encrypted part of the device and are used to safely transfer data between systems, including those in an air-gapped environment.
Access to the protected partition is possible through custom software that decrypts the contents based on a user-provided password. One such program is UTetris.exe, which is bundled on an unencrypted part of the USB drive.
Security researchers discovered trojanized versions of the UTetris application deployed on secure USB devices in an attack campaign that has been running for at least a few years and targeting governments in the APAC region.
According to Kaspersky’s latest report on APT trends, TetrisPhantom uses various tools, commands, and malware components that indicate a sophisticated and well-resourced threat group.
“The attack comprises sophisticated tools and techniques, including virtualization-based software obfuscation for malware components, low-level communication with the USB drive using direct SCSI commands, self-replication through connected secure USB drives to propagate to other air-gapped systems and injection of code into a legitimate access management program on the USB drive which acts as a loader for the malware on a new machine.” - Kaspersky
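The weak point described above is that the vendor utility on the unencrypted partition (UTetris.exe on these drives) is trusted and run as-is, so a replaced copy becomes the malware loader on every machine the drive visits. The following added example (not Kaspersky's or BleepingComputer's code) shows the check a defender can run before trusting such a drive: pin the known-good SHA-256 of every file that belongs on the unencrypted partition, flag a changed loader as modified, and flag any executable that is not on the allowlist as unexpected. The allowlist hashes, file names and mount directory are constructed placeholders, not real indicators from the report.

```python
"""Integrity audit of the unencrypted partition of a 'secure' USB drive.

Added example, not code from the page or from Kaspersky. The allowlist
hashes and sample files are constructed placeholders, not real IoCs.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Extensions that should never appear on the drive unless allowlisted.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd",
                       ".ps1", ".vbs", ".js", ".lnk"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large payloads do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_unencrypted_partition(mount: Path, allowlist: dict[str, str]) -> list[dict]:
    """Walk the mounted unencrypted partition and classify every file.

    allowlist maps a relative path (e.g. 'UTetris.exe') to its expected SHA-256.
    Status values:
      'ok'         allowlisted file whose hash matches
      'modified'   allowlisted file whose hash differs (possible trojanized loader)
      'unexpected' executable that is not on the allowlist (possible dropped payload)
      'ignored'    non-executable file not on the allowlist
      'missing'    allowlisted file that is absent from the drive
    """
    findings = []
    seen = set()
    for path in sorted(p for p in mount.rglob("*") if p.is_file()):
        rel = path.relative_to(mount).as_posix()
        seen.add(rel)
        digest = sha256_file(path)
        if rel in allowlist:
            status = "ok" if digest == allowlist[rel] else "modified"
        elif path.suffix.lower() in EXECUTABLE_SUFFIXES:
            status = "unexpected"
        else:
            status = "ignored"
        findings.append({"path": rel, "sha256": digest, "status": status})
    for rel in allowlist:
        if rel not in seen:
            findings.append({"path": rel, "sha256": None, "status": "missing"})
    return findings


def build_sample_drive() -> tuple[Path, dict[str, str]]:
    """Constructed sample: a fake unencrypted partition in a temp directory.

    The known-good hash of UTetris.exe is computed from placeholder bytes and the
    file on the 'drive' is written with different bytes to simulate a swapped loader.
    """
    root = Path(tempfile.mkdtemp(prefix="usb_unencrypted_"))
    good_loader = b"PLACEHOLDER: vendor loader bytes"           # assumed known-good build
    allowlist = {
        "UTetris.exe": hashlib.sha256(good_loader).hexdigest(),
        "README.txt": hashlib.sha256(b"read me").hexdigest(),
    }
    (root / "UTetris.exe").write_bytes(b"PLACEHOLDER: replaced loader")  # -> modified
    (root / "README.txt").write_bytes(b"read me")                        # -> ok
    (root / "extras").mkdir()
    (root / "extras" / "update.dll").write_bytes(b"constructed payload")  # -> unexpected
    (root / "notes.txt").write_bytes(b"harmless text")                   # -> ignored
    return root, allowlist


def run_demo() -> dict[str, str]:
    """Audit the constructed sample drive and return {relative path: status}."""
    root, allowlist = build_sample_drive()
    return {f["path"]: f["status"] for f in audit_unencrypted_partition(root, allowlist)}


if __name__ == "__main__":
    for rel_path, status in sorted(run_demo().items()):
        print(f"{status:10s} {rel_path}")
```

In practice the allowlist would be built once from a freshly provisioned drive (or the vendor's published hashes) and the audit run from an endpoint-protection or removable-media policy hook before the drive's utility is allowed to execute; a `modified` or `unexpected` result is the point at which the drive should be quarantined rather than plugged into the next, possibly air-gapped, machine.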
Attack details
Kaspersky shared further details with BleepingComputer, explaining that the attack with the trojanized UTetris app starts with executing a payload called AcroShell on the target device.
AcroShell establishes a communication line with the attacker’s command and control (C2) server and can fetch and run additional payloads to steal documents and sensitive files, and collect specific details about the USB drives used by the target.
The threat actors also use the information gathered this way for research and development of another malware called XMKR and the trojanized UTetris.exe.
"The XMKR module is deployed on a Windows machine and is responsible for compromising secure USB drives connected to the system to spread the attack to potentially air-gapped systems" - Kaspersky
XMKR’s capabilities on the machine include stealing files for espionage purposes, and the data is written on the USB drives.
The information on the compromised USB is then exfiltrated to the attacker's server when the storage device plugs into an internet-connected computer infected with AcroShell.
Kaspersky retrieved and analyzed two malicious UTetris executable variants, one used between September and October 2022 (version 1.0) and another deployed in government networks from October 2022 until now (version 2.0).
Kaspersky says these attacks have been ongoing for at least a few years now, with espionage being TetrisPhantom's constant focus. The researchers observed a small number of infections on government networks, indicating a targeted operation.