Updated on 2022-11-29
US cybersecurity firm Mandiant has discovered a new cyber-espionage group that is heavily active in Southeast Asia, where it has targeted public and private sector entities using a novel piece of malware that is currently being spread via infected USB devices.

Mandiant said it tracks the group under the temporary name UNC4191 and that current evidence suggests the group might have a Chinese nexus.

Mandiant researchers say the group has focused heavily on targets physically located in the Philippines, although its malware has also been seen in other countries, most likely because the malware spreads across a target's internal network rather than because those countries were deliberately targeted.

UNC4191 attacks rely on a malware strain named MistCloak that is usually introduced into networks via an infected USB device. From this initial entry point, the attackers use MistCloak to download two further Windows trojans, DarkDew and BlueHaze, which act as a backdoor for the group and allow MistCloak to copy itself to other removable USB devices connected to the compromised network.

Read more: Always Another Secret: Lifting the Haze on China-nexus Espionage in Southeast Asia
Overview
An alleged China-based cyber-espionage group, dubbed UNC4191, was found using USB devices as the initial attack vector in campaigns against Philippines-based entities.

Read more: China-linked UNC4191 APT relies on USB Devices in attacks against entities in the Philippines