A likely China-based threat actor called Cycldek, which security researchers have previously dismissed as a somewhat marginal group with relatively unsophisticated capabilities, may be considerably more dangerous than previously thought.
Cycldek operators have an extensive foothold in the networks of several high-profile targets in Vietnam, Laos, and Thailand. Since at least 2018, the group (aka Goblin Panda and Conimes) has been using a variety of new tools, tactics, and procedures in attacks against government agencies in these countries.
Among the new tools is one called USBCulprit, which appears designed for use in air-gapped environments where systems are not directly accessible from an external network. The malware is capable of stealing targeted data from an infected system and passing it on to connected USB drives. The malware is programmed to copy itself selectively to certain USB drives so it can move laterally to other air-gapped systems each time an infected USB drive is inserted into one.
The fact that it profiles the network connectivity of the infected system and copies this information along with stolen documents to removable drives suggests it was mostly designed to target air-gapped machines.
“To deploy USBCulprit on an air-gapped system, the USB would have to be physically connected to it and an operator would have to manually launch the malware’s executable, either on purpose or by mistake.” The US-led Stuxnet cyberattack that physically destroyed numerous centrifuges at Iran’s Natanz uranium enrichment plant in 2012 is believed to have begun this way, with someone inserting a weaponized USB into a critical system at the facility.
But somewhat puzzlingly, analysis shows that USBCulprit is also able to dump stolen data from a connected USB drive to a local disk on systems that contain a special marker file named “1.txt” in a specific path. This is true regardless of whether the system is connected to the network.
“We can assume that it is either being done by another piece of malware that we don’t have visibility on or that the USBs were picked up by a human handler after data was copied to them, avoiding the need to issue it over the network.”
The malware doesn’t appear to distinguish files based on actual content, so there is no way of identifying the nature of the documents that Cycldek might be fetching from air-gapped systems in government organizations.
The operators of Cycldek appear to have been using USBCulprit at least since 2014 and modifying it ever since. The latest version contains a feature that suggests the malware’s functionality can be extended with new modules as needed.