Malware linked to a Chinese hacking group has spread to Europe thanks to its ability to “self-propagate” over USB thumb drives, a cybersecurity vendor says.
The findings come from Check Point, which investigated a malware attack at a health institution in Europe earlier this year. The technical evidence shows the malware bears similarities with attacks from a Chinese espionage group dubbed Mustang Panda.
The cybersecurity vendor then traced the infection back to a USB drive belonging to an employee at the European hospital. The same USB drive had been previously taken to a conference in Asia.
“He (the employee) shared his presentation with fellow attendees using his USB drive. Unfortunately, one of his colleagues had an infected computer, so his own USB drive unknowingly became infected as a result,” Check Point said.
After returning to Europe, the employee then slotted the USB drive into a hospital computer, thereby spreading the infection to another continent.
Check Point suspects the European health institution was merely “collateral damage,” and not the intended target. That’s because the Chinese hacking group behind the malware, Mustang Panda, has historically targeted countries in Southeast Asia.
Check Point points out the incident provides an “in-the-wild sighting” of hacking tools the antivirus provider Avast described last December in a report about Mustang Panda. At the time, Avast had uncovered an FTP server the Chinese hacking group was using to host its hacking tools, which included a launcher, written in Delphi, to install malware over a USB drive.
The malware works by hiding all the files on the USB drive. When a user opens the drive on a computer, they instead see an executable program that bears the USB drive’s name, alongside a folder named “Kaspersky,” a reference to the antivirus company.
The Kaspersky name may fool users into thinking their USB drive has undergone some security protection. In reality, the executable is a malicious launcher; if the user clicks on it, the malware begins copying itself to the computer while also revealing the previously hidden files on the USB drive, so the drive appears to return to normal.
“There is no special technique used in this USB infection flow to automatically run the Delphi launcher. The scheme fully relies on social engineering; the victims can no longer see their files on the drive and are left only with the executable,” Check Point added.
The malware will then install a backdoor on the infected computer, capable of receiving instructions from a command-and-control server and loading other malicious components. It’ll also proceed to infect any future USB drives connected to the computer, making the malware self-propagating.
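The infection flow described above is easy to recognise on a drive before anyone double-clicks anything: the victim’s files carry the Windows hidden/system attributes, and a visible executable named after the volume sits at the root, optionally beside a “Kaspersky” folder. The following Python triage script is an added example, not code from Check Point’s report or from the malware; it reads a mounted drive’s top-level listing, flags that combination, and prints the `attrib` commands to restore the hidden files. The volume label is supplied by the analyst, the `.scr`/`.com` launcher extensions and the dot-file stand-in for the hidden flag on non-Windows hosts are assumptions, and the sample entries in the usage note are constructed.

```python
import os
from dataclasses import dataclass, field
from typing import List, Optional

# Win32 file-attribute bits; the lure sets these on the victim's real files.
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04

# Legitimately hidden/system entries on a normal Windows-formatted volume;
# they must not be counted as "hidden user files" or every drive looks infected.
VOLUME_METADATA = {"system volume information", "$recycle.bin"}

# Extensions that launch on double-click. The article describes an .exe;
# .scr and .com are added here as an assumption.
LAUNCHER_EXTENSIONS = (".exe", ".scr", ".com")


@dataclass
class Entry:
    name: str
    is_dir: bool
    hidden: bool


@dataclass
class Assessment:
    verdict: str                      # "suspicious" or "clean"
    lure_executable: Optional[str]    # visible executable named after the drive
    kaspersky_folder: bool            # decoy folder present at the root
    hidden_user_entries: List[str] = field(default_factory=list)


def list_volume_root(root: str) -> List[Entry]:
    """Top-level listing of a mounted volume. On Windows the hidden/system bits
    come from st_file_attributes; elsewhere (e.g. testing on a Linux host) a
    leading dot stands in for the hidden flag, which is an assumption."""
    entries = []
    with os.scandir(root) as it:
        for e in it:
            st = e.stat(follow_symlinks=False)
            attrs = getattr(st, "st_file_attributes", 0)
            hidden = bool(attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM))
            hidden = hidden or e.name.startswith(".")
            entries.append(Entry(e.name, e.is_dir(follow_symlinks=False), hidden))
    return entries


def assess_usb_lure(volume_label: str, entries: List[Entry]) -> Assessment:
    """Flag the pattern Check Point describes: user files hidden, a visible
    executable carrying the drive's name, and a visible "Kaspersky" folder."""
    label = volume_label.lower()
    lure = None
    kaspersky = False
    hidden_user: List[str] = []
    for e in entries:
        lname = e.name.lower()
        if e.hidden:
            if lname not in VOLUME_METADATA:
                hidden_user.append(e.name)
            continue
        if e.is_dir and lname == "kaspersky":
            kaspersky = True
        stem, ext = os.path.splitext(lname)
        if not e.is_dir and stem == label and ext in LAUNCHER_EXTENSIONS:
            lure = e.name
    # A drive-named executable on its own could be a legitimate tool; it is the
    # combination with hidden user files (or the decoy folder) that is the lure.
    suspicious = lure is not None and (bool(hidden_user) or kaspersky)
    return Assessment("suspicious" if suspicious else "clean", lure, kaspersky, hidden_user)


def unhide_commands(root: str, assessment: Assessment) -> List[str]:
    """attrib commands an analyst runs on the Windows host to make the victim's
    files visible again without executing anything from the drive."""
    return ['attrib -h -s "%s"' % os.path.join(root, name)
            for name in assessment.hidden_user_entries]


if __name__ == "__main__":
    import sys
    # usage: python usb_lure_check.py E:\ KINGSTON   (drive root, volume label)
    root, label = sys.argv[1], sys.argv[2]
    result = assess_usb_lure(label, list_volume_root(root))
    print(result)
    for cmd in unhide_commands(root, result):
        print(cmd)
```

On a drive labelled KINGSTON, a constructed listing of `KINGSTON.exe` (visible), `Kaspersky` (visible folder), `talk.pptx` (hidden) and `System Volume Information` (hidden, ignored) yields the verdict `suspicious`, with `talk.pptx` as the only hidden user entry; the same drive with the presentation visible and no drive-named executable is reported `clean`. Note that Windows Explorer hides known extensions by default, so the victim sees a file called simply “KINGSTON”, which is why the script matches on the stem rather than the displayed name. Running the check from a non-Windows analysis host, or with autorun and execution from removable media blocked by policy, keeps the launcher from being triggered during triage.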
The incident is a reminder to be careful when using your USB drives. Check Point’s report goes on to say the USB malware from Mustang Panda has also been spotted infecting victims in Russia and Myanmar. You can check out our guide on preventing USB attacks.