Italian Businesses Hit by Weaponized USBs Spreading Cryptojacking Malware

Jan 31, 2024NewsroomCryptocurrency / Cybersecurity

A financially motivated threat actor known as UNC4990 is leveraging weaponized USB devices as an initial infection vector to target organizations in Italy.

Google-owned Mandiant said the attacks single out multiple industries, including health, transportation, construction, and logistics.

“UNC4990 operations generally involve widespread USB infection followed by the deployment of the EMPTYSPACE downloader,” the company said in a Tuesday report.

“During these operations, the cluster relies on third-party websites such as GitHub, Vimeo, and Ars Technica to host encoded additional stages, which it downloads and decodes via PowerShell early in the execution chain.”

UNC4990, active since late 2020, is assessed to be operating out of Italy based on the extensive use of Italian infrastructure for command-and-control (C2) purposes.

It’s currently not known if UNC4990 functions only as an initial access facilitator for other actors. The end goal of the threat actor is also not clear, although in one instance an open-source cryptocurrency miner is said to have been deployed after months of beaconing activity.

Details of the campaign were previously documented by Fortgale and Yoroi in early December 2023, with the former tracking the adversary under the name Nebula Broker.

The infection begins when a victim double-clicks on a malicious LNK shortcut file on a removable USB device, leading to the execution of a PowerShell script that’s responsible for downloading EMPTYSPACE (aka BrokerLoader or Vetta Loader) from a remote server via another intermedia PowerShell script hosted on Vimeo.

Yoroi said it identified four different variants of EMPTYSPACE written in Golang, .NET, Node.js, and Python, which subsequently acts as a conduit for fetching next-stage payloads over HTTP from the C2 server, including a backdoor dubbed QUIETBOARD.

A notable aspect of this phase is the use of popular sites like Ars Technica, GitHub, GitLab, and Vimeo for hosting the malicious payload.

“The content hosted on these services posed no direct risk for the everyday users of these services, as the content hosted in isolation was completely benign,” Mandiant researchers said. “Anyone who may have inadvertently clicked or viewed this content in the past was not at risk of being compromised.”

QUIETBOARD, on the other hand, is a Python-based backdoor with a wide range of features that allow it to execute arbitrary commands, alter crypto wallet addresses copied to clipboard to redirect fund transfers to wallets under their control, propagate the malware to removable drives, take screenshots, and gather system information.

Additionally, the backdoor is capable of modular expansion and running independent Python modules like coin miners as well as dynamically fetching and executing Python code from the C2 server.

“The analysis of both EMPTYSPACE and QUIETBOARD suggests how the threat actors took a modular approach in developing their toolset,” Mandiant said.

“The use of multiple programming languages to create different versions of the EMPTYSPACE downloader and the URL change when the Vimeo video was taken down show a predisposition for experimentation and adaptability on the threat actors’ side.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

You May Also Like

5 thoughts on “Italian Businesses Hit by Weaponized USBs Spreading Cryptojacking Malware

  1. Копировальные услуги в Санкт-Петербурге [url=]Полиграфия СЃРїР± дешево дружба[/url] и [url=]Копицентр адреса РІ санкт петербурге РљРѕРїРё центры СЃРїР±[/url]

  2. Good day!
    Struggling with your thesis, research paper,case study or homework?
    With our writers, you’ll never have to worry about sleepless nights again because you can get your papers, written by professionals in no time.


    You submit your instructions and pay for the work
    We assign professional writer for your assignment
    Work one on one with your writer and support specialist till you get perfect result.
    You receive a completed paper within the deadline

    >> [url=]Get your discount now![/url] <> [url=]Order now[/url] <<

    Let us take care of your assignments while you spend your time on the things that interest you most.

    We are here to help anyone who has done a search on words and phrases such as:
    engineering paper title block
    parents are becoming dependent on technology essay
    essay 怎么 写
    problem solving/technology cd
    response essay harry potter and the technology of magic
    biology reproduction and cells using paper
    university of pittsburgh first year engineering paper engineering ethica
    how to cite sources for an economics paper
    risk analysis in business decision making essay
    Ш§Щ„Щ€Щ€Ш±ШЇ 2013
    how chemistry help in our daily life
    what test of statistics and numerical problem solving at ocfa
    case study procter gamble global business services analysis
    essay question how will you finance college
    nuclear chemistry case study
    example of business expansion process essay
    is technology making us dumber synthesis essay
    international paper engineering interships
    essay order online
    three realworld applications of text mining to solve specific business problems by derick jose
    essay on business plans
    international business research paper ideas

  3. Копировальные услуги в Санкт-Петербурге [url=]Типография СЃРїР± дешево 3up[/url] и [url=]Типография СЃРїР± Копировальный центр[/url]

  4. Копировальные услуги в Санкт-Петербурге [url=]Копицентр РЅР° карте СЃРїР± 79l[/url] и [url=]Онлайн-конструктор для создания холстов СЃРїР± Онлайн конструктор для полиграфии[/url]

  5. Привет! Появился вопрос про [url=]деньги в долг не банк[/url]? Предлагаем надежный источник финансовой помощи. Вы можете получить финансирование в долг без лишних вопросов и документов? Тогда обратитесь к нам! Мы предоставляем выгодные условия кредитования, быстрое решение и обеспечение конфиденциальности. Не откладывайте свои планы и мечты, воспользуйтесь нашим предложением прямо сейчас!

Leave a Reply

Your email address will not be published. Required fields are marked *

Unique Visitors
» 4,431 Today
» 42,130 Yesterday
» 108,249 This Week
» 560,391 This Month
» 3,253,678 This Year
» 19,488,773 Total (since 2019-12-11)
» Record: 205,757 (2023-08-13)
Counter by DarkWeb.Solutions