New versions of Chinese espionage malware have been observed spreading rapidly through infected USB drives.
The malicious software tools were discovered by Check Point Research (CPR) as part of an attack against a healthcare institution in Europe and described in an advisory published on Thursday.
The Check Point Incident Response Team (CPIRT) investigated the malware attack and found that it was perpetrated by Camaro Dragon, a Chinese-based espionage threat actor also known as Mustang Panda and LuminousMoth.
Read more on Camaro Dragon: New Backdoor MQsTTang Attributed to Mustang Panda Group
While this threat actor has traditionally focused on Southeast Asian countries, CPR said the incident revealed their global reach.
Initial access was obtained using an infected USB drive. An employee, who had participated in a conference in Asia, reportedly shared his presentation with a colleague using his USB drive, which was consequently infected.
Upon the employee’s return to the healthcare institution in Europe, the infected USB drive introduced the malware, leading to the spread of the infection to the hospital’s computer systems.
The malware is part of a toolset labeled “SSE,” which was described in a report by Avast in late 2022. The infection chain starts with a victim launching a malicious Delphi launcher on the infected USB flash drive, unleashing the main backdoor and infecting other drives when plugged in.
One of the malware’s main variants, WispRider, is particularly potent. It can spread through USB drives using the HopperTick launcher and has additional features, such as a bypass mechanism for SmadAV, a popular antivirus software in Southeast Asia.
The malware also employs DLL-sideloading, using components from security software and two major gaming companies for evasion purposes.
“The consequences of a successful infection are twofold: the malware not only establishes a backdoor on the compromised machine but also spreads itself to newly connected removable drives,” CPR warned.
“This approach not only enables the infiltration of potentially isolated systems but also grants and maintains access to a vast array of entities, even those that are not primarily targeted.”
The new CPR advisory comes weeks after the company described a separate attack vector, also attributed to Camaro Dragon.