A financially motivated threat actor known as UNC4990 is leveraging weaponized USB devices as an initial infection vector to target organizations in Italy.
Google-owned Mandiant said the attacks hit multiple industries, including healthcare, transportation, manufacturing and logistics.
“UNC4990 operations typically involve extensive USB infection followed by deployment of the EMPTYSPACE downloader,” the company said in a Tuesday report.
“During these operations, the cluster relies on third-party websites such as GitHub, Vimeo, and Ars Technica to host encoded additional steps, which it downloads and decodes via PowerShell early in the execution chain.”
UNC4990, which has been active since late 2020, is projected to operate from Italy based on extensive use of Italian infrastructure for command-and-control (C2) purposes.
It is currently not known whether UNC4990 merely acts as an initial access facilitator for other actors. The ultimate goal of the threat actor is unclear, although one example states that an open-source cryptocurrency miner has been deployed after months of beaconing activity.
Details of the campaign were first documented by Fortgale and Yoroi as early as December 2023, with the former tracking the opponent under the name Nebula Broker.
The infection begins when a victim double-clicks on a malicious LNK shortcut file on a removable USB device, leading to the execution of a PowerShell script that’s responsible for downloading EMPTYSPACE (aka BrokerLoader or Vetta Loader) from a remote server via another intermediate PowerShell script hosted on Vimeo.
Yoroi said it identified four different variants of EMPTYSPACE written in Golang, .NET, Node.js, and Python, which subsequently acts as a conduit for fetching next-stage payloads over HTTP from the C2 server, including a backdoor dubbed QUIETBOARD.
A notable aspect of this phase is the use of popular sites such as Ars Technica, GitHub, GitLab, and Vimeo to host the malicious payload.
“The content hosted on these services poses no direct risk to everyday users of these services, as the individual hosted content was completely benign,” the Mandiant researchers said. “Anyone who may have inadvertently clicked on or viewed this content in the past will not be at risk of being compromised.”
QUIETBOARD, on the other hand, is a Python-based backdoor with a wide range of features that allow it to execute arbitrary commands, alter crypto wallet addresses copied to clipboard to redirect fund transfers to wallets under their control, propagate the malware to removable drives, take screenshots, and gather system information.
Additionally, the backdoor is capable of running independent Python modules such as modular extensions and coin miners, as well as dynamically fetching and executing Python code from the C2 server.
“The analysis of both EmptySpace and Quitboard shows how threat actors took a modular approach in developing their toolsets,” Mandiant said.
“The use of multiple programming languages to create different versions of the EMPTYSPACE downloader and change the URL when a Vimeo video is removed shows a penchant for experimentation and adaptability on the part of threat actors.”
