
Malicious USB drives part of new self-propagating malware campaign

Camaro Dragon spreading self-propagating malware through USB drives

Researchers discovered a new variant of self-propagating malware that is actively being spread via USB drives by what they say is a China state-backed advanced persistent threat (APT) operation dubbed Camaro Dragon.

Check Point Research (CPR) reports it has identified several new variants of the malware while investigating a cybersecurity event at a European healthcare facility. In a report released Thursday, researchers said the incident “highlights the alarming role USB drives play in spreading malware”.

CPR researchers said the healthcare facility was infected after a staff member attending a conference in Asia shared their USB drive with a colleague whose computer was infected, and the malware was passed on to the drive.

“Upon returning to his home hospital in Europe, the employee introduced the infected USB drive to the hospital’s computer systems, which led the infection to spread,” the report said.

Camaro Dragon, an espionage-focused group also known as Mustang Panda and LuminousMoth, has traditionally focused its attacks on Southeast Asian countries. It has been linked to previous campaigns where USB drives were used to spread infections.

CPR said the European hospital infection amounted to an in-the-wild sighting of an exploitation described in a December 2022 report by Avast about a set of malicious tools staged on distribution servers attributed to the threat group.

It also demonstrated how USB-enabled malware infections originating in Southeast Asia could “spread uncontrollably to different networks around the globe, even if those networks are not the threat actors’ primary targets”.

Infected USBs infiltrate isolated systems

“The Camaro Dragon APT group continues to employ USB devices as a method for infecting targeted systems, effectively combining this technique with other established tactics,” the report said.

When a system was infected, the malware not only established a backdoor on the compromised machine, it was also able to spread itself to any USB drives that were subsequently connected to the system.

“The ability to propagate autonomously and uncontrollably across multiple devices enhances this threat’s reach and potential impact. This approach not only enables the infiltration of potentially isolated systems but also grants and maintains access to a vast array of entities, even those that are not primarily targeted.”

When a USB drive was inserted into an infected computer, the malware concealed the user’s files on the drive and added an executable (.exe) launcher with the same name as the drive and a USB thumb drive icon. When the user, not seeing their files, clicked on the executable, they triggered the infection.

“The launcher reveals all of the victim’s previously hidden files and is responsible for unleashing the main backdoor and infecting each new drive it [USB drive] interacts with.”
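A drive-root triage check for the pattern described above, added here as an example and not taken from the CPR report or any vendor tool. It covers the name match and the hidden files only, not the icon; the volume label is assumed to be supplied by the caller, and the `Entry` type and sample listings are constructed for illustration.

```python
import os
import stat
from dataclasses import dataclass

# Folders Windows itself keeps hidden on removable volumes; not evidence of tampering.
SYSTEM_HIDDEN = {"system volume information", "$recycle.bin"}

@dataclass(frozen=True)
class Entry:
    name: str
    hidden: bool
    is_dir: bool

def list_root(root):
    """Snapshot the top level of a mounted drive. The hidden bit only exists on Windows."""
    entries = []
    with os.scandir(root) as it:
        for e in it:
            attrs = getattr(e.stat(follow_symlinks=False), "st_file_attributes", 0)
            hidden = bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
            entries.append(Entry(e.name, hidden, e.is_dir(follow_symlinks=False)))
    return entries

def assess_drive(volume_label, entries):
    """Return the reasons a drive root matches the launcher pattern, or [] if none."""
    findings = []
    visible = [e for e in entries if not e.hidden]
    user_hidden = [e for e in entries if e.hidden and e.name.casefold() not in SYSTEM_HIDDEN]
    launchers = [e for e in visible
                 if not e.is_dir and os.path.splitext(e.name)[1].lower() == ".exe"]
    for e in launchers:
        if os.path.splitext(e.name)[0].casefold() == volume_label.casefold():
            findings.append(f"{e.name}: executable named after the volume label")
    if launchers and user_hidden and len(visible) == len(launchers):
        findings.append(f"{len(user_hidden)} hidden user entries, only executables visible")
    return findings

# Constructed listings for a drive labelled KINGSTON (sample data, not from the report).
INFECTED = [Entry("KINGSTON.exe", False, False), Entry("Reports", True, True),
            Entry("slides.pptx", True, False), Entry("System Volume Information", True, True)]
CLEAN = [Entry("Reports", False, True), Entry("setup.exe", False, False),
         Entry("System Volume Information", True, True)]

if __name__ == "__main__":
    for name, listing in (("infected", INFECTED), ("clean", CLEAN)):
        print(name, assess_drive("KINGSTON", listing))
```

On a live Windows host, pass `list_root("E:\\")` and the drive's label to `assess_drive`; either finding is a reason to hold the drive for analysis before anyone opens the executable.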

New malware variants discovered

As it continued tracking Camaro Dragon, Check Point Research found a number of new versions of the malware used in the European hospital infection.

One new variant of the payload, which it tracks as WispRider, has new backdoor functionality and a mechanism to bypass SmadAV, an antivirus product popular in Southeast Asia.

“It even resorts to DLL-sideloading, using for evasion purposes components from security software like G-DATA Total Security, as well as major gaming companies like Electronic Arts and Riot Games,” CPR said.

WispRider is spread through USB drives using a launcher the researchers track as HopperTick. Both tools share infrastructure and operational goals with other recently discovered malware aligned with Camaro Dragon, including a backdoor, TinyNote, and a malicious router firmware implant, HorseShell.

CPR said its findings, along with other industry research, confirmed that Camaro Dragon and other Chinese-affiliated threat actors were continuing to harness the power of USB devices as an infection vector.

“Their reliance on USB drives to facilitate malware propagation underscores the urgent need for organizations to be vigilant and take steps to protect their assets.” The researchers said organizations needed to educate staff about the potential dangers of using USB drives, implement robust device management policies, and consider alternative solutions such as cloud storage or encrypted file-sharing platforms.

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.
