
USB Drives Distribute Spyware as China’s Mustang Panda APT Expands Internationally


A recent incident at a healthcare institution in Europe has brought to light the resurgence of espionage malware that spreads through infected USB drives. This malware, known as WispRider, was discovered by researchers at Check Point Research. The campaign is believed to be the work of a Chinese-state-sponsored APT group that Check Point tracks as “Camaro Dragon,” but is more commonly known as Mustang Panda.

The malware was first discovered when an employee, who had attended a conference in Asia, returned with an infected USB drive. This employee unknowingly introduced the malware into the healthcare institution’s computer systems, leading to its spread. This incident demonstrates how the APT group, previously focused on organizations in Southeast Asia, is now expanding its reach globally.

The researchers also highlighted the alarming role that USB drives play in spreading malware. Because malware on a USB drive can self-propagate to every machine the drive is plugged into, infections spread well beyond their intended targets. This makes USB drives a potent carrier of malware, particularly into air-gapped systems, where network-based attacks are not possible.

The main payload of the WispRider campaign is the backdoor of the same name. The malware has evolved over time and is now more sophisticated than before. It uses a launcher called HopperTick to propagate through USB drives and includes a bypass for SmadAV, an antivirus product popular in Southeast Asia. The malware also abuses legitimate components of security software and of major gaming companies' products to perform DLL side-loading.

The researchers noted that WispRider and HopperTick align with other tools used by Mustang Panda, such as TinyNote and HorseShell. These similarities in infrastructure and operational goals allow for attribution to the Chinese APT group.

The infection process of WispRider begins when a benign USB drive is inserted into an infected computer. The malware manipulates the files on the USB drive, creating hidden folders and copying a Delphi loader onto the drive. When victims attempt to view their files, they unwittingly trigger the infection process on their machines.
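As an added, defender-side illustration (not from the article or from Check Point's report): a small Python audit that flags the drive layout described above, a hidden folder holding the user's real files next to an executable lure named after it. The file names, the constructed sample drive and the hidden-attribute handling are assumptions; the check is a layout heuristic, not a WispRider signature.

```python
import tempfile
from pathlib import Path

# Windows "hidden" attribute bit. Off Windows, os.stat has no st_file_attributes,
# so the dot-prefix convention is used as a fallback for the constructed sample.
FILE_ATTRIBUTE_HIDDEN = 0x2
EXEC_SUFFIXES = {".exe", ".scr", ".com", ".bat", ".cmd", ".lnk"}


def is_hidden(path: Path) -> bool:
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN) or path.name.startswith(".")


def audit_removable_root(root: Path) -> list[str]:
    """Return findings for the trick the article describes: hidden folders at the
    drive root plus an executable placed where a user expecting to open their
    files will click it. Heuristic only; review flagged drives offline."""
    entries = list(root.iterdir())
    hidden_dirs = [p for p in entries if p.is_dir() and is_hidden(p)]
    root_execs = [p for p in entries if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES]
    # A launcher named after a hidden folder is the classic lure layout.
    lure_names = {d.name.lstrip(".").lower() for d in hidden_dirs}

    findings = [f"hidden folder at root: {d.name}" for d in hidden_dirs]
    for exe in root_execs:
        if exe.stem.lower() in lure_names:
            findings.append(f"executable lure mimicking hidden folder: {exe.name}")
        else:
            findings.append(f"executable at root: {exe.name}")
    return findings


def build_sample() -> Path:
    """Constructed drive layout for an offline run; not a real malware artefact."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / ".Photos").mkdir()                       # hidden folder with the real files
    (root / ".Photos" / "trip.jpg").write_bytes(b"\xff\xd8")
    (root / "Photos.exe").write_bytes(b"MZ")         # lure the user clicks to "open" Photos
    return root


if __name__ == "__main__":
    for finding in audit_removable_root(build_sample()):
        print(finding)
```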

WispRider acts as both an infector and a backdoor: it can run from an already infected machine, or infect a new machine that has not yet been compromised. The researchers believe that non-USB infections likely originate from spear-phishing campaigns that deliver an archive containing all the necessary files.

USB-borne cyber threats have been a concern for over two decades but have recently gained popularity among APTs and cybercriminal groups. This attack vector allows threat actors to rapidly spread malware and breach heavily secured networks. Organizations should raise awareness among employees about the dangers of using USB drives from unknown sources and establish strict guidelines regarding their use. Seeking secure alternatives, such as cloud storage or encrypted file-sharing platforms, is also recommended. Additionally, keeping security measures up to date and periodically scanning USB drives for infections can help protect corporate networks.

The incident at the European healthcare institution serves as a reminder of the ongoing threat posed by malware spread through infected USB drives. As APT groups continue to innovate and expand their reach, organizations must remain vigilant in their cybersecurity efforts to prevent future attacks.

Source link
