Malware intended to spread on USB drives is unintentionally infecting networked storage devices, according to infosec vendor Checkpoint.

The malware comes from a group called Camaro Dragon that Checkpoint’s researchers on Thursday suggested conduct campaigns similar to those run by China’s Mustang Panda and LuminousMoth attack gangs.

Checkpoint rates Camaro Dragon as most interested in Asian targets, as its code includes features designed to hide it from SmadAV, an antivirus solution popular in the region.

Yet the firm first spotted the gang’s activities in Europe!

“Patient Zero in the malware infection was identified as an employee who had participated in a conference in Asia,” Checkpoint’s researchers wrote. “He shared his presentation with fellow attendees using his USB drive. Unfortunately, one of his colleagues had an infected computer, so his own USB drive unknowingly became infected as a result.

“Upon returning to his home hospital in Europe, the employee introduced the infected USB drive to the hospital’s computer systems, which led the infection to spread.”

Checkpoint believes the infection chain starts when a victim launches a malicious Delphi launcher on the infected USB flash drive. Doing so triggers a backdoor that loads malware onto other drives as they connect to the infected machine.

That’s nasty, but also containable with various techniques that constrain USB devices.

The malware poses greater risks to enterprise IT because infected machines install the malware on any newly-connected network drives, but not on drives connected to a machine at the moment of infection.

Checkpoint thinks the spread to newly connected network drives is unintentional.

“Although network drives infected this way theoretically might be used as a means of lateral movement inside the same network, this behavior appears to be more of a flaw than an intentional feature,” the firm’s researchers wrote. “Manipulating numerous files and replacing them with an executable with a USB thumb drive icon on network drives is a conspicuous activity that can draw additional, unfavorable attention.”

And we all know that cybercrime gangs try to keep a low profile for as long as possible so their evil code can do its job.

And if this code gets to run, it installs a backdoor and tries to exfiltrate data, making that accidental infection of networked storage rather serious as in many orgs that’s where the good stuff is stored.

Another nasty feature of this malware is that it “also performs DLL-side-loading using components of security software, such as G-DATA Total Security, and of two major gaming companies (Electronic Arts and Riot Games).” Checkpoint has informed the games devs of their unwitting role in Camaro Dragon’s plans.

Checkpoint wrote that it’s seen the USB-carried code in Myanmar, South Korea, Great Britain, India and Russia.

“The prevalence and nature of the attacks using self-propagating USB malware demonstrate the need of protecting against those, even for organizations that may not be the direct targets of such campaigns,” the firm advises. ®

https://www.theregister.com//2023/06/23/camaro_dragon_usb_malware_spreads/