Suspected Chinese cyberespionage operation UNC4191 has been leveraging USB devices in an effort to compromise targets in Southeast Asia, reports The Record, a news site by cybersecurity firm Recorded Future.
Several public and private sector organizations in Southeast Asia, as well as in the Asia Pacific and Japan region, Europe, and the U.S., have been targeted by UNC4191 since September 2021, according to a Mandiant report, which showed that all systems impacted by the operation were physically located in the Philippines.
Legitimately signed binaries have been used by the attackers to facilitate malware side-loading following initial compromise, researchers said. Malware families used by UNC4191 include DARKDEW, MISTCLOAK, and BLUEHAZE, which together provide a reverse shell for backdoor access and then self-replicate to USB devices, enabling the malware to spread to air-gapped systems.
Such a campaign "showcases Chinese operations to gain and maintain access to public and private entities for the purposes of intelligence collection related to China's political and commercial interests," researchers added.