Pulling information out of computers that are kept off any network has been studied for years: researchers in Israel have demonstrated several ways of exfiltrating data from air-gapped machines in their investigations. Now a malware family has been found doing something comparable in practice, stealing files from isolated computers through their USB ports.
The malware, known as Cycldek (the group behind it is also tracked as Goblin Panda or Conimes), has gained new capabilities, as Kaspersky discovered while analysing attacks in Vietnam, Thailand and Laos. The group was first observed in 2013 attacking military, energy and government organisations in Southeast Asian countries, Vietnam in particular. Infection starts with booby-trapped documents that exploit known Office vulnerabilities such as CVE-2012-0158, CVE-2017-11882 or CVE-2018-0802 and drop the NewCore RAT.
Malware designed to attack computers without the Internet
This activity splits into two variants, called BlueCore and RedCore, which share code and structure but each carry specific functions. RedCore, for example, contains a keylogger and an RDP logger that captures information about users connecting over RDP.
After infection, both download additional tools to facilitate lateral movement and drop more malware. Among them is HDoor, a tool popular on Chinese hacking forums, used to scan internal networks and create tunnels on compromised machines to evade network detection and bypass proxies. This lets the attackers reach an isolated computer as long as it is accessible from the local network, even if it has no direct Internet connection.
Other tools for extracting information are JsonCookies and ChromePass: the former steals cookies from the browser's SQLite databases, the latter passwords saved in the browser. Also among these tools is USBCulprit, which scans various paths on the computer looking for PDF, DOC, WPS, DOCX, PPT, XLS, XLSX, PPTX and RTF files and exports them to a USB drive connected to the computer.
Copy all the information to a USB
The malware is also programmed to copy itself to any USB drive that is inserted, so that it can be carried on to other computers: machines that are isolated from the Internet for security reasons typically rely on removable drives to bring in new files and get work done.
The information the malware copies to the USB drive is packed into an encrypted .RAR file that the attacker can later extract. To run on the target it relies on malicious binaries disguised as benign components of antivirus software. This malware is therefore specifically designed to obtain files from computers that have no Internet connection, such as those used by governments.
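The collection behaviour described above (scan for the listed document types, stage them into an archive on a removable drive, and drop a copy of the executable onto that drive) leaves a recognisable trace in file-activity telemetry. The following is an added example, not code from Kaspersky's report or from the malware itself: a small Python hunt that flags that pattern in a stream of file events. The event format, the process image path `C:\ProgramData\avhelper\avhelper.exe`, the per-event removable-drive flag and the sample events are all constructed for illustration and are not indicators from the page.

```python
"""Hunt for USBCulprit-style document staging in file-activity telemetry.

Added example, not code from the article, Kaspersky or the malware.
The event schema, process names and paths below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
import ntpath

# Document types the article lists as USBCulprit's collection targets.
DOC_EXTS = {".pdf", ".doc", ".wps", ".docx", ".ppt", ".xls", ".xlsx", ".pptx", ".rtf"}
# The article reports a .RAR container; common alternatives are included.
ARCHIVE_EXTS = {".rar", ".zip", ".7z"}
EXEC_EXTS = {".exe", ".dll", ".scr"}


@dataclass
class FileEvent:
    ts: int          # seconds since some epoch (constructed)
    pid: int
    image: str       # image path of the process that touched the file
    action: str      # "read" or "create"
    path: str        # file path touched (Windows-style)
    removable: bool  # True if the volume is removable media (assumed to be set by the sensor)


def _ext(path: str) -> str:
    return ntpath.splitext(path)[1].lower()


def detect_usb_staging(events, min_docs: int = 5, window: int = 600):
    """Return alerts for (a) a process that reads at least `min_docs` distinct
    document files and then creates an archive on removable media within
    `window` seconds of those reads, and (b) any process that drops an
    executable onto removable media (the self-copy behaviour)."""
    docs_read = defaultdict(dict)  # pid -> {document path: first read ts}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        ext = _ext(ev.path)
        if ev.action == "read" and ext in DOC_EXTS:
            docs_read[ev.pid].setdefault(ev.path, ev.ts)
        elif ev.action == "create" and ev.removable:
            if ext in ARCHIVE_EXTS:
                recent = [p for p, t in docs_read[ev.pid].items() if ev.ts - t <= window]
                if len(recent) >= min_docs:
                    alerts.append({"rule": "doc_staging_to_removable", "pid": ev.pid,
                                   "image": ev.image, "docs": len(recent), "archive": ev.path})
            elif ext in EXEC_EXTS:
                alerts.append({"rule": "executable_dropped_on_removable", "pid": ev.pid,
                               "image": ev.image, "file": ev.path})
    return alerts


# Constructed sample telemetry. SUSPECT is a hypothetical image name, chosen
# only to mirror the "looks like an antivirus helper" lure the article mentions.
SUSPECT = r"C:\ProgramData\avhelper\avhelper.exe"
WORD = r"C:\Program Files\Microsoft Office\WINWORD.EXE"
EXPLORER = r"C:\Windows\explorer.exe"

SAMPLE_EVENTS = [
    FileEvent(100, 4242, SUSPECT, "read", r"C:\Users\lan\Documents\budget.xlsx", False),
    FileEvent(101, 4242, SUSPECT, "read", r"C:\Users\lan\Documents\plan.docx", False),
    FileEvent(102, 4242, SUSPECT, "read", r"C:\Users\lan\Desktop\memo.pdf", False),
    FileEvent(103, 4242, SUSPECT, "read", r"C:\Users\lan\Documents\minutes.ppt", False),
    FileEvent(104, 4242, SUSPECT, "read", r"C:\Users\lan\Documents\notes.rtf", False),
    FileEvent(105, 4242, SUSPECT, "read", r"C:\Users\lan\Documents\old.wps", False),
    FileEvent(130, 4242, SUSPECT, "create", r"E:\backup\docs.rar", True),
    FileEvent(131, 4242, SUSPECT, "create", r"E:\avhelper.exe", True),
    # Benign activity that must not fire: Word opens one document, and the
    # user copies a photo to the same USB drive through Explorer.
    FileEvent(200, 5100, WORD, "read", r"C:\Users\lan\Documents\plan.docx", False),
    FileEvent(210, 1200, EXPLORER, "create", r"E:\holiday.jpg", True),
]


if __name__ == "__main__":
    for alert in detect_usb_staging(SAMPLE_EVENTS):
        print(alert)
```

The two thresholds are the tuning knobs: `min_docs` keeps a user archiving a couple of reports for a colleague below the line, while `window` ties the archive creation to a burst of document reads by the same process rather than to reads hours earlier. The executable rule is deliberately unconditional, since on an air-gapped network almost nothing legitimate should be writing binaries to removable media; the volume-type flag is assumed to come from the sensor (a drive-type lookup), because a bare drive letter is not enough to know the target is a USB stick.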