Camaro Dragon APT Group Continues to Employ USB Devices as Initial Attack Vector

Stu Sjouwerman | Jul 7, 2023

Apparently expanding its efforts beyond Southeast Asia, this threat group's known malware has turned up in a European healthcare facility, raising fresh concerns about USB-based attacks.

You might think that almost no one uses USB drives anymore, which would make them an improbable attack vector. And yet security researchers at Check Point have tracked the Camaro Dragon APT group for well over a year, finding USB-delivered attacks throughout last year and into this year.

Its main payload, dubbed "WispRider," has been enhanced over that time and now offers a number of notable capabilities, including:

  • Backdoor access to the infected endpoint
  • Propagation via USB devices using the HopperTick launcher
  • DLL side-loading through components of legitimate security software
  • Bypassing the SmadAV antivirus (a product popular in Southeast Asia)
  • Hiding its files in folders named to look like legitimate security vendor install locations

Simply put, Camaro Dragon's malware not only establishes backdoor access on a compromised endpoint but also copies itself onto removable drives that are connected afterwards, turning every USB thumb drive and external disk that touches an infected host into a carrier for the next infection.
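Two of the capabilities listed above (side-loading a malicious DLL next to a legitimate security product's executable, and running from a folder named to look like a vendor install location) leave a pattern a defender can hunt for on a live host: a signed executable that has loaded an unsigned DLL from its own directory, especially when that directory is outside the normal vendor install roots. The script below is an added example written for this post, not code from KnowBe4 or from Check Point's research; the trusted-root list and the column names are my own choices, and the check is generic to side-loading rather than specific to WispRider's file names, which this post does not give.

```powershell
# Added hunting example (not from the original post): flag running processes whose main
# image is Authenticode-signed but which have loaded an unsigned (or invalidly signed)
# DLL from the same directory as that image. Run in an elevated PowerShell session;
# protected processes and cross-bitness processes cannot be inspected and are skipped.

function Find-SideLoadCandidates {
    [CmdletBinding()]
    param(
        # Directories treated as normal vendor install roots (assumption for this example);
        # a signed vendor binary running from anywhere else gets OutsideVendorDirs = $true.
        [string[]]$TrustedRoots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot")
    )

    $signatureCache = @{}   # avoid re-verifying the same file for every process that loads it
    function Get-SigStatus([string]$Path) {
        if (-not $signatureCache.ContainsKey($Path)) {
            try   { $signatureCache[$Path] = Get-AuthenticodeSignature -FilePath $Path }
            catch { $signatureCache[$Path] = $null }
        }
        return $signatureCache[$Path]
    }

    foreach ($proc in Get-Process) {
        $image = $proc.Path
        if (-not $image) { continue }                       # no access to the image path
        $imageSig = Get-SigStatus $image
        if (-not $imageSig -or $imageSig.Status -ne 'Valid') { continue }   # only signed hosts matter here

        $imageDir = Split-Path -Parent $image
        try { $modules = $proc.Modules } catch { continue }  # access denied or 32/64-bit mismatch

        foreach ($m in $modules) {
            $dll = $m.FileName
            if (-not $dll -or $dll -ieq $image) { continue }             # skip the image itself
            if ($dll -notmatch '\.dll$') { continue }
            if ((Split-Path -Parent $dll) -ine $imageDir) { continue }   # only same-directory loads
            $dllSig = Get-SigStatus $dll
            if ($dllSig -and $dllSig.Status -eq 'Valid') { continue }    # signed DLL, not a side-load hit

            $inTrusted = $false
            foreach ($root in $TrustedRoots) {
                if ($root -and $imageDir.StartsWith($root, 'OrdinalIgnoreCase')) { $inTrusted = $true }
            }
            $dllStatus = if ($dllSig) { $dllSig.Status.ToString() } else { 'Unreadable' }

            [pscustomobject]@{
                ProcessId         = $proc.Id
                Image             = $image
                ImageSigner       = $imageSig.SignerCertificate.Subject
                UnsignedDll       = $dll
                DllSigStatus      = $dllStatus
                OutsideVendorDirs = -not $inTrusted
            }
        }
    }
}

Find-SideLoadCandidates | Sort-Object OutsideVendorDirs -Descending | Format-Table -AutoSize
```

Expect noise: plenty of legitimate software ships unsigned helper DLLs beside a signed executable, so this is a triage list, not an alert. The rows worth opening first are those where OutsideVendorDirs is true and ImageSigner is a security vendor, since a vendor-signed binary running from a user-writable folder is exactly the disguise described above. Confirm a hit by hashing the DLL and comparing it with the vendor's shipped file before calling it an incident.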

And with these attacks now showing up in Europe, this APT group can no longer be treated as a regional threat.

We recommend blocking access to USB drives wherever a role within the organization does not require them, together with security awareness training that teaches users the dangers of plugging in unknown USB devices.
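On Windows the recommendation above maps to the "Removable Disks" access policies, which Group Policy writes as DWORD values under HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices. The script below is an added example for this post, not KnowBe4's or Check Point's code; it applies and reads back those values locally so the effect can be tested on one host before it is rolled out as a GPO. The function names and the choice of a deny-write-plus-deny-execute baseline are mine.

```powershell
# Added example (not from the original post): enforce the "Removable Disks: Deny ..." policies
# through the registry values Group Policy uses. The GUID is the Removable Disks device setup
# class those policies are keyed on. Run elevated. On a domain-joined host set the equivalent
# GPO instead; a local edit is overwritten at the next policy refresh if a GPO manages these values.

$RemovableDisksClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$PolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDisksClass"

function Set-RemovableDiskPolicy {
    param(
        [switch]$DenyRead,
        [switch]$DenyWrite,
        [switch]$DenyExecute
    )
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # Each switch becomes 1 (deny) or 0 (allow); writing 0 explicitly clears an earlier deny.
    foreach ($pair in @(@('Deny_Read', $DenyRead), @('Deny_Write', $DenyWrite), @('Deny_Execute', $DenyExecute))) {
        $name, $enabled = $pair
        New-ItemProperty -Path $PolicyKey -Name $name -PropertyType DWord -Value ([int][bool]$enabled) -Force | Out-Null
    }
}

function Get-RemovableDiskPolicy {
    $result = [ordered]@{}
    foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
        $value = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        $result[$name] = [bool]$value
    }
    [pscustomobject]$result
}

# Baseline for roles that still need to read data from USB drives: block execution from the
# drive (so a launcher stored on the drive cannot be run in place) and block writes (so an
# infected host cannot seed newly inserted drives the way this malware does).
Set-RemovableDiskPolicy -DenyWrite -DenyExecute

# For roles with no USB requirement, deny everything:
# Set-RemovableDiskPolicy -DenyRead -DenyWrite -DenyExecute

Get-RemovableDiskPolicy
```

Two caveats. Deny_Execute only stops files from running directly off the removable disk; a user can still copy a disguised launcher to the local disk and run it there, which is why the awareness training half of the recommendation still matters. And these values cover the Removable Disks class only; the "All Removable Storage classes: Deny all access" policy (the Deny_All value on the parent RemovableStorageDevices key) is the broader control when phones, cameras and other mass-storage classes should be blocked as well.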
