Security News > 2024 > January > Hackers push USB malware payloads via news, media hosting sites
A financially motivated threat actor using USB devices for initial infection has been found abusing legitimate online platforms, including GitHub, Vimeo, and Ars Technica, to host encoded payloads embedded in seemingly benign content.
The attackers hide these payloads in plain sight, placing them in forum user profiles on tech news sites or video descriptions on media hosting platforms.
Ps1, which in turn downloads an intermediary payload that decodes to a URL used to download and install the malware downloader named 'EMPTYSPACE.'.
These intermediary payloads are text strings that decode into a URL to download the next payload: EMPTYSPACE. UNC4990 has tried out several approaches to hosting intermediary payloads, initially using encoded text files on GitHub and GitLab and later switching to abusing Vimeo and Ars Technica for hosting Base64 encoded and AES-encrypted string payloads.
These payloads do not directly threaten the visitors of the abused sites as they are just harmless text strings, and all cases documented by Mandiant have now been removed from the impacted intermediary platforms.
The advantage of hosting the payloads on legitimate and reputable platforms is that they are trusted by security systems, reducing the likelihood of them being flagged as suspicious.
News URL
Related news
- North Korean Hackers Target Crypto Firms with Hidden Risk Malware on macOS (source)
- North Korean hackers use new macOS malware against crypto firms (source)
- Unpatched Mazda Connect bugs let hackers install persistent malware (source)
- North Korean Hackers Target macOS Using Flutter-Embedded Malware (source)
- Iranian Hackers Use "Dream Job" Lures to Deploy SnailResin Malware in Aerospace Attacks (source)
- Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails (source)
- Iranian Hackers Deploy WezRat Malware in Attacks Targeting Israeli Organizations (source)
- Chinese hackers target Linux with new WolfsBane malware (source)
- Russian Hackers Deploy HATVIBE and CHERRYSPY Malware Across Europe and Asia (source)
- North Korean Hackers Steal $10M with AI-Driven Scams and Malware on LinkedIn (source)