Security News > 2024 > January > Hackers push USB malware payloads via news, media hosting sites

A financially motivated threat actor that relies on USB devices for initial infection, tracked by Mandiant as UNC4990, has been found abusing legitimate online platforms, including GitHub, Vimeo, and Ars Technica, to host encoded payloads embedded in seemingly benign content.
The attackers hide these payloads in plain sight, placing them in forum user profiles on tech news sites or in video descriptions on media hosting platforms, where they look like ordinary user-supplied text.
Ps1, which in turn downloads an intermediary payload that decodes to a URL used to download and install the malware downloader named 'EMPTYSPACE'.
These intermediary payloads are short text strings that decode into the URL of the next stage, EMPTYSPACE. UNC4990 has tried several hosting approaches for them: initially encoded text files on GitHub and GitLab, later Base64-encoded, AES-encrypted strings placed in Vimeo video descriptions and Ars Technica forum profiles.
Visitors to the abused sites are not directly at risk: on their own the hosted strings are inert text, and they only become dangerous on a machine that is already running the first-stage script, which fetches and decodes them. All of the cases documented by Mandiant have since been removed from the intermediary platforms.
Hosting the strings on legitimate, reputable platforms has a practical advantage for the attacker: reputation-based and domain-allowlist controls treat traffic to GitHub, Vimeo, or Ars Technica as benign, so the fetch blends in with normal browsing and is unlikely to be flagged as suspicious. For defenders this means the useful signal is not the destination but the behaviour, such as a script interpreter (the .ps1 stage above) requesting a forum profile or video page and then decoding its contents.
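To make the staging scheme concrete, the following Go program (an added example, not code from the article or from Mandiant's report) builds an intermediary payload of the kind described above and then recovers it from a page of ordinary text. The page only says the strings are Base64-encoded and AES-encrypted and decode to a URL; the key derivation, AES-128-CBC mode, random IV prefixed to the ciphertext, PKCS#7 padding, the passphrase and the URL are all assumptions made for this illustration. The same scanner logic, run over saved copies of profile pages or video descriptions, is what a defender could use to hunt for such blobs if a key were recovered from a first-stage script.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Constructed illustration. The cipher parameters below (key derivation,
// AES-128-CBC, IV prefix, PKCS#7) are assumptions; the page does not
// describe the actual scheme used by UNC4990.

// stageKey derives a 16-byte AES key from a passphrase (assumed scheme).
func stageKey(pass string) []byte {
	sum := sha256.Sum256([]byte(pass))
	return sum[:16]
}

func pkcs7Pad(b []byte, n int) []byte {
	p := n - len(b)%n
	return append(b, bytes.Repeat([]byte{byte(p)}, p)...)
}

func pkcs7Unpad(b []byte, n int) ([]byte, error) {
	if len(b) == 0 || len(b)%n != 0 {
		return nil, errors.New("bad length")
	}
	p := int(b[len(b)-1])
	if p == 0 || p > n || !bytes.Equal(b[len(b)-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-p], nil
}

// EncodeStage produces the text an attacker would paste into a profile or
// video description: base64(IV || AES-CBC(url)). iv must be 16 bytes.
func EncodeStage(url string, key, iv []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pt := pkcs7Pad([]byte(url), aes.BlockSize)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return base64.StdEncoding.EncodeToString(append(append([]byte{}, iv...), ct...)), nil
}

// base64Blob matches runs long enough to hold an IV plus at least one block.
var base64Blob = regexp.MustCompile(`[A-Za-z0-9+/]{40,}={0,2}`)

// ExtractStageURLs scans arbitrary page text for base64 blobs that decrypt
// under key to a plausible URL. Ordinary text, blobs encrypted under another
// key and anything with bad padding are skipped, so benign pages yield nothing.
func ExtractStageURLs(text string, key []byte) []string {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil
	}
	var urls []string
	for _, cand := range base64Blob.FindAllString(text, -1) {
		raw, err := base64.StdEncoding.DecodeString(cand)
		if err != nil || len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
			continue
		}
		iv, ct := raw[:aes.BlockSize], raw[aes.BlockSize:]
		pt := make([]byte, len(ct))
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
		u, err := pkcs7Unpad(pt, aes.BlockSize)
		if err != nil {
			continue
		}
		s := string(u)
		if strings.HasPrefix(s, "http://") || strings.HasPrefix(s, "https://") {
			urls = append(urls, s)
		}
	}
	return urls
}

func main() {
	key := stageKey("example-pass")                 // assumed passphrase
	iv := []byte("0123456789abcdef")                // fixed IV for a reproducible demo
	blob, _ := EncodeStage("https://example.invalid/next-stage", key, iv)
	// Constructed "video description" with the blob hidden among benign text.
	desc := "Great upload, thanks for sharing! " + blob + " See you next week."
	fmt.Println("hidden blob:", blob)
	fmt.Println("recovered  :", ExtractStageURLs(desc, key))
}
```

The length and alignment checks before decryption matter in practice: a scanner that tries to decrypt every long base64 run on a busy forum page without them wastes time and, with a sloppy padding check, produces false hits.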