
Threat actor used Vimeo, Ars Technica to serve second-stage malware
2024-02-01 10:22

A financially motivated threat actor tracked as UNC4990 is using booby-trapped USB storage devices and malicious payloads hosted on popular websites such as Ars Technica, Vimeo, GitHub and GitLab to surreptitiously deliver malware.

Another interesting detail about UNC4990 is that it mostly targets organizations located in Italy and is likely based in that country as well.

"Based on the extensive use of Italian infrastructure throughout UNC4990 operations, including using Italian blogging platforms for C2, we believe this actor to be operating out of Italy," Mandiant researchers noted.

The researchers didn't say how UNC4990 delivers the malware-laden removable USB storage devices to victims, but noted that the malicious LNK shortcut file on them is highly "clickable": it is named after the USB device's vendor (e.g., Kingston) and storage size, and uses the default Microsoft Windows drive icon.
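A small triage check for the lure described above, added here as an example and not part of the original article: it flags shortcut files at a removable volume's root whose names mimic the drive's own vendor and capacity. The vendor string, capacity and directory listing are constructed sample values, and the naming patterns are an assumption based on the description, not the actor's actual filenames.

```python
import re

# Constructed sample: what the OS reports for a removable volume, plus the
# entries found at its root. Not real UNC4990 artifacts.
SAMPLE_VENDOR = "Kingston"
SAMPLE_SIZE_GB = 32
SAMPLE_ROOT_LISTING = [
    "KINGSTON (32GB).lnk",        # mimics the drive name and size
    "Kingston 32 GB.lnk",         # same idea, different spacing
    "report.docx",                # ordinary document, not a shortcut
    "holiday photos.lnk",         # shortcut, but does not mimic the drive
    "System Volume Information",  # normal Windows folder
]


def lure_lnk_names(vendor, size_gb, listing):
    """Return .lnk entries whose file name mimics the volume itself.

    Heuristic derived from the reported lure: a shortcut placed at the
    volume root and named after the USB vendor and/or its storage size so
    that it looks like the drive. Both patterns are assumptions for this
    example; tune them to the naming you actually observe.
    """
    vendor_re = re.compile(re.escape(vendor), re.IGNORECASE)
    size_re = re.compile(rf"\b{size_gb}\s*GB\b", re.IGNORECASE)
    hits = []
    for name in listing:
        stem, dot, ext = name.rpartition(".")
        if not dot or ext.lower() != "lnk":
            continue  # only shortcut files are of interest here
        if vendor_re.search(stem) or size_re.search(stem):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for suspect in lure_lnk_names(SAMPLE_VENDOR, SAMPLE_SIZE_GB, SAMPLE_ROOT_LISTING):
        print("suspicious shortcut at volume root:", suspect)
```

On a live system, feed it the real volume label and the listing of the drive root; a hit is a reason to quarantine the file for analysis, not proof of infection.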

Both the Vimeo video and the image on Ars Technica have since been removed.

Ars Technica said its staff removed the image on December 16 "after being tipped off by email from an unknown party."
News URL

https://www.helpnetsecurity.com/2024/02/01/vimeo-ars-technica-malware/