Chinese hacking group Camaro Dragon, also known as Mustang Panda, has been found using a new malware strain that targets USB drives. Researchers from Check Point discovered the malware, which has already infected devices in countries including Great Britain, India, Myanmar, Russia and South Korea.
The malware is designed to spread through compromised USB drives. Check Point traced the infection back to a European hospital, where an employee's USB drive had been connected to a colleague's computer at a conference in Asia; when the employee returned to Europe and plugged the now-infected drive in, the infection spread to the hospital's computer systems.
The malware has two separate components. HopperTick, written in Delphi, is responsible for spreading through USB drives, while WispRider, the payload, is responsible for infecting connected USB devices. WispRider detects USB drives as they are inserted into an infected computer, manipulates their files and creates hidden folders. It also establishes a connection to a remote C2 server.
Check Point found that some WispRider variants act as backdoors and can bypass the Indonesian antivirus program SMADAV. The malware also uses DLL sideloading with G-Data Total Security components and delivers an infostealer module designed to collect files with predetermined extensions for exfiltration.
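As an added defender-side example (not code from Check Point or from the article), the Python script below walks a mounted removable drive and flags the on-disk pattern described above: hidden folders holding executables, with an extra note when an executable and a DLL sit side by side, the layout DLL sideloading depends on. The sample drive layout is constructed in a temporary directory and every path and file name in it is made up.

```python
import os
import stat
import tempfile
from pathlib import Path

# File types worth flagging when found inside a hidden folder on removable media.
PAYLOAD_SUFFIXES = {".exe", ".dll", ".lnk", ".scr", ".bat", ".cmd"}


def is_hidden(path: Path) -> bool:
    """Dot-prefixed on any OS, or carrying the HIDDEN attribute on Windows."""
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def scan_removable_root(root) -> list:
    """Walk a mounted drive and report hidden folders that hold executables or DLLs."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        folder = Path(dirpath)
        if folder == root or not is_hidden(folder):
            continue
        payloads = sorted(f for f in filenames if Path(f).suffix.lower() in PAYLOAD_SUFFIXES)
        if not payloads:
            continue
        suffixes = {Path(f).suffix.lower() for f in payloads}
        findings.append({
            "folder": folder.relative_to(root).as_posix(),
            "files": payloads,
            # An .exe next to a .dll in a hidden folder is the layout DLL sideloading relies on.
            "sideload_layout": {".exe", ".dll"} <= suffixes,
        })
    return findings


def build_sample_drive() -> str:
    """Constructed sample layout standing in for a mounted USB drive (names are made up)."""
    root = Path(tempfile.mkdtemp(prefix="usb_sample_"))
    (root / "Documents").mkdir()
    (root / "Documents" / "report.docx").write_bytes(b"benign")
    (root / ".cache").mkdir()                              # hidden folder with exe + dll
    (root / ".cache" / "updater.exe").write_bytes(b"MZ")
    (root / ".cache" / "helper.dll").write_bytes(b"MZ")
    (root / "photos" / ".thumbs").mkdir(parents=True)      # hidden, but only images
    (root / "photos" / ".thumbs" / "img.jpg").write_bytes(b"\xff\xd8")
    return str(root)


if __name__ == "__main__":
    for hit in scan_removable_root(build_sample_drive()):
        print(hit)
```

Point `scan_removable_root` at the mount point of a real removable drive to triage it; a hit is a lead for the incident responder, not proof of infection on its own.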
Developments in Camaro Dragon's tactics indicate an active effort to circumvent security solutions and rely on widely used tools to steal confidential data from victims. The group previously used the Horse Shell firmware to turn TP-Link routers into intermediary infrastructure for communicating with C2 servers.
Check Point researchers also linked Camaro Dragon to the TinyNote program, an intelligence-gathering tool disguised as an office document that targets Southeast and East Asian embassies. The group's habit of changing its techniques, tactics and procedures reflects an active effort to evade detection and stay ahead of security measures.