Threat actor used Vimeo, Ars Technica to serve second-stage malware

A financially motivated threat actor tracked as UNC4990 is using booby-trapped USB storage devices and malicious payloads hosted on popular websites such as Ars Technica, Vimeo, GitHub and GitLab to surreptitiously deliver malware.

Another interesting detail about UNC4990 it’s mostly targeting organizations located in Italy (particularly within the health, transportation, construction, and logistics sectors) and is likely based in that country, as well.

“Based on the extensive use of Italian infrastructure throughout UNC4990 operations, including using Italian blogging platforms for C2, we believe this actor to be operating out of Italy,” Mandiant researchers noted.

Delivering malware via USB drives

The researchers didn’t say how UNC4990 delivers malware-laden removable USB storage devices to victims, but noted that the malicious LNK shortcut file contained in it is highly “clickable”: it’s named based on the vendor of the USB device and storage size – e.g., Kingston (32GB) – and uses the Microsoft Windows default icon for drives.

Once the victim double-clicks the LNK file, a PowerShell script named explorer.ps1 is executed, and it fetches:

• A text file hosted on GitHub or GitLab, and
• A JSON payload from Vimeo (inserted into the description of a Pink Floyd-related video) or Ars Technica’s news forum (the payload was appended to the URL of a profile image contained in the About section of a registered user)

The payload in the Vimeo video description (Source: Mandiant)

The two elements are combined to extract the URL where the final payload is located, and to download and execute it.

That payload (EMPTYSPACE) is a dropper that connects to a command and control (C2) server and downloads additional payloads when told to do so.

Among those is a backdoor named QUIETBOARD, “capable of arbitrary command execution, clipboard content manipulation for crypto currency theft, USB/removable drive infection, screenshotting, system information gathering, and communication with the C2 server,” as well “the capability of modular expansion and running independent Python based code/modules.”

Atypical use of legitimate sites and services

“The legitimate services abused by UNC4990 (…) didn’t involve exploiting any known or unknown vulnerabilities in these sites, nor did any of these organizations have anything misconfigured to allow for this abuse,” the researchers said.

“Additionally, the content hosted on these services posed no direct risk for the everyday users of these services, as the content hosted in isolation was completely benign. Anyone who may have inadvertently clicked or viewed this content in the past was not at risk of being compromised.”

Both the Vimeo video and the image on Ars Technica have since been removed. Ars Technica said its staff removed the image on December 16 “after being tipped off by email from an unknown party.”