This article is more than 1 year old

Chinese malware intended to infect USB drives accidentally infects networked storage too

Hides itself from popular Asian AV, also uses games to do its dirty work

Malware intended to spread on USB drives is unintentionally infecting networked storage devices, according to infosec vendor Checkpoint.

The software nasty comes from a group called Camaro Dragon that Checkpoint's researchers on Thursday suggested conduct campaigns similar to those run by China's Mustang Panda and LuminousMoth attack gangs.

Checkpoint regards Camaro Dragon as most interested in Asian targets – its code includes features designed to hide it from SmadAV, an antivirus solution popular in the region.

Even so, the firm first spotted the gang's activities in Europe!

"Patient Zero in the malware infection was identified as an employee who had participated in a conference in Asia," Checkpoint's researchers wrote. "He shared his presentation with fellow attendees using his USB drive. Unfortunately, one of his colleagues had an infected computer, so his own USB drive unknowingly became infected as a result.

"Upon returning to his home hospital in Europe, the employee introduced the infected USB drive to the hospital's computer systems, which led the infection to spread."

Checkpoint believes the infection chain starts when a victim launches a malicious Delphi launcher on the infected USB flash drive. Doing so triggers a backdoor that loads malware onto other drives as they connect to the infected machine.

That's nasty, but also containable with various techniques that constrain USB devices.

The malware poses greater risks to enterprise IT, because infected machines install the malware on any newly connected network drives, but not on drives already connected to a machine at the moment of infection.

Checkpoint believes that the spread to newly connected network drives is unintentional.

Taipei, Taiwan

Meet TeamT5, the Taiwanese infosec outfit taking on Beijing and defeating its smears


"Although network drives infected this way theoretically might be used as a means of lateral movement inside the same network, this behavior appears to be more of a flaw than an intentional feature," the researchers wrote. "Manipulating numerous files and replacing them with an executable with a USB thumb drive icon on network drives is a conspicuous activity that can draw additional, unfavorable attention."

And we all know that cyber crime gangs try to keep a low profile for as long as possible so their evil code can do its evil job.

If this code gets to run, it installs a backdoor and tries to exfiltrate data. That makes the apparently accidental infection of networked storage rather serious – in many orgs that's where the good stuff is stored.

Another nasty feature of this malware is that it "also performs DLL-side-loading using components of security software, such as G-DATA Total Security, and of two major gaming companies (Electronic Arts and Riot Games)." Checkpoint has informed the games devs of their unwitting role in Camaro Dragon's plans.

Checkpoint wrote that it's seen the USB-carried code in Myanmar, South Korea, Great Britain, India and Russia.

"The prevalence and nature of the attacks using self-propagating USB malware demonstrate the need of protecting against those, even for organizations that may not be the direct targets of such campaigns," the firm advises. ®

More about


Send us news

Other stories you might like