Mandiant Managed Defense recently identified cyber espionage activity that heavily leverages USB devices as an initial infection vector and concentrates on the Philippines. Mandiant tracks this activity as UNC4191 and assesses it as a China nexus.
UNC4191 operations have affected a range of public and private sector entities, primarily in Southeast Asia and extending to the U.S., Europe, and APJ. However, even when targeted organizations were based in other locations, the specific systems targeted by UNC4191 were also found to be physically located in the Philippines.
Following initial infection via USB devices, the threat actor leveraged legitimately signed binaries to side-load malware, including three new families: Mistcloak, Darkdew, and Bluehaze.
Successful compromise led to deploying a renamed NCAT binary and execution of a reverse shell on the victim's system, providing backdoor access to the threat actor. The malware self-replicates by infecting new removable drives plugged into a compromised system, allowing the malicious payloads to propagate to additional systems and potentially collect data from air-gapped systems.
Mandiant Managed Defense performs continuous threat hunting for customers, discovering evidence of new tactics, techniques, and procedures (TTPs) that can evade traditional detection mechanisms.
In response to this campaign, Mandiant deployed new real-time detections, enhancing Managed Defense’s protection for its customers from future similar activity. Additionally, the company's adversary operations team created and deployed YARA rules and Mandiant Security Validation Actions.
Each Mandiant threat hunting discovery is evaluated for opportunities to create new real-time detections. These detections help Mandiant identify additional activity across our customers’ environments for rapid escalation and triage analysis and aim to reduce threat actor dwell time.
Following the initial campaign discovery, Mandiant immediately searched the entire Managed Defense customer base for any activity that matched its atomic indicators of interest, including filenames, file paths, file hashes, IP addresses, domains, and other artifacts. This uncovered activity on systems at multiple customers.
Additionally, Mandiant also created or updated real-time Managed Defense detections to identify threat actor methodologies, such as Deployment or usage of NETCAT and NCAT reverse shells; modification of registry Run keys for malware persistence, with arguments configured to execute the Windows binary rundll32.exe; processes launched from the C:\Users\Public\Libraries\ directory.
The company can rapidly identify and provide context around malicious activity by combining Mandiant's threat intelligence service with Managed Defense's detection engineering and threat-hunting capabilities.
Mandiant will continue to monitor UNC4191's campaign and provide notable and dynamic updates regarding changes in tactics and techniques, the introduction of tools with new capabilities, or the use of new infrastructure to carry out its mission.
“Based on available data, such as PE compile timestamps for the malware involved in the aforementioned activity, this campaign potentially extends back to September 2021. Given the worming nature of the malware involved, we may have detected the later stages of this malware’s proliferation,” says Mandiant.
“We believe this activity showcases Chinese operations to gain and maintain access to public and private entities for the purposes of intelligence collection related to China’s political and commercial interests. Our observations suggest that entities in the Philippines are the main target of this operation based on the number of affected systems located in this country that were identified by Mandiant.”