A rampart new malware strain exploiting USB drives is quickly spreading across the globe, experts have warned.
Cybersecurity firm Check Point published a report outlining how a Chinese state-sponsored group called as Camaro Dragon (also known as Mustang Panda and LuminousMoth) is spreading the malware on a wide scale via infected USB drivers.
WispRider is the name of the main variant being used, which has undergone numerous iterations. It uses the HopperTrick launcher to propagate via USB, and also has a feature to bypass SmadAV, a popular antivirus solution in Southeast Asia.
This region is where the malware began operating, but it then self-propagated through USB drives to other regions of the world. In early 2023, the Check Point Incident Response Team (CPIRT) team found the malware had reached a European healthcare institution.
WispRider is also capable of DLL sideloading, using components belonging to security software, such as G-DATA Total Security, and those belonging to Electronic Arts and Riot Games, two giants in the gaming world. Check Point notified the above companies that attackers had used their respective software.
Check Point says, “The prevalence and nature of the attacks using self-propagating USB malware demonstrate the need of protecting against those, even for organizations that may not be the direct targets of such campaigns.”
It claims to have found USB malware infections in other countries around the world, including Myanmar, South Korea, Great Britain, India and Russia.
Check Point also notes that WispRider aligns with other tools used by Camaro Dragon recently, such as a backdoor called TinyNote and a router firmware implant called HorseShell. “All of them share infrastructure and operational goals,” claims Check Point.
Since the case witnessed at the European hospital, the malware has been upgraded. Now it has a more unified structure, whereby the USB infector, evasions module and backdoor are combined into one payload, as opposed to a separate set of legitimate executables and side-loaded DLLs.
The coding of the malware components has also been revamped, with newer versions of all components now written in C++, whereas the USB launcher was written in Delphi.