New malware can steal data from a PC even if it has no internet connection

in informatic •  4 years ago  (edited)

first of all, I would like to apologize for my English, it's not very good but I wanted to share the information with you.
Getting information from remote computers without connecting anything is something that has been done for years. Researchers in Israel have managed to obtain information remotely in several investigations, and now a malware uses a technique similar to theirs to steal information from a computer through its USB port.

The malware, known as CCycldek (also known as Goblin Panda or Conimes), has added new functionality as discovered by Kaspersky in attacks in Vietnam, Thailand, and Laos. This malware was first discovered in 2013, attacking military, energy, and government infrastructures in Southeast Asian countries, especially Vietnam. To infect computers, modified documents are used that exploit known Office vulnerabilities such as CVE-2012-0158, CVE-2017-11882, or CVE-2018-0802, introducing NewCore RAT malware.

This malware is divided into two variants called BlueCore and RedCore, with similarities at the level of code and structure, but each with specific functions. For example, RedCore contains a keylogger and an RDP logger to capture information about users connected by RPD.

After the infection, both downloaded several additional tools to facilitate "lateral moves" and introduce more malware. Among them was the use of HDoor, popular on Chinese hacking forums to scan internal networks and tunnel into hacked computers to avoid network detections and bypassing proxies. This allows them to extract information from the isolated computer if it is accessible from a local network but not connected directly to the Internet.

Other tools present to extract information are JsonCookies and ChromePass used to steal cookies from SQLite databases for the former, and to steal passwords stored in the browser in the case of the latter. Also, among these additional tools is USBCulprit, capable of scanning various paths on the computer looking for PDF, DOC, WPS, DOCX, PPT, XLS, XLSX, PPTX and RTF files and exporting them to a USB drive connected to the computer.

Also, the malware is programmed to copy itself to different USB drives to be copied to other computers each time a USB drive is inserted since these computers are often used to insert memories to work or to insert new files because they are isolated from the rest of the Internet for security reasons.

3d576366b9a73cbb222e66cfda2de088.jpg

The information that the malware copies to the USB drive is encrypted into a .RAR file that the attacker can then decompress. To infect the computer, it takes advantage of malicious binaries that mimic non-malicious components of antivirus software. Thus, this malware is specifically designed to obtain files from computers that do not have an Internet connection, used for example by governments.

Kaspersky claims that they expect attacks with this malware to continue, as the malware adds more and more functionality and adapts to skip detection by antivirus.

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

W0w!!!!!!!!!!!! Absolutely nuts! I remember someone once telling me if we not connected, we Good!! Times are changing :(
Good feed!