Original Article Text


New TetrisPhantom hackers steal data from secure USB drives on govt systems

A new sophisticated threat tracked as 'TetrisPhantom' has been using compromised secure USB drives to target government systems in the Asia-Pacific region.

Secure USB drives store files in an encrypted part of the device and are used to safely transfer data between systems, including those in an air-gapped environment. Access to the protected partition is possible through custom software that decrypts the contents based on a user-provided password. One such program is UTetris.exe, which is bundled on an unencrypted part of the USB drive.

Security researchers discovered trojanized versions of the UTetris application deployed on secure USB devices in an attack campaign that has been running for at least a few years and targeting governments in the APAC region. According to Kaspersky's latest report on APT trends, TetrisPhantom uses various tools, commands, and malware components that indicate a sophisticated and well-resourced threat group.

Attack details

Kaspersky shared additional details with BleepingComputer, explaining that an attack with the trojanized UTetris app starts by executing a payload called AcroShell on the target machine. AcroShell establishes a communication line with the attacker's command and control (C2) server and can fetch and run additional payloads to steal documents and sensitive files, and to collect specific details about the USB drives used by the target.

The threat actors also use the information gathered this way for research and development of another malware component called XMKR and of the trojanized UTetris.exe.

"The XMKR module is deployed on a Windows machine and is responsible for compromising secure USB drives connected to the system to spread the attack to potentially air-gapped systems" - Kaspersky

XMKR's capabilities on the compromised device include stealing files for espionage purposes; the stolen data is written to the USB drives. The information on the compromised USB is then exfiltrated to the attacker's server when the storage device is plugged into an internet-connected computer infected with AcroShell.

Kaspersky retrieved and analyzed two malicious UTetris executable variants, one used between September and October 2022 (version 1.0) and another deployed in government networks from October 2022 until now (version 2.0). Kaspersky says these attacks have been ongoing for at least a few years now, with espionage being TetrisPhantom's constant focus. The researchers observed a small number of infections on government networks, indicating a targeted operation.
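The weak point the article describes is that the unlock utility lives on the unencrypted partition, where anything with write access to the drive can replace it. One practical check is to record the SHA-256 of every executable on that partition when a drive is issued and re-audit it from a trusted host before use. The script below is an added example (not Kaspersky's or BleepingComputer's code, and not an indicator from the report): the file contents, the drive layout and the temporary directory standing in for a mounted drive are all constructed for the demonstration, and the file name UTetris.exe is only the name the article gives for the vendor utility.

```python
"""Baseline-and-audit check for executables on the unencrypted partition of a
secure USB drive (added example; constructed sample data, no real indicators)."""
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20
# File types worth baselining on the unencrypted partition; adjust to the drive.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".cmd", ".bat", ".ps1", ".vbs", ".js"}


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(mount: Path) -> dict[str, str]:
    """Map each executable's drive-relative path to its SHA-256.

    Run this once, from a trusted host, on a freshly issued drive and store the
    result off the drive; a baseline kept on the drive can be rewritten along
    with the utility it is meant to protect."""
    return {
        str(path.relative_to(mount)).replace(os.sep, "/"): sha256_file(path)
        for path in mount.rglob("*")
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES
    }


def audit(mount: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the drive against the stored baseline.

    'modified'   -> a baselined executable whose hash changed (a swapped utility)
    'unexpected' -> an executable that was not there at issue time (a dropped file)
    'missing'    -> a baselined executable that has been removed
    """
    current = build_baseline(mount)
    return {
        "modified": sorted(n for n, h in current.items() if n in baseline and baseline[n] != h),
        "unexpected": sorted(n for n in current if n not in baseline),
        "missing": sorted(n for n in baseline if n not in current),
    }


def demo() -> dict[str, list[str]]:
    """Simulate a drive issued clean and later tampered with (constructed data)."""
    with tempfile.TemporaryDirectory() as tmp:
        mount = Path(tmp)  # stands in for the mounted unencrypted partition
        (mount / "UTetris.exe").write_bytes(b"MZ stand-in for the vendor unlock utility")
        (mount / "README.txt").write_text("not an executable; ignored by the audit")
        baseline = build_baseline(mount)

        # Tampering: the unlock utility is replaced and a new executable appears.
        (mount / "UTetris.exe").write_bytes(b"MZ stand-in for a trojanized utility")
        (mount / "update.exe").write_bytes(b"MZ stand-in for a dropped file")
        return audit(mount, baseline)


if __name__ == "__main__":
    print(demo())
```

The audit only covers the unencrypted partition, which is the part an attacker on a compromised Windows host can rewrite without the password; it says nothing about files inside the encrypted area. Run it from the trusted host that holds the baseline, never from a copy of the script kept on the drive, and treat any entry in the modified or unexpected lists as a reason not to enter the password on that machine.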

Daily Brief Summary

MALWARE // TetrisPhantom Malware Targets Asia-Pacific Government Systems Through Compromised USB Drives

A sophisticated threat, TetrisPhantom, has been compromising secure USB drives with trojanized versions of the UTetris application to target government systems in the Asia-Pacific region.

TetrisPhantom uses a range of tools, commands, and malware components, demonstrating the scale and resources of the threat group behind it.

The attack starts with the execution of a payload named AcroShell on the targeted system, which establishes communication with the attacker’s command and control (C2) server.

Armed with the ability to fetch and execute additional payloads, AcroShell can steal documents and sensitive files, as well as collect specific information about the targeted USB drives.

The gathered data is useful for further infection as well as for the research and development of another malware component called XMKR, which is deployed on Windows machines to compromise connected secure USB drives and to collect data from them for espionage purposes.

The stolen data is written to the compromised USB drives and exfiltrated to the attacker's server when those drives are plugged into an internet-connected computer infected with AcroShell.

Kaspersky reports that these attacks have been ongoing for a few years and primarily focus on espionage, with a small number of infections suggesting a targeted operation.