Kaspersky Lab: TetrisPhantom targets government entities in APAC
Kaspersky Lab security researchers have uncovered a new campaign, dubbed TetrisPhantom, in which secure USB drives are abused to target government systems in the Asia-Pacific region.
These secure USB drives store files in an encrypted partition and are used to move data safely between systems, including into isolated (air-gapped) environments. Access to the encrypted partition is provided by dedicated software that decrypts the content with a user-supplied password. One such program is UTetris.exe, which resides in the unencrypted portion of the USB drive.
Researchers found trojanized versions of UTetris deployed on these secure USB devices during the campaign, which spanned several years and primarily targeted governments in the Asia-Pacific region. TetrisPhantom uses a range of tools, commands, and malware components, indicating a sophisticated and well-resourced group.
According to the researchers, the attack encompasses intricate tools and techniques, including:
- Malware component obfuscation based on virtualization;
- Low-level interaction with the USB drive using direct SCSI commands;
- Self-replication across connected secure USB drives to infiltrate other isolated systems;
- Injection into the legitimate USB access management program, which acts as the malware loader on a new machine.
Kaspersky Lab also described how the attack unfolds once the compromised UTetris application runs: it first executes a payload named AcroShell on the target machine. AcroShell communicates with a command-and-control (C2) server, from which it can receive and execute additional payloads to steal documents and confidential files; it also collects information about the USB drives in use.
The adversaries use this gathered information to develop further malware, namely the XMKR module and the trojanized UTetris.exe. XMKR is deployed on a Windows computer and is responsible for infecting the secure USB drives connected to it, so that the attack can spread to networks that may be isolated.
On the infected machine, XMKR handles espionage-related file theft and writes data to the USB drives. Information about a compromised USB drive reaches the C2 server when the drive is later connected to an internet-connected computer that has been compromised by AcroShell.
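Because the campaign hinges on replacing UTetris.exe in the unencrypted region of the drive, a practical defensive check is to verify that region against a vetted baseline before the access utility is launched. The following is an added example (not Kaspersky's code or the vendor's): it hashes UTetris.exe on a mounted drive against an allowlist of known-good digests and flags any extra executables dropped beside it; the allowlist value and the expected-file set are placeholders an organisation would fill from its own golden copies.

```python
import hashlib
from pathlib import Path

# Placeholder allowlist: SHA-256 digests of UTetris.exe builds your organisation
# has vetted. Constructed for this example; real digests come from your own
# golden copies, never from a drive found in the field.
KNOWN_GOOD_UTETRIS = {
    "PLACEHOLDER_SHA256_OF_VETTED_UTETRIS_BUILD",
}

# Executables the unencrypted region is expected to carry (assumed: only the
# access utility itself). Anything else with an executable extension is suspect.
EXPECTED_EXECUTABLES = {"UTetris.exe"}
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_unencrypted_region(mount: Path, allowlist=KNOWN_GOOD_UTETRIS) -> list:
    """Return a list of findings for the unencrypted region of a secure USB drive.

    Two checks mirror the tradecraft described above: the access utility has
    been swapped for an unknown build, or extra executables have been staged
    next to it. An empty list means the region matches the baseline.
    """
    findings = []
    utetris = mount / "UTetris.exe"
    if not utetris.is_file():
        findings.append("UTetris.exe missing from unencrypted region")
    else:
        digest = sha256_of(utetris)
        if digest not in allowlist:
            findings.append(f"UTetris.exe hash not in allowlist: {digest}")
    for candidate in sorted(mount.rglob("*")):
        if (candidate.is_file()
                and candidate.suffix.lower() in EXECUTABLE_SUFFIXES
                and candidate.name not in EXPECTED_EXECUTABLES):
            findings.append(f"unexpected executable: {candidate.relative_to(mount)}")
    return findings
```

Run it against the mount point of the drive's public partition; any finding should block the utility from being launched and trigger a forensic copy of the drive rather than a silent clean-up.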
The researchers have confirmed that these attacks have been under way for several years, with espionage as TetrisPhantom's primary objective. They note that only a small number of government networks were infected, which points to a highly targeted operation.