Security Experts:

Connect with us

Hi, what are you looking for?



Chinese Hackers Target Air-Gapped Systems With Custom USB Malware

For years, a China-linked threat actor named Cycldek has been exfiltrating data from air-gapped systems using a previously unreported, custom USB malware family, Kaspersky reports.

For years, a China-linked threat actor named Cycldek has been exfiltrating data from air-gapped systems using a previously unreported, custom USB malware family, Kaspersky reports.

Also referred to as Goblin Panda and Conimes, the hacking group has been actively targeting governments in Southeast Asia over the past two years, with its activities separated into two main clusters that are under the supervision of a single entity.

Active since at least 2013, the group is known for its focus on Vietnam, a pattern of activity that has remained unchanged over time. Previously, the threat actor was observed using malware such as PlugX, which was typically leveraged by other Chinese-speaking actors as well, and NewCore RAT.

Over the past two years, the group has remained highly active in Southeast Asia and continued the use of NewCore RAT in attacks, but also switched to other unreported implants and various commodity tools.

Most of the attacks featured a politically themed RTF document served to victims in phishing emails and designed to exploit known Microsoft Office vulnerabilities, including CVE-2012-0158, CVE-2017-11882, and CVE-2018-0802.

The final payload in these attacks is the NewCore RAT, but Kaspersky discovered two variants of the malware being used (referred to as BlueCore and RedCore), which led to the identification of two different clusters of activity.

The variants share similar behavior, run code from DLLs impersonating dependencies of legitimate AV utilities, and leverage similar injected shellcode to run their implants, but also contain clear differences, such as functionality that is present only in RedCore: keylogging, device enumeration, RDP logger, and proxy server.

Both malware versions were used to target diplomatic and government entities, but each was focused on a different geography, Kaspersky believes. The BlueCore operators mainly targeted Vietnam and launched several attacks on Laos and Thailand, while the RedCore operators started with Vietnam but switched focus to Laos by the end of 2018.

“Furthermore, considering both differences and similarities, we are able to conclude that the activities we saw are affiliated to a single actor, which we refer to as Cycldek. In several instances, we spotted unique tools crafted by the group that were downloaded from servers of both groups,” Kaspersky’s security researchers explain.

One such tool is USBCulprit, a piece of previously unreported malware that was observed being downloaded by RedCore implants and which can scan various paths in victim machines and collect specific documents and pass them on to USB drives that are connected to the system.

“It can also selectively copy itself to a removable drive in the presence of a particular file, suggesting it can be spread laterally by having designated drives infected and the executable in them opened manually,” Kaspersky says.

USBCulprit, the researchers note, has been in use since 2014, with the most recent samples released at the end of 2019. Since 2017, the malware has had the capability to execute files with a given name from a connected USB, which indicates an ability to extend functionality through modules, the researchers say.

In preparation for its execution, the malware modifies registry keys to hide the extensions of files in Windows and ensure hidden files are not shown to the user, then writes several files to disk. It also scans the disk to collect files for exfiltration, including documents with the extensions *.pdf, *.doc, *.wps, *docx, *ppt, *.xls, *.xlsx, *.pptx and *.rtf.

These files are stored in encrypted RAR archives and then written to removable drives connected to the machine. The malware wakes at specific intervals to check for connected drives and write data to them, if a certain marker is found locally.

The malware is also capable of lateral movement: based on the existence of another marker, it would copy its binary to the same folder on the USB drive where the files for exfiltration are located. Because no mechanism to trigger the malware’s execution upon USB connection was found, the researchers believe it is supposed to be run manually by a human handler.

“The characteristics of the malware can give rise to several assumptions about its purpose and use cases, one of which is to reach and obtain data from air-gapped machines. This would explain the lack of any network communication in the malware, and the use of only removable media as a means of transferring inbound and outbound data,” the researchers note.

In addition to USBCulprit, both BlueCore and RedCore fetched other tools for lateral movement or information stealing, including BrowserHistoryView, ProcDump, Nbtscan, and PsExec. Other tools were either developed fully by the attackers or customized for specific attack scenarios: custom HDoor (full-featured backdoor capabilities), JsonCookies (steals cookies from the SQLite databases of Chromium-based browsers), and ChromePass (steals saved passwords from Chromium-based browser databases).

“Cycldek is an example of an actor that has broader capability than publicly perceived. While most known descriptions of its activity give the impression of a marginal group with sub-par capabilities, the range of tools and timespan of operations show that the group has an extensive foothold inside the networks of high-profile targets in Southeast Asia,” Kaspersky concludes.

Related: Chinese Hackers Target Air-Gapped Military Networks

Related: Chinese Hackers Targeted International Aerospace Firms for Years

Related: China-linked Hackers Targeting Air-Gapped Systems: Report

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...