New TetrisPhantom hackers steal data from secure USB drives on govt systems

October 25, 2023

A new sophisticated threat tracked as ‘TetrisPhantom’ has been using compromised secure USB drives to target government systems in the Asia-Pacific region.



Secure USB drives store files in an encrypted part of the device and are used to safely transfer data between systems, including those in an air-gapped environment.


Access to the protected partition is possible through custom software that decrypts the contents based on a user-provided password. One such program is UTetris.exe, which is bundled on an unencrypted part of the USB drive.


Security researchers discovered trojanized versions of the UTetris application deployed on secure USB devices in an attack campaign that has been running for at least a few years and targeting governments in the APAC region.
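The practical check that follows from this is to never trust the unlock tool that ships on the drive's unencrypted partition: hash it (and everything beside it) against a baseline taken from a known-good drive before it is run on a sensitive or air-gapped machine. The script below is an added example written for this article, not code from Kaspersky, BleepingComputer or the drive vendor. Only the file name UTetris.exe and the idea of an unencrypted partition carrying the unlock tool come from the article; the mount directories, the other file names and every byte of file content are constructed for the demonstration, and the "trojanized" copy is just a file with different bytes.

```python
"""Baseline-and-verify check for the unencrypted partition of a secure USB drive.

Added example for this article; not code from Kaspersky or the drive vendor.
Everything except the name UTetris.exe is constructed: the two mount
directories stand in for a known-good drive and a suspect drive, and the
file contents are placeholder bytes, not real executables.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

# A new or changed file of one of these types on the unencrypted partition
# is exactly the signal the article describes (a replaced UTetris.exe
# acting as a loader), so these are treated as blocking findings.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".com", ".scr"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large images do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline(mount: Path) -> dict[str, str]:
    """Hash every file under the mount point, keyed by forward-slash relative path."""
    return {
        str(p.relative_to(mount)).replace(os.sep, "/"): sha256_of(p)
        for p in sorted(mount.rglob("*"))
        if p.is_file()
    }


def verify(mount: Path, known_good: dict[str, str]) -> dict[str, list[str]]:
    """Compare a drive against a stored baseline and report added/modified/missing files."""
    current = baseline(mount)
    findings: dict[str, list[str]] = {"modified": [], "added": [], "missing": []}
    for rel, digest in current.items():
        if rel not in known_good:
            findings["added"].append(rel)
        elif known_good[rel] != digest:
            findings["modified"].append(rel)
    findings["missing"] = [rel for rel in known_good if rel not in current]
    return findings


def is_clean(findings: dict[str, list[str]]) -> bool:
    """Block use if any executable-type file changed or appeared, or anything vanished.

    A stray document is still reported in the findings but does not by
    itself fail the check.
    """
    risky = [
        rel
        for key in ("modified", "added")
        for rel in findings[key]
        if Path(rel).suffix.lower() in EXECUTABLE_SUFFIXES
    ]
    return not risky and not findings["missing"]


def demo() -> dict[str, object]:
    """Run the check on two constructed drives: one pristine, one with a swapped UTetris.exe."""
    with tempfile.TemporaryDirectory() as tmp:
        good, suspect = Path(tmp, "good_drive"), Path(tmp, "suspect_drive")
        for root in (good, suspect):
            root.mkdir()
            (root / "README.txt").write_text("Secure drive unlock tool\n")  # constructed
        # Constructed placeholder bytes; a real baseline would hash the vendor binary.
        (good / "UTetris.exe").write_bytes(b"MZ" + b"\x00" * 62 + b"vendor-unlock-tool")
        # Same name on the suspect drive, different bytes: a trojanized copy.
        (suspect / "UTetris.exe").write_bytes(b"MZ" + b"\x00" * 62 + b"replaced-loader!!")
        # An extra module that was never on the baseline drive.
        (suspect / "helper.dll").write_bytes(b"MZ" + b"\x00" * 62 + b"dropped-module")

        known_good = baseline(good)
        bad_findings = verify(suspect, known_good)
        return {
            "suspect_findings": bad_findings,
            "suspect_clean": is_clean(bad_findings),
            "good_clean": is_clean(verify(good, known_good)),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The baseline must be produced from a drive imaged at procurement and kept off the drive itself; a manifest stored on the unencrypted partition can be rewritten by the same code that replaces UTetris.exe. A legitimate vendor update of the unlock tool will also trip the check, which is the intended behaviour: re-baseline from a verified copy rather than whitelisting by name. On Windows this complements, rather than replaces, checking the binary's Authenticode signature (for example with PowerShell's Get-AuthenticodeSignature), since a hash match against a trusted baseline catches a swapped file even when the attacker has a signature the signature check would accept.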


According to Kaspersky's latest report on APT trends, TetrisPhantom uses various tools, commands, and malware components that indicate a sophisticated and well-resourced threat group.


“The attack comprises sophisticated tools and techniques, including virtualization-based software obfuscation for malware components, low-level communication with the USB drive using direct SCSI commands, self-replication through connected secure USB drives to propagate to other air-gapped systems and injection of code into a legitimate access management program on the USB drive which acts as a loader for the malware on a new machine.” - Kaspersky


Attack details


Kaspersky shared additional details with BleepingComputer, explaining that the attack with the trojanized UTetris app starts by executing a payload called AcroShell on the target machine.


AcroShell establishes communication with the attacker's command and control (C2) server and can fetch and run additional payloads to steal documents and sensitive files, and to collect specific details about the USB drives used by the target.


The threat actors also use the information gathered this way for research and development of another malware called XMKR and the trojanized UTetris.exe.


"The XMKR module is deployed on a Windows machine and is responsible for compromising secure USB drives connected to the system to spread the attack to potentially air-gapped systems" - Kaspersky


XMKR's capabilities on the infected machine also include stealing files for espionage purposes; the collected data is written onto the connected secure USB drives.


The information staged on the compromised USB drive is then exfiltrated to the attacker's server when the storage device is plugged into an internet-connected computer infected with AcroShell.


Kaspersky retrieved and analyzed two malicious UTetris executable variants, one used between September and October 2022 (version 1.0) and another deployed in government networks from October 2022 until now (version 2.0).


Kaspersky says these attacks have been ongoing for at least a few years now, with espionage being TetrisPhantom's constant focus. The researchers observed a small number of infections on government networks, indicating a targeted operation.



Source: bleepingcomputer.com

