In the Asia-Pacific (APAC) region, a newly discovered malware has compromised “secure” USB drives, enabling theft of information from government endpoints. Called TetrisPhantom, the malware is believed to have operated covertly for several years.

USB drives may seem old-school, but government organizations still frequently use these removable drives to store and transfer data securely. In theory, this type of attack could affect government entities nearly anywhere in the world.

How it works

Secure USB drives have an encrypted partition whose files can only be accessed with a password and through specialized software. This allows for the safe transfer of data between systems, including on air-gapped endpoints.

TetrisPhantom relies on sophisticated techniques and procedures, including virtualization-based software obfuscation of malware components, low-level communication with the USB drive using direct SCSI commands, and self-replication through connected secure USB drives.

As a result, the malware can propagate to air-gapped systems and inject code into a legitimate access management program on a USB drive, which functions as a loader for the malware on a new machine.
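Because the malware works by altering the legitimate access-management program stored on the drive, the defensive check a practitioner would want is an integrity baseline of that software taken when the drive is issued, re-verified before the program is run. The following is an added example, not code from the article or from any drive vendor; the file names, the set of "executable" suffixes and the simulated drive contents are all constructed for illustration.

```python
"""Baseline-and-verify integrity check for software shipped on a secure USB drive.

Added example (hypothetical). The idea: record SHA-256 hashes of the executables on
the drive's unencrypted software partition when the drive is issued, keep that
baseline off the drive, and re-verify the drive before the access program is used.
A modified loader binary or a newly dropped executable is then reported.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Suffixes treated as executable content worth baselining (assumed set).
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".bin"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Hash every executable-looking file under root; keys are drive-relative POSIX paths."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            baseline[path.relative_to(root).as_posix()] = sha256_of(path)
    return baseline


def save_baseline(baseline: dict, store: Path) -> None:
    """Persist the baseline as JSON, on a management host rather than on the drive itself."""
    store.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(store: Path) -> dict:
    return json.loads(store.read_text())


def verify(root: Path, baseline: dict) -> dict:
    """Compare the drive's current executables with the stored baseline.

    Returns the lists of modified, added and missing files plus a 'clean' flag.
    Any non-empty list means the drive should not be trusted until investigated.
    """
    current = build_baseline(root)
    modified = sorted(k for k in baseline if k in current and current[k] != baseline[k])
    added = sorted(k for k in current if k not in baseline)
    missing = sorted(k for k in baseline if k not in current)
    return {
        "modified": modified,
        "added": added,
        "missing": missing,
        "clean": not (modified or added or missing),
    }


def demo() -> dict:
    """Constructed scenario: a drive is issued clean, later its loader is altered and a DLL dropped."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = Path(tmp)
        store = drive.parent / "baseline.json" if False else Path(tmp) / ".." / "unused"
        # Simulated software partition at issue time (constructed contents).
        (drive / "AccessManager.exe").write_bytes(b"legitimate access manager v1")
        (drive / "README.txt").write_text("user guide")  # not an executable, not baselined
        baseline = build_baseline(drive)
        # Round-trip through JSON exactly as a management host would store it.
        baseline = json.loads(json.dumps(baseline))
        # Simulated tampering: loader patched in place, extra executable appears.
        (drive / "AccessManager.exe").write_bytes(b"legitimate access manager v1" + b"\x90patch")
        (drive / "helper.dll").write_bytes(b"unexpected library")
        return verify(drive, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline must live somewhere the drive cannot reach (a management host, not the drive's own partition), otherwise code that rewrites the loader could rewrite the baseline too. Run the check on a dedicated scanning station before the drive is carried to an air-gapped machine, and treat any "modified" or "added" entry as an incident rather than a warning.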

Additional payloads

TetrisPhantom can deploy additional payloads. Some of these have information-stealing and file-theft capabilities.

And once systems have been breached, threat actors can introduce other malicious files into the compromised environment.

Campaign goals

The goals of the campaign appear centered around extracting sensitive data from APAC region governments. Attacks targeting government agencies have spiked in recent years, with the greatest uptick across the past three years, according to cyber security research.

At present, it is unclear which governments may have been affected by this threat or whether nation-state actors were behind the attack.

Nation-state actors often seek intelligence on their adversaries' political maneuvers, spheres of influence, and short-, mid- and long-term goals.

TetrisPhantom is believed to have been created by highly skilled and uniquely capable threat actors.

APT threats

This disclosure around theft of government data in the APAC region unfolds against the backdrop of another attempt to target government entities…

An advanced persistent threat (APT) actor has been linked to a variety of attacks targeting government organizations, military contractors, universities and hospitals in Russia via spear phishing emails.

In these attacks, the threat actor uses a multi-stage infection scheme that ultimately allows file exfiltration and arbitrary command execution to gain control of the system.

Preventing attacks

To prevent targeted attacks like TetrisPhantom (and similar), pursue a proactive cyber security approach.

  • Maintain up-to-date software
  • Provide relevant education and encourage employee awareness
  • Ensure that your organization has real-time threat intelligence
  • Upskill your teams so that they operate at a more elite level
  • Leverage endpoint detection and response solutions

Increase your cyber security preparedness and resilience. For more insights into the latest threats, please see CyberTalk.org’s past coverage. Lastly, to receive timely cyber security insights and cutting-edge analyses, please sign up for the cybertalk.org newsletter.