Check Point researchers traced Camaro Dragon, a Chinese-based espionage actor, deploying self-propagating USB malware (WispRider/HopperTick) that could spread globally from Southeast Asia, with DLL side-loading and antivirus evasion. The operation combines USB infection, DLL side-loading against legitimate software, and C2 communications to maintain persistence and exfiltrate data; a revised toolset shows modular consolidation and additional evasion techniques. Hashtags: #CamaroDragon #MustangPanda #LuminousMoth #WispRider #HopperTick #TinyNote #HorseShell #GDATA #ElectronicArts #RiotGames #SmadAV
Keypoints
- Camaro Dragon is a Chinese-based APT with overlaps to Mustang Panda and LuminousMoth, targeting Southeast Asia and related entities.
- The infection vector is infected USB drives that self-propagate, enabling infections to spread beyond the actors’ primary targets.
- WispRider is the main payload, with HopperTick as the USB launcher and evasion modules (e.g., SmadAV bypass and DLL side-loading) to evade defenses.
- The campaign includes DLL side-loading using legitimate software components from vendors like GDATA, Electronic Arts, and Riot Games.
- Updated toolsets consolidate USB infector, evasion module, and backdoor into a single payload, and have been observed worldwide (Myanmar to Russia).
- C2 communications are handled over raw sockets with XOR encryption, including domain-based IP resolution and limited backdoor commands.
MITRE Techniques
- [T1091] Replication Through Removable Media – Self-propagation via infected USB drives spreading to other networks. [‘The malware… propagate through USB using the HopperTick launcher.’]
- [T1574.002] DLL Side-loading – Side-loading of malicious DLLs by legitimate executables (e.g., Symantec, G-DATA Total Security, RiotClientUx.exe, EACoreServer.exe). [‘…side-loads the malicious LDVPOCX.OCX…’]
- [T1562.001] Impair Defenses: Disable Security Tools – Bypasses SmadAV antivirus in Southeast Asia. [‘Bypass for SmadAV, an anti-virus solution popular in Southeast Asia.’]
- [T1053.005] Scheduled Task – Persistence via scheduled task pointing to a legitimate executable with arguments. [‘…added scheduled task pointing to the executable with the relevant argument.’]
- [T1547.001] Boot or Logon Autostart: Registry Run Keys – Persistence via Run registry key for the backdoor/executable. [‘…Run key…’]
- [T1204.002] User Execution: Malicious File – Social engineering: user opens the USB launcher to reveal and execute payload. [‘The scheme fully relies on social engineering; the victims can no longer see their files on the drive and are left only with the executable…’]
- [T1112] Modify Registry – Evasion module alters registry keys related to file visibility. [‘…changing the registry keys under SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced…’]
- [T1497] Virtualization/Sandbox Evasion – Anti-analysis techniques such as recursive process creation to thwart sandboxing. [‘The malware uses a recursive process tree before continuing…’]
- [T1027] Obfuscated/Compressed Files and Information – XOR encryption of config data and shellcode; config is decrypted and re-encrypted. [‘decrypts the shellcode embedded inside, generates a random key, encrypts the shellcode…’]
- [T1071.004] Non-Web Protocol – C2 communications over raw sockets with XOR-encrypted traffic and domain-based IP resolution. [‘Communication with the C&C server occurs through raw sockets…encrypted using XOR…’]
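As an added defender-side example (not code from the Check Point report), the two file-visibility tricks listed above, tampering with the Explorer\Advanced registry values and leaving one visible executable on a USB root whose real files are hidden, expressed as detection heuristics; the value names Hidden, ShowSuperHidden and HideFileExt are real Explorer settings, while the drive listing and registry snapshot are constructed inputs.

```python
from dataclasses import dataclass
from typing import Dict, List

# Explorer/Advanced values that decide what a user sees in File Explorer, each
# paired with the state an attacker wants so dropped files stay unseen:
#   Hidden          1 = show hidden files, 2 = hide them
#   ShowSuperHidden 1 = show protected OS files, 0 = hide them
#   HideFileExt     1 = hide extensions, so "USB Drive.exe" displays as "USB Drive"
SUSPICIOUS_ADVANCED = {"Hidden": 2, "ShowSuperHidden": 0, "HideFileExt": 1}

# Hidden system folders that legitimately exist on a Windows-formatted drive and
# must not count as "user files the malware hid".
NORMAL_HIDDEN = {"system volume information", "$recycle.bin"}


def explorer_visibility_findings(advanced: Dict[str, int]) -> List[str]:
    """Return the names of Explorer/Advanced values set to the attacker-preferred state.

    `advanced` is a snapshot of HKCU Software/Microsoft/Windows/CurrentVersion/
    Explorer/Advanced as {value name: DWORD}; here it is a constructed dict.
    """
    return [name for name, bad in SUSPICIOUS_ADVANCED.items() if advanced.get(name) == bad]


@dataclass
class Entry:
    """One item in a drive root listing (constructed stand-in for os.scandir)."""
    name: str
    is_dir: bool
    hidden: bool  # FILE_ATTRIBUTE_HIDDEN and/or FILE_ATTRIBUTE_SYSTEM set


def looks_like_usb_lure(root: List[Entry]) -> bool:
    """Flag the social-engineering layout described in the report: every user item
    on the drive is hidden and the only visible item left is an executable."""
    visible = [e for e in root if not e.hidden]
    hidden_user_items = [e for e in root if e.hidden and e.name.lower() not in NORMAL_HIDDEN]
    if len(visible) != 1 or not hidden_user_items:
        return False
    lure = visible[0]
    return not lure.is_dir and lure.name.lower().endswith(".exe")
```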
Indicators of Compromise
- [File Hash] – EACore.dll – aeacc2d47a88eb68d503f9e30b189641572eb35423df931845f90a4c447ed1be, libcef.dll – fc598a686a5a77436684cbd0f72f39033cb70a41d4dbcf5dbab47a7c2522fdda, avkkid.dll – 68eb5590d8ad952215cf54741b0ed6204c19bba4dcb8d704883e007f16de5028, and 2 more hashes
- [File Name] – RiotClient.dat, LDVPOCX.OCX
- [File Path] – C:\ProgramData\Symantec\SEndponitData, C:\ProgramData\Vivaldi\Application
- [Domain] – www.beautyporntube.com (used for C2 resolution in the C2 setup).
- [IP Address] – 127.0.0.1 (local IP replaced via domain lookup during C2 setup).