Keypoints
- Initial access is achieved by a malicious LNK on removable USB drives that launches a PowerShell script (explorer.ps1) when double-clicked.
- explorer.ps1 evolved from simple download logic to a multi-stage decoder: an obfuscated src.txt binary-to-text decoder and later AES-256-CBC + Base64 decryption of payloads hosted on services like Vimeo and Ars Technica.
- EMPTYSPACE (a.k.a. Runtime Broker) is a downloader with Node.js, .NET, and Python variants that fetch tasks from C2 servers and execute retrieved payloads; it verifies USB infection via a Hangul Filler directory artifact.
- QUIETBOARD is a modular Python backdoor whose coronausb module infects removable drives (creates hidden folder + deceptive LNK), while cboard hijacks clipboard contents to replace crypto addresses for theft.
- The campaign uses benign third-party hosting (GitHub, GitLab, Vimeo, Ars Technica) to store encoded payloads and shifts URLs/hosts as takedowns occur.
- Mandiant attributes the operations to UNC4990 targeting primarily Italian entities, with forensic IOCs including specific filenames, SHA-256 hashes, and multiple updater/C2 URLs.
MITRE Techniques
- [T1204] User Execution – UNC4990 tricks users into executing a malicious shortcut on USB drives (‘the infection began with the victim double-clicking a malicious LNK shortcut file on a removable USB device.’)
- [T1059.001] PowerShell – The LNK launches PowerShell to run explorer.ps1 with hidden execution parameters (‘powershell.exe -windowstyle hidden -NoProfile -nologo -ExecutionPolicy ByPass -File explorer.ps1’)
- [T1071] Application Layer Protocol – PowerShell and payloads perform HTTP(S) communications to third-party hosts and C2 endpoints (‘PowerShell connections to vimeo[.]com and arstechnica[.]com’)
- [T1036.005] Masquerading: Match Legitimate Name or Location – Malware uses deceptive file and icon naming (e.g., “Runtime Broker.exe”, which imitates the legitimate Windows process RuntimeBroker.exe but carries a space in the name, and drive-icon LNKs) to appear legitimate (‘Runtime Broker.exe binary file writes with whitespaces within the binary name or before the file extension’)
Indicators of Compromise
- [File Hash] explorer.ps1 samples – 6fb4945bb73ac3f447fb7af6bd2937395a067a6e…, 72f1ba6309c98cd52ffc99dd15c45698dfca2d6c… (and multiple other SHA-256s)
- [File Name/Path] Downloader and scripts – Runtime Broker.exe (e.g., %TEMP%\Runtime Broker.exe), explorer.ps1
- [URLs/Domains] C2 and updater endpoints – hxxps://bobsmith.apiworld[.]cf/license.php, hxxps://wjecpujpanmwm[.]tk/updater.php?from=USB1 (and multiple altervista/.tk/.io hosts)
- [Wallet Address] Cryptocurrency targets used for clipboard replacement – bc1qk55vk7wjgzg3pmxlh59rv5dlgewd9jem5nrt4w (Bitcoin), 0xeA1b0564456cdA8fE1D17306D7D5a59Ca1fC83E6 (Ethereum)
Infection begins when the victim opens a crafted LNK on a removable drive; the shortcut uses the Windows drive icon and runs PowerShell (powershell.exe -windowstyle hidden -NoProfile -nologo -ExecutionPolicy ByPass -File explorer.ps1). explorer.ps1 is an encoded PowerShell loader that was iteratively enhanced: early versions fetched an obfuscated text resource (src.txt) and applied a custom decoder (mapping tabs, spaces and newlines to binary digits, then converting binary substrings to characters) to reconstruct the next-stage URLs; later versions fetch a JSON blob from public sites (Vimeo, Ars Technica) in which an attacker-inserted delimiter encloses a Base64 payload, which the script decrypts with a hard-coded AES-256-CBC key. The script also checks for a directory named with the Hangul Filler character (U+3164) to confirm it is running from an infected removable drive, writes a per-infection UUID to from_machine_uuid.dat, and appends that UUID as a &user= parameter to the EMPTYSPACE updater URL before downloading.
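The two explorer.ps1 decoding stages, rebuilt as an analyst-side Python decoder. This is an added example, not code from the Mandiant post or from UNC4990: the whitespace-to-bit mapping (space = 0, tab = 1, newline between 8-bit groups), the delimiter string, the key and the IV-prepended ciphertext layout are assumptions made here so that the sample runs offline; the real loader's exact mapping and IV handling are not stated on the page. The AES step uses the `cryptography` package; stage 1 runs without it.

```python
import base64
import hashlib
import json
import re

try:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    HAVE_CRYPTO = True
except ImportError:  # without the cryptography package only stage 1 runs
    HAVE_CRYPTO = False

# ---- Stage 1: whitespace "src.txt" style decoder ----------------------------
# Assumed mapping: space -> '0', tab -> '1', newline separates 8-bit groups.
WS_MAP = {" ": "0", "\t": "1"}

def decode_whitespace_binary(blob: str) -> str:
    """Rebuild the hidden string from a tab/space-encoded buffer."""
    bits = "".join(WS_MAP[c] for c in blob if c in WS_MAP)   # newlines are ignored
    if len(bits) % 8:
        raise ValueError("bit stream is not byte aligned")
    raw = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    return raw.decode("utf-8")

def encode_whitespace_binary(text: str) -> str:
    """Inverse of the decoder; used only to build the constructed sample below."""
    return "\n".join("".join("\t" if b == "1" else " " for b in format(byte, "08b"))
                     for byte in text.encode("utf-8"))

SAMPLE_STAGE2_URL = "https://example.invalid/stage2.txt"   # constructed
SAMPLE_SRC_TXT = encode_whitespace_binary(SAMPLE_STAGE2_URL)

# ---- Stage 2: delimited Base64 + AES-256-CBC inside a public page -----------
DELIM = "##SPLIT##"   # constructed stand-in for the attacker's delimiter

def extract_delimited(page: str, delimiter: str) -> bytes:
    """Locate DELIM<base64>DELIM anywhere in fetched JSON/HTML and decode it."""
    pat = re.escape(delimiter) + r"([A-Za-z0-9+/=\s]+?)" + re.escape(delimiter)
    m = re.search(pat, page)
    if not m:
        raise ValueError("delimiter not found in page")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def aes256_cbc_decrypt(key: bytes, blob: bytes) -> bytes:
    """Assumes a 16-byte IV prepended to the ciphertext and PKCS#7 padding."""
    if not HAVE_CRYPTO:
        raise RuntimeError("stage 2 needs the cryptography package")
    if len(key) != 32 or len(blob) < 32 or len(blob) % 16:
        raise ValueError("need a 32-byte key and IV + whole ciphertext blocks")
    dec = Cipher(algorithms.AES(key), modes.CBC(blob[:16])).decryptor()
    pt = dec.update(blob[16:]) + dec.finalize()
    pad = pt[-1]
    if not 1 <= pad <= 16 or pt[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding")
    return pt[:-pad]

def aes256_cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """Only used to construct the sample page; returns IV || ciphertext."""
    pad = 16 - len(pt) % 16
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return iv + enc.update(pt + bytes([pad]) * pad) + enc.finalize()

SAMPLE_KEY = hashlib.sha256(b"constructed demo key, not the real one").digest()
SAMPLE_TASK = {"url": "https://example.invalid/Runtime%20Broker.exe", "path": "%TEMP%"}

def demo_stage2():
    """Build a fake 'video description' JSON blob, then recover the task from it.
    Returns None when the cryptography package is not installed."""
    if not HAVE_CRYPTO:
        return None
    blob = aes256_cbc_encrypt(SAMPLE_KEY, bytes(range(16)), json.dumps(SAMPLE_TASK).encode())
    page = json.dumps({"description": "notes " + DELIM + base64.b64encode(blob).decode() + DELIM + " end"})
    return json.loads(aes256_cbc_decrypt(SAMPLE_KEY, extract_delimited(page, DELIM)))

if __name__ == "__main__":
    print(decode_whitespace_binary(SAMPLE_SRC_TXT))
    print(demo_stage2())
```

When working a real sample, replace the assumed mapping, delimiter and key with the values recovered from the deobfuscated script; the delimiter search and padding check stay the same, and a padding error is the usual sign that the key or IV convention was guessed wrong.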
EMPTYSPACE (Runtime Broker) is the downloader/agent and exists in Node.js, .NET and Python forms. The Node.js “Runtime Broker.exe” (a nexe bundle) embeds the drivelist module to enumerate drives and locate the Hangul Filler path; it checks for administrative privileges (by running net session, which only succeeds in an elevated context), installs persistence under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Node_Run, and posts a Base64-encoded beacon (identified as CINSTALLER1) to C2 (e.g., bobsmith.apiworld[.]cf/license.php). The .NET variant builds a JSON status object, Base64-encodes it with an “AA” prefix and a “==” suffix, and polls C2 for task objects containing URLs, paths and commands, retrying downloads until they succeed. The Python bootstrap variant (bootstrap.pyc) checks connectivity (google.com/generate_204), cycles through multiple updater URLs, sends the same AA…== encoded format, Base64-decodes the response, deserializes it with marshal.loads and executes the resulting code object, which gives the operators flexible tasking.
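A Python model of what the .NET and Python EMPTYSPACE variants put on the wire, written from the analyst side so the same helpers decode captured beacons from proxy logs. This is an added example, not code from the Mandiant post or from the malware: the status field names, the log lines, the task response and the flaky-network stand-in are constructed here; only the AA…== envelope, the from=USB1/&user= parameters and the url/path/command task shape come from the page.

```python
import base64
import json
import re

def build_updater_url(base: str, machine_uuid: str) -> str:
    """Updater URL as described: from=USB1 already present, &user=<uuid> appended."""
    return base + "&user=" + machine_uuid

def encode_checkin(status: dict) -> str:
    """AA + Base64(JSON) + == envelope used by the .NET and Python variants."""
    body = json.dumps(status, separators=(",", ":")).encode()
    return "AA" + base64.b64encode(body).decode() + "=="

def decode_checkin(blob: str) -> dict:
    """Analyst side: strip the fixed envelope and recover the status object."""
    if len(blob) < 4 or not (blob.startswith("AA") and blob.endswith("==")):
        raise ValueError("not an AA...== envelope")
    return json.loads(base64.b64decode(blob[2:-2], validate=True))

# Base64 body, optional real padding, then the literal "==" of the envelope.
CHECKIN_RE = re.compile(r"\bAA[A-Za-z0-9+/]{8,}={0,2}==")

def find_checkins(lines):
    """Triage helper: pull decodable AA...== envelopes out of proxy/log bodies."""
    found = []
    for line in lines:
        for m in CHECKIN_RE.finditer(line):
            try:
                found.append(decode_checkin(m.group(0)))
            except (ValueError, json.JSONDecodeError):
                pass   # looks like the envelope but is not one of ours
    return found

REQUIRED_TASK_KEYS = ("url", "path", "command")

def parse_task(response_b64: str) -> dict:
    """Task objects carry a download URL, a drop path and a command. Missing keys
    become empty strings so callers can test task["command"] without KeyError."""
    task = json.loads(base64.b64decode(response_b64))
    if not isinstance(task, dict):
        raise ValueError("task is not a JSON object")
    for k in REQUIRED_TASK_KEYS:
        task.setdefault(k, "")
    return task

def fetch_with_retry(fetch, url: str, max_attempts: int) -> bytes:
    """The agent retries a download until it succeeds; this model caps the
    attempts so it terminates. `fetch` is an injected callable (no real network)."""
    last = None
    for _ in range(max_attempts):
        try:
            return fetch(url)
        except ConnectionError as exc:
            last = exc
    raise RuntimeError(f"gave up on {url}") from last

def make_flaky_fetcher(failures: int):
    """Constructed stand-in for the network: fails `failures` times, then works."""
    state = {"left": failures}
    def fetch(url):
        if state["left"] > 0:
            state["left"] -= 1
            raise ConnectionError("simulated outage")
        return b"MZ...stage payload for " + url.encode()
    return fetch

# Constructed samples (field names assumed; the real status object is not on the page).
SAMPLE_STATUS = {"id": "CINSTALLER1", "host": "WS01", "admin": False}
SAMPLE_LOG = [
    "POST /license.php body=" + encode_checkin(SAMPLE_STATUS),
    "GET /favicon.ico 404",
]
SAMPLE_TASK_RESPONSE = base64.b64encode(
    b'{"url":"https://example.invalid/a","path":"%TEMP%"}').decode()

if __name__ == "__main__":
    print(find_checkins(SAMPLE_LOG))
    print(parse_task(SAMPLE_TASK_RESPONSE))
    print(fetch_with_retry(make_flaky_fetcher(2), "https://example.invalid/a", 5))
```

The CHECKIN_RE pattern is deliberately loose (any Base64 run wrapped in AA and ==), so find_checkins keeps only matches that decode to JSON; that combination is cheap enough to run over proxy bodies and precise enough to avoid flagging ordinary Base64.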
QUIETBOARD is a multi-component Python backdoor framework with modular capabilities. The start module orchestrates the components; coronausb infects removable media by creating a hidden folder named with the Hangul Filler character, moving the user's files into it, and dropping a deceptive LNK that launches explorer.ps1, so the drive carries the infection onward; cboard continuously monitors the clipboard and replaces any cryptocurrency address it finds with an attacker-controlled wallet; info/runservice/connection/executer provide host profiling (WMI queries, Wi-Fi SSIDs, geolocation lookup), AES-CBC encryption of the collected JSON (runservice key: 4lZYQ/POapYTZka0gVM/rg==, which Base64-decodes to a 16-byte key), and a fetch-and-execute loop for remote Python modules or arbitrary code. Together these components provide persistence, remote tasking, data theft (including clipboard-based crypto theft) and optional secondary payloads (e.g., a coinminer): a modular, evolving toolset built around USB-driven initial access.
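Two analyst-side checks for the coronausb and cboard behaviours described above, as an added Python example that is not code from the Mandiant post or from QUIETBOARD. The removable-drive layout is constructed in a temporary directory (where explorer.ps1 sits on the drive, and the LNK file contents, are assumptions; the file is not a real shortcut, it only carries the LNK header magic and the UTF-16LE argument string as a real one would), the clipboard strings are constructed, and the attacker wallets are the two addresses from the IOC section.

```python
import re
import tempfile
from pathlib import Path

HANGUL_FILLER = "\u3164"         # "invisible" directory name used by coronausb
FILE_ATTRIBUTE_HIDDEN = 0x2      # st_file_attributes bit, Windows only
LOADER_MARKERS = [m.encode() for m in ("explorer.ps1", "powershell")] + \
                 [m.encode("utf-16-le") for m in ("explorer.ps1", "powershell")]

def scan_removable_root(root: Path) -> dict:
    """Triage a removable-drive root for the coronausb layout: a U+3164-named
    folder, root-level LNK files whose embedded strings reference powershell or
    explorer.ps1 (LNK stores them as UTF-16LE, so both encodings are checked),
    and any explorer.ps1 anywhere on the volume."""
    out = {"filler_dir": None, "filler_hidden": None, "suspect_lnk": [], "loader_script": []}
    for entry in sorted(root.iterdir()):
        if entry.is_dir() and entry.name == HANGUL_FILLER:
            out["filler_dir"] = entry.name
            attrs = getattr(entry.stat(), "st_file_attributes", None)
            out["filler_hidden"] = None if attrs is None else bool(attrs & FILE_ATTRIBUTE_HIDDEN)
        elif entry.is_file() and entry.suffix.lower() == ".lnk":
            data = entry.read_bytes().lower()   # bytes.lower() only touches ASCII, UTF-16LE survives
            if any(m.lower() in data for m in LOADER_MARKERS):
                out["suspect_lnk"].append(entry.name)
    out["loader_script"] = sorted(p.relative_to(root).as_posix() for p in root.rglob("explorer.ps1"))
    return out

LNK_ARGS = ("powershell.exe -windowstyle hidden -NoProfile -nologo "
            "-ExecutionPolicy ByPass -File explorer.ps1")

def build_sample_drive() -> Path:
    """Constructed stand-in for an infected USB root (assumed layout)."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    hidden = root / HANGUL_FILLER
    hidden.mkdir()
    (hidden / "explorer.ps1").write_text("# loader stand-in\n")
    (hidden / "holiday photos.docx").write_bytes(b"user data moved out of sight")
    (root / "USB Drive.lnk").write_bytes(b"L\x00\x00\x00" + LNK_ARGS.encode("utf-16-le"))
    return root

# cboard-style address matching. Permissive on purpose: it is a detector, not a validator.
BTC_RE = re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
ATTACKER_BTC = "bc1qk55vk7wjgzg3pmxlh59rv5dlgewd9jem5nrt4w"   # from the IOC list above
ATTACKER_ETH = "0xeA1b0564456cdA8fE1D17306D7D5a59Ca1fC83E6"   # from the IOC list above

def cboard_rewrite(clip: str) -> str:
    """Model of the hijack: every address in the clipboard becomes the attacker's."""
    return ETH_RE.sub(ATTACKER_ETH, BTC_RE.sub(ATTACKER_BTC, clip))

def addresses(text: str) -> set:
    return set(BTC_RE.findall(text)) | set(ETH_RE.findall(text))

def clipboard_swap_report(copied: str, pasted: str) -> dict:
    """Detector side: compare what the user copied with what the clipboard holds
    now. A new address means something rewrote the clipboard; one from the IOC
    list makes it attributable."""
    injected = addresses(pasted) - addresses(copied)
    return {"swapped": bool(injected), "injected": sorted(injected),
            "known_ioc": bool(injected & {ATTACKER_BTC, ATTACKER_ETH})}

USER_CLIP = ("pay 1BoatSLRHtKNngkdXEeobR76b53LETtpyT or "
             "0x1234567890abcdef1234567890abcdef12345678")   # constructed

if __name__ == "__main__":
    print(scan_removable_root(build_sample_drive()))
    print(clipboard_swap_report(USER_CLIP, cboard_rewrite(USER_CLIP)))
```

On a live Windows host the same comparison can be driven from a clipboard watcher (copy, read back, compare), and the drive scan is worth running against every removable volume mounted on a machine that talked to the updater or C2 hosts listed above; the hidden attribute on the U+3164 folder only shows up when scanning on Windows.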
Read more: https://www.mandiant.com/resources/blog/unc4990-evolution-usb-malware