Mandiant research uncovers new malware tactics targeting USB drives

Mandiant has published new research on a China-based threat group using three new malware families to target the Philippines and greater Southeast Asia region, which have been a focus for Chinese espionage for many years.

See the full report here: https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia

Mandiant discovered an espionage campaign by a China-based threat group dating back to April 2022. This group, which Mandiant tracks as UNC4191, uses three malware families that self-propagate by infecting any new removable USB drive plugged into a compromised system. This allows the malware to spread to additional systems and potentially collect data from air-gapped systems (i.e. systems not connected to the internet).

Mandiant’s experts believe UNC4191 operates “to gain and maintain access to public and private entities for the purposes of intelligence collection related to China’s political and commercial interests.”

Specifically, Mandiant’s observations suggest that entities in the Philippines are the main target of this operation, based on the number of affected systems Mandiant identified in that country.

For example, even when targeted organisations were based elsewhere, Mandiant highlights that the specific systems UNC4191 compromised were still physically located in the Philippines.

According to Mandiant’s researchers, “China’s regional geopolitical and economic objectives and maritime territorial sovereignty are likely drivers for activity against this region.”