TetrisPhantom, a new threat that targets government USB drives

November 20, 2023
TetrisPhantom Cyber threat US Government USB Drives Malware

TetrisPhantom, a new and sophisticated threat, recently surfaced after samples were found targeting the secure USB drives used within government systems in the Asia-Pacific region.

Based on reports, the targeted entities routinely use these secure USB drives to transfer data between systems, including air-gapped environments, because the drives store files in an encrypted partition of the device.

The protected partition is unlocked by the drive's own software, an application named UTetris.exe that is stored on the unencrypted partition of the drive and decrypts the contents with a password supplied by the user. The attackers replaced this application with a trojanized copy, so anyone unlocking the drive ran the malicious version instead.
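The weak point in that design is the launcher on the unencrypted partition: nothing on the drive itself prevents it from being swapped for a trojanized copy. One practical control is to record a hash baseline of the unencrypted partition when a drive is provisioned and re-check it before the drive is unlocked. The script below is an added example written for this page, not code from the article, from the drive vendor, or from the TetrisPhantom researchers; the launcher name UTetris.exe, the baseline format (relative path to hex SHA-256) and all sample file contents are assumptions constructed for the demonstration.

```python
"""
Integrity audit for the unencrypted partition of a "secure" USB drive.

Added example, not from the article or any vendor. It compares every file on
the partition with a baseline of SHA-256 hashes captured at provisioning and
flags modified or missing baseline files and any executable that the baseline
does not know about (a trojanized UTetris.exe, a dropped DLL, an "MZ" file
hiding behind a harmless extension).
"""
from __future__ import annotations

import hashlib
import sys
from pathlib import Path

# File types that should never appear on the partition without being baselined.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".com",
                       ".bat", ".cmd", ".ps1", ".vbs", ".js"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_partition(root: Path) -> dict[str, bytes]:
    """Read every regular file under a mounted partition (real-world use)."""
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}


def audit_partition(files: dict[str, bytes], baseline: dict[str, str]) -> list[tuple[str, str]]:
    """Return (verdict, path) findings; an empty list means the partition matches the baseline.

    Paths are compared case-insensitively because the drive is a FAT/NTFS volume on Windows.
    """
    norm_files = {path.lower(): (path, data) for path, data in files.items()}
    norm_baseline = {path.lower(): digest for path, digest in baseline.items()}
    findings: list[tuple[str, str]] = []

    # 1. Every baselined file must be present and unchanged.
    for path, expected in baseline.items():
        entry = norm_files.get(path.lower())
        if entry is None:
            findings.append(("MISSING", path))
        elif sha256_hex(entry[1]) != expected:
            findings.append(("MODIFIED", entry[0]))

    # 2. Anything executable that is not in the baseline is suspicious. Check the
    #    extension and the PE magic, so a renamed binary is still caught.
    for key, (path, data) in norm_files.items():
        if key in norm_baseline:
            continue
        if Path(path).suffix.lower() in EXECUTABLE_SUFFIXES or data[:2] == b"MZ":
            findings.append(("UNEXPECTED_EXECUTABLE", path))
    return findings


# --- Constructed sample data (assumptions, not real binaries or real hashes) ---
GOOD_LAUNCHER = b"MZ" + b"\x90" * 62 + b"constructed benign UTetris launcher"
TROJANIZED_LAUNCHER = b"MZ" + b"\x90" * 62 + b"constructed trojanized UTetris launcher"
README = b"Secure drive. Run UTetris.exe to unlock the protected partition.\r\n"

# Baseline as it would be recorded at provisioning time.
BASELINE = {"UTetris.exe": sha256_hex(GOOD_LAUNCHER), "README.txt": sha256_hex(README)}


def sample_clean_partition() -> dict[str, bytes]:
    return {"UTetris.exe": GOOD_LAUNCHER, "README.txt": README}


def sample_compromised_partition() -> dict[str, bytes]:
    """Launcher swapped for a trojanized copy plus an extra PE file with a bland name."""
    return {"utetris.exe": TROJANIZED_LAUNCHER, "README.txt": README,
            "cache.dat": b"MZ" + b"\x00" * 30 + b"constructed dropped payload"}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: python audit_usb.py E:\  (with BASELINE replaced by the stored one)
        results = audit_partition(load_partition(Path(sys.argv[1])), BASELINE)
    else:
        results = audit_partition(sample_compromised_partition(), BASELINE)
    for verdict, path in results:
        print(f"{verdict:22} {path}")
    sys.exit(1 if results else 0)
```

Run it against a mounted drive letter before unlocking; a non-zero exit means the drive should be quarantined rather than used. Storing the baseline on the drive itself would defeat the purpose, so it belongs on the endpoint or in a central inventory keyed by drive serial number.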

The TetrisPhantom operators deployed compromised versions of the UTetris app.

The TetrisPhantom campaign used compromised versions of the UTetris application on secure USB devices as part of a multi-year attack campaign aimed at governments in the APAC region.

The campaign operators also employed a range of tools, commands, and malware components, which points to a highly capable and well-funded operation.

The infection chain starts with the execution of a payload called AcroShell on the target machine. AcroShell then establishes a communication channel to the attackers' C2 server to retrieve and run additional payloads. The operators use these payloads to steal documents and other sensitive files and to collect information about the USB drives attached to the target.

The information gathered about the USB drives serves several purposes, among them the development of two further components: another malware called XMKR and the trojanized UTetris.exe. XMKR steals files from the machines it infects for espionage purposes and copies them onto the compromised USB drives, where they are staged for exfiltration.

Finally, when one of these USB drives is connected to an internet-connected computer infected with AcroShell, the staged data is exfiltrated to the attackers' server. This step completes the attack cycle and delivers the harvested information to the attackers.

The latest research uncovered two malicious UTetris executable variants. The first appeared in September 2022; the second has been operating in government networks since October 2022 and remains active.

The attacks have been under way for at least several years and focus on espionage. The targeting is limited to government networks, which indicates a highly targeted operation. Government organisations, especially in the Asia-Pacific region, should watch for this campaign, as the threat actors are likely to continue their cyber-espionage operations.
