Security experts have identified a sophisticated cyber threat named ‘TetrisPhantom’ exploiting compromised secure USB drives to infiltrate government systems in the Asia-Pacific (APAC) region.
Secure USB drives, used for safe data transfer even in isolated environments, encrypt files in a specific section. Users decrypt these files via specialized software and a password. The software UTetris.exe, found on the unencrypted section of the USB, serves this purpose.
However, researchers have unearthed malicious versions of UTetris on secure USBs. This cyber campaign, targeting APAC governments, has been active for several years.
Kaspersky’s latest APT trend report reveals that TetrisPhantom employs a suite of tools and malware, signifying the involvement of a highly capable threat group.
Kaspersky provided further insights detailing that the compromised UTetris application initiates an attack by launching a payload named AcroShell. This payload connects to the attacker’s command server, enabling the retrieval and execution of additional payloads. This mechanism can then pilfer documents, sensitive files, and gather data on the target’s USB usage.
This data aids in refining another malware, XMKR, as well as the tainted UTetris.exe. XMKR’s role involves expropriating files for spying purposes and saving the data on USBs. When these compromised USBs connect to a device with internet access infected by AcroShell, the data transfers to the attacker’s server.
Kaspersky investigated two malicious UTetris versions: one from September to October 2022 and another active in government networks from October 2022 onwards.
Kaspersky emphasizes that these espionage-focused attacks by TetrisPhantom have persisted for years. The limited number of infections on government networks suggests a precision-targeted campaign.