New USB-C Espionage Tool Steals Data from Air-Gapped Computers

New Malware Threat Targets Air-Gapped Systems in Southeast Asia

Recent research from Kaspersky has unveiled that a sophisticated Chinese threat actor, identified as Cycldek, has enhanced its capabilities to attack air-gapped systems with the intent of exfiltrating sensitive information for espionage purposes. Cycldek, also known as Goblin Panda or Conimes, employs a diverse toolkit to facilitate lateral movement and data theft within compromised networks, focusing on government sectors in Vietnam, Thailand, and Laos.

One notable tool introduced in these attacks is called USBCulprit. This malware relies on USB drives to carry victim data out of the network, which indicates that Cycldek is deliberately targeting isolated networks and accepts that retrieving the data requires physical access to the removable media. This tactic raises serious concerns about the security of air-gapped systems, which are typically considered safe from standard network-based attacks.

First detected by CrowdStrike in 2013, Cycldek has a history of targeting critical sectors, particularly in Southeast Asia. The group often uses decoy documents that exploit known vulnerabilities in Microsoft Office applications, such as CVE-2012-0158, CVE-2017-11882, and CVE-2018-0802, to deploy a malware variant known as NewCore RAT. This long-standing focus on sectors like defense and energy highlights the persistent threat Cycldek poses to national security in the region.

Kaspersky’s findings also reveal distinct variants of NewCore, named BlueCore and RedCore, which are linked to differing geographic focuses. The BlueCore variant primarily targets Vietnamese institutions, while RedCore has recently shifted its focus toward Laos. Both variants share similarities in code and structure but contain unique features, such as a keylogger embedded in RedCore, which captures information about users connected via Remote Desktop Protocol (RDP).

The researchers explain that USBCulprit is particularly effective in identifying specific document types—PDFs, Word documents, and relevant spreadsheets—to export to connected USB drives. Moreover, this malware can replicate itself on removable drives, enabling it to infect other air-gapped systems whenever an infected drive is inserted into another machine. Kaspersky has traced the initial binary of USBCulprit back to 2014, with recent samples surfacing late last year, indicating the actor’s long-term presence.

Another critical tactic employed by Cycldek is DLL search order hijacking, utilizing malicious binaries that mimic legitimate antivirus components to execute USBCulprit. This initial infection mechanism allows Cycldek to collect data, encrypt it into a RAR archive, and transfer it to removable media. The use of such methods underscores the attackers’ focus on clandestine data retrieval without initiating network communications, a hallmark of operations aimed at air-gapped environments.
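The two behaviours described above, a DLL planted beside a legitimate-looking executable so that it is loaded ahead of the system copy, and documents or a RAR archive written to removable media, both leave traces in endpoint telemetry. The script below is an added example, not Kaspersky's code or anything from the report; it runs a simple triage over constructed Sysmon-style records (Event ID 7 image loads and Event ID 11 file creations, using the real field names Image, ImageLoaded and TargetFilename). The removable drive letters, the antivirus vendor path, the list of commonly hijacked system DLLs and the bulk-copy threshold are all assumptions chosen for the example.

```python
"""Triage constructed Sysmon-style events for two patterns from the article:
DLL search-order hijacking and staging of documents / RAR archives on removable media.
Added example; event records below are constructed, not real telemetry."""
import ntpath
from collections import defaultdict

# Assumption: drive letters this environment assigns to removable media.
REMOVABLE_DRIVES = {"e:", "f:"}
# Assumption: system DLLs that are frequently shadowed by a same-named file
# placed next to an executable (search-order hijacking candidates).
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptsp.dll"}
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")
BULK_COPY_THRESHOLD = 3  # assumption: N documents from one process to one USB drive

# Constructed sample events. "ExampleAV" is a placeholder vendor directory.
SAMPLE_EVENTS = [
    {"EventID": 7, "UtcTime": "2020-06-04 09:00:01",
     "Image": r"C:\Program Files\ExampleAV\avscan.exe",
     "ImageLoaded": r"C:\Program Files\ExampleAV\version.dll"},   # planted DLL
    {"EventID": 7, "UtcTime": "2020-06-04 09:00:01",
     "Image": r"C:\Program Files\ExampleAV\avscan.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},          # benign load
    {"EventID": 11, "UtcTime": "2020-06-04 09:02:10",
     "Image": r"C:\Program Files\ExampleAV\avscan.exe",
     "TargetFilename": r"E:\report.pdf"},
    {"EventID": 11, "UtcTime": "2020-06-04 09:02:11",
     "Image": r"C:\Program Files\ExampleAV\avscan.exe",
     "TargetFilename": r"E:\budget.xlsx"},
    {"EventID": 11, "UtcTime": "2020-06-04 09:02:12",
     "Image": r"C:\Program Files\ExampleAV\avscan.exe",
     "TargetFilename": r"E:\memo.docx"},
    {"EventID": 11, "UtcTime": "2020-06-04 09:03:00",
     "Image": r"C:\Program Files\ExampleAV\avscan.exe",
     "TargetFilename": r"E:\collected.rar"},                        # staged archive
    {"EventID": 11, "UtcTime": "2020-06-04 09:05:00",
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.docx"},     # benign, local disk
]


def is_hijack_candidate(event):
    """True for an image-load event where a system DLL name is loaded from
    outside the trusted Windows directories (search-order hijack indicator)."""
    if event.get("EventID") != 7:
        return False
    loaded = event["ImageLoaded"].lower()
    return ntpath.basename(loaded) in SYSTEM_DLLS and not loaded.startswith(TRUSTED_DLL_DIRS)


def removable_drive(path):
    """Return the drive letter if the path is on a known removable drive, else None."""
    drive = ntpath.splitdrive(path.lower())[0]
    return drive if drive in REMOVABLE_DRIVES else None


def analyze(events):
    """Return a list of findings; each is {rule, process, detail}."""
    findings = []
    docs_per_process = defaultdict(list)
    for ev in events:
        if is_hijack_candidate(ev):
            findings.append({"rule": "dll_search_order_hijack",
                             "process": ev["Image"], "detail": ev["ImageLoaded"]})
        elif ev.get("EventID") == 11:
            target = ev["TargetFilename"]
            if removable_drive(target) is None:
                continue  # writes to fixed disks are out of scope for this heuristic
            if target.lower().endswith(".rar"):
                findings.append({"rule": "rar_archive_on_removable",
                                 "process": ev["Image"], "detail": target})
            elif target.lower().endswith(DOC_EXTS):
                docs_per_process[ev["Image"]].append(target)
    # Bulk document copies are judged per process after all events are seen.
    for proc, files in docs_per_process.items():
        if len(files) >= BULK_COPY_THRESHOLD:
            findings.append({"rule": "bulk_documents_to_removable",
                             "process": proc, "detail": f"{len(files)} documents"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['rule']:32} {f['process']}  ->  {f['detail']}")
```

On the constructed input the run yields three findings against the same process: a system DLL name loaded from the vendor directory, a RAR archive written to the removable drive, and three documents copied there in quick succession. In production the hijack rule needs an allow-list for software that legitimately ships private copies of these DLLs, and the removable-drive set should come from device enrollment rather than a hard-coded mapping.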

Kaspersky’s analysis has revealed that these cyber-operations are not merely standalone incidents; rather, they illustrate a broader landscape of shared code and infrastructure among the malicious actors. This observation suggests that the Cycldek group possesses capabilities beyond what was publicly known, operating with an advanced arsenal that firmly establishes it inside the networks of high-profile targets in Southeast Asia.

Taken together, the evidence indicates a thorough command of tactics catalogued in the MITRE ATT&CK framework, particularly Initial Access, Persistence, and Privilege Escalation, which likely facilitated these successful intrusions. The implications of these findings should serve as a wake-up call to organizations, particularly those in vulnerable sectors, to reassess their cybersecurity measures against such advanced threats.

As cyber threats evolve, vigilance is paramount. Business owners must remain cognizant of the evolving tactics employed by adversaries like Cycldek and take proactive steps to secure their networks, especially when dealing with critical data repositories housed in air-gapped environments.
