New TetrisPhantom Hackers Steal Data from Secure USB Drives on Govt Systems

Cyber Security Threat Summary:
“A new sophisticated threat tracked as ‘TetrisPhantom’ has been using compromised secure USB drives to target government systems in the Asia-Pacific region. Secure USB drives store files in an encrypted part of the device and are used to safely transfer data between systems, including those in an air-gapped environment. Access to the protected partition is possible through custom software that decrypts the contents based on a user-provided password. One such software is UTetris[.]exe, which is bundled on an unencrypted part of the USB drive” (Bleeping Computer, 2023).

Kaspersky researchers discovered a trojanized version of the UTetris application deployed on secure USB devices in an attack campaign spanning several years and targeting government agencies in the APAC region. The group, referred to as TetrisPhantom, uses various tools, commands, and malware in its attacks. Its extensive tactics, techniques, and procedures (TTPs) point to a sophisticated, well-resourced group.

“The attack comprises sophisticated tools and techniques, including virtualization-based software obfuscation for malware components, low-level communication with the USB drive using direct SCSI commands, self-replication through connected secure USB drives to propagate to other air-gapped systems and injection of code into a legitimate access management program on the USB drive which acts as a loader for the malware on a new machine” (Kaspersky, 2023). Kaspersky says the attack begins after UTetris is executed on the target machine and runs an additional payload called AcroShell. AcroShell creates a communication channel with the attackers' command and control (C2) server and is used to fetch and run additional payloads, steal documents and files, and collect specific details about the USB drives used by the target.

Kaspersky says one of the goals of this campaign is the research and development of another piece of malware called XMKR. "The XMKR module is deployed on a Windows machine and is responsible for compromising secure USB drives connected to the system to spread the attack to potentially air-gapped systems" (Kaspersky, 2023). XMKR's capabilities on the device include stealing files for espionage purposes and writing data to the USB drives.

In total, Kaspersky was able to retrieve and analyze two UTetris executable variants, one used between September and October of 2022, and another in use from October 2022 until now. In both cases, information on the compromised USB is exfiltrated to the attacker's server when the storage device is plugged into an Internet-connected computer infected with AcroShell.

These campaigns have been active for a few years and appear to be focused on targeted espionage, based on the small number of infections on government networks.

Security Officer Comments:
USB-based attacks have long been used to breach air-gapped (non-Internet-connected) environments. Because they are passed between machines, USB drives are a popular tool for introducing malware onto more sensitive systems. In this case, an Internet-connected machine is laced with malware that spreads itself onto any USB devices connected to it. The hope is that the USB device will then move to more sensitive machines and networks, where the malware can propagate. USB drives have also been directly compromised through their manufacturing supply chain, even while sealed in their original packaging. Organizations should understand the risks associated with USB devices.

It is common practice for PowerPoint slides to be loaded onto USB drives and then shared at conferences or speaking engagements on a projector-connected computer. This communal access point has been used in the past to compromise the USB devices of speakers. Users should attempt to send their slides via email as an alternative, or discontinue use of and dispose of the USB drive after an event. One malware-laden USB drive can infect the communal machine, which then spreads the malware onto the other USB devices, eventually reaching the users' own machines.

Suggested Correction(s):
While many organizations have turned to cloud-based services to move files between machines, USB drives are still quite popular. There are many risks in allowing employees to use their own personal USB devices, and many organizations have policies in place to make their usage safer. In some cases, organizations have completely disallowed USB devices, using software-based blocks and/or physical removal or destruction of USB ports.

In the event that USB devices must be used, organizations should take various actions to lessen their risk. Anti-virus software that scans USB drives is essential. A USB loan system maintained by IT staff may be possible. These devices should be regularly checked for malware, and usage should be logged and audited across connected machines. Even with protections in place, organizations should consider whether the benefits of USB drives outweigh the risks, especially when other, safer options are available.
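As an added example of the "logged and audited across connected machines" control (not code from the article, Kaspersky, or the affected product), the Python below correlates Windows Security event 6416 ("A new external device was recognized by the system", produced when Plug and Play auditing is enabled) across hosts and flags any USB storage serial that appears on an Internet-connected host and later on an air-gapped one, which is the propagation pattern described above. Host names, serial numbers and the event records are constructed.

```python
"""Flag USB drives that roam from Internet-connected hosts to sensitive hosts,
using Windows Security event 6416 records collected from each machine.
Added example; hosts, serials and records below are constructed."""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(host, when, device_id):
    # Constructed record in the shape Get-WinEvent's ToXml() returns for 6416.
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>6416</EventID>'
            f'<TimeCreated SystemTime="{when}"/><Computer>{host}</Computer>'
            f'</System><EventData><Data Name="DeviceId">{device_id}</Data>'
            f'<Data Name="ClassName">DiskDrive</Data></EventData></Event>')

DRIVE_A = "USBSTOR\\Disk&amp;Ven_ACME&amp;Prod_SecureUSB&amp;Rev_1.00\\SN-A1B2&amp;0"
DRIVE_B = "USBSTOR\\Disk&amp;Ven_ACME&amp;Prod_SecureUSB&amp;Rev_1.00\\SN-C3D4&amp;0"
SAMPLE_EVENTS = [  # constructed: drive A moves from an Internet host to an air-gapped host
    _event("WS-INTERNET-01", "2023-10-02T08:10:00Z", DRIVE_A),
    _event("WS-AIRGAP-07", "2023-10-02T13:45:00Z", DRIVE_A),
    _event("WS-INTERNET-01", "2023-10-03T09:00:00Z", DRIVE_B),
    _event("WS-AIRGAP-07", "2023-10-03T09:30:00Z", "USB\\VID_0000&amp;PID_0000\\6&amp;1"),
]

def parse_6416(xml_text):
    """Return (host, timestamp, serial) for a 6416 USB mass-storage event, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "6416":
        return None
    host = root.findtext("e:System/e:Computer", namespaces=NS)
    when = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    data = {d.get("Name"): d.text for d in root.iterfind("e:EventData/e:Data", NS)}
    dev = data.get("DeviceId", "")
    if not dev.upper().startswith("USBSTOR\\"):
        return None  # keyboards, mice and other non-storage devices are ignored
    # Instance path is "<vendor&product&rev>\<serial>&<port>"; keep only the serial.
    return host, when, dev.split("\\")[-1].split("&")[0]

def roaming_drives(events, sensitive_hosts):
    """Map serial -> sorted (time, host) visits for drives first seen outside the
    sensitive set and later plugged into a sensitive (air-gapped) host."""
    seen = defaultdict(list)
    for rec in filter(None, map(parse_6416, events)):
        host, when, serial = rec
        seen[serial].append((when, host))
    flagged = {}
    for serial, visits in seen.items():
        visits.sort()  # ISO-8601 UTC timestamps sort chronologically as strings
        hosts = [h for _, h in visits]
        first_outside = next((i for i, h in enumerate(hosts) if h not in sensitive_hosts), None)
        if first_outside is not None and any(h in sensitive_hosts for h in hosts[first_outside:]):
            flagged[serial] = visits
    return flagged
```

Events are only produced when the "Plug and Play Events" audit subcategory is enabled on each host, so the check is only as complete as the audit policy and log collection feeding it.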