Attackers are using a tool designed to infect USB devices in their campaigns.
The Transparent Tribe group (also known as PROJECTM and MYTHIC LEOPARD) has launched malicious campaigns against diplomats and military personnel in 27 countries. Most of the victims were located in Afghanistan, Pakistan, India, Iran and Germany. The attackers have armed themselves with a new tool designed to infect USB devices and spread their malware to other systems.
The attack chain begins with targeted phishing: fraudulent messages carry malicious Microsoft Office documents with an embedded macro that installs the Crimson remote access Trojan. The Trojan has many capabilities, including connecting to a C&C server to exfiltrate stolen data, updating itself remotely, taking screenshots, and activating microphones and webcams for audio and video surveillance.
According to experts at Kaspersky Lab, the malware can also steal files from removable media, log keystrokes and steal credentials saved in browsers.
Transparent Tribe also uses malware such as the .NET-based Crimson and the Python-based Peppy. In recent attacks the group added new functionality to the Crimson Trojan, called USBWorm, which consists of two main components: a tool that steals files from removable drives, and a worm function that infects other vulnerable devices.
When a USB drive is connected to an infected PC, a copy of the Trojan is silently written to the removable drive. The malware enumerates all the directories on the drive and saves a copy of the Trojan in the drive's root directory. The attribute of each directory is then changed to "hidden", and the copy carries a fake Windows folder icon so that victims who try to open the directory click the executable instead and run the payload.
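The lure layout described above is easy to check for from the defender's side: a hidden directory in the drive root sitting beside an executable that carries the same name. The following script is an added example written for this article; it is not code from Kaspersky Lab or from the Transparent Tribe tooling. It assumes that each copy of the Trojan is named after the directory it hides (which is what the folder-icon lure implies; the article does not state the naming scheme), that the copy uses a common Windows executable extension, and that only the top level of the drive needs to be inspected. The function names, the `Entry` record and the sample listing are constructed for illustration.

```python
"""
Heuristic scan for the USBWorm-style lure: a hidden directory in the
drive root next to an executable of the same name.

Added example for this article, not code from Kaspersky Lab or from the
malware itself. Naming scheme, extension list and helper names are
assumptions made for illustration.
"""
import os
import stat
from dataclasses import dataclass
from typing import List

# Extensions Windows Explorer launches on double-click. The article does
# not name the extension the Trojan copy uses, so this list is an assumption.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


@dataclass(frozen=True)
class Entry:
    """One top-level item on the drive: name, directory flag, hidden flag."""
    name: str
    is_dir: bool
    hidden: bool


def find_lures(entries: List[Entry]) -> List[str]:
    """Return executables in the root whose base name matches a hidden directory.

    Comparison is case-insensitive because NTFS/FAT names are.
    """
    hidden_dirs = {e.name.lower() for e in entries if e.is_dir and e.hidden}
    hits = []
    for e in entries:
        if e.is_dir:
            continue
        stem, ext = os.path.splitext(e.name)
        if ext.lower() in EXECUTABLE_EXTS and stem.lower() in hidden_dirs:
            hits.append(e.name)
    return sorted(hits)


def _is_hidden(entry: os.DirEntry) -> bool:
    """Hidden attribute on Windows; dot-prefix fallback elsewhere."""
    st = entry.stat(follow_symlinks=False)
    attrs = getattr(st, "st_file_attributes", None)  # Windows only
    if attrs is not None:
        return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    return entry.name.startswith(".")


def scan_drive_root(root: str) -> List[str]:
    """Build the listing of a real drive root (e.g. 'E:\\\\') and scan it."""
    entries = [
        Entry(d.name, d.is_dir(follow_symlinks=False), _is_hidden(d))
        for d in os.scandir(root)
    ]
    return find_lures(entries)


# Constructed listing of an infected drive root (not a real capture).
SAMPLE_ROOT = [
    Entry("Photos", True, True),        # directory hidden by the worm
    Entry("Photos.exe", False, False),  # Trojan copy with folder icon
    Entry("Reports", True, True),
    Entry("Reports.exe", False, False),
    Entry("Music", True, False),        # untouched directory: visible, no twin
    Entry("readme.txt", False, False),
    Entry("setup.exe", False, False),   # executable without a hidden twin
]

if __name__ == "__main__":
    for name in find_lures(SAMPLE_ROOT):
        print("suspicious lure:", name)
```

Run `scan_drive_root("E:\\")` (or the mount point on another OS) against a suspect stick; a hit is not proof of infection, but an executable shadowing a hidden folder of the same name has no legitimate reason to exist and warrants pulling the file for analysis. The hidden attribute is only read reliably on Windows, where `st_file_attributes` is populated.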