TetrisPhantom Hackers Target Government USB Drives

A new hacking group, known as TetrisPhantom, is using compromised USB drives to target government entities.

The activity has mainly targeted states in South-East Asia and China, but it is not certain whether the group's operations will also extend to the West.

Secure USB drives rely on technologies such as encryption to protect the data they hold and, at least until this wave of attacks, were considered a reliable channel for transferring data securely.

One of the programs used to manage that encryption, once specially manipulated, became a powerful weapon in the hands of TetrisPhantom. The file in question is UTetris.exe: modified versions of it were turned into real trojans that steal files from the very devices they are supposed to protect.

TetrisPhantom: how do hackers behave and what is their goal?

The attack was discovered by Kaspersky, a well-known antivirus vendor. Specifically, its experts explained that “The attack includes sophisticated tools and techniques, including virtualization-based software obfuscation for malware components, low-level communication with the USB drive using direct SCSI commands, self-replication via connected secure USB drives to propagate to other air-gapped systems, and code injection into a legitimate access management program on the USB drive that acts as a loader for the malware on a new machine”.
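The core of the technique described above is a legitimate access-management executable on the drive that has been modified to act as a malware loader. One defensive check a practitioner can run before trusting such a drive is an integrity audit of every executable on it against a pinned allowlist of known-good hashes. The following is an added example, not Kaspersky's or the drive vendor's code; the file name UTetris.exe comes from the report, while every hash, byte string, directory layout and the helper names (`sha256_file`, `audit_usb_executables`, `build_demo_drive`) are constructed assumptions for the demo.

```python
"""Integrity audit for executables shipped on a 'secure' USB drive.

Added example, not Kaspersky's or the vendor's code. Assumes the
defender keeps a pinned allowlist of SHA-256 hashes for the vendor's
access-management binaries (the file name UTetris.exe is from the
report; every hash and file below is constructed for the demo).
"""
import hashlib
import tempfile
from pathlib import Path

# Suffixes we treat as executable content worth auditing (assumption).
EXECUTABLE_SUFFIXES = {".exe", ".dll"}


def sha256_file(path: Path) -> str:
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_usb_executables(mount_dir, allowlist):
    """Return {relative_path: verdict} for every executable under mount_dir.

    Verdicts:
      'ok'         hash matches the pinned allowlist entry
      'modified'   allowlisted file present but hash differs (possible trojanized loader)
      'unexpected' executable that is not in the allowlist at all (possible dropped payload)
      'missing'    allowlisted file that is absent from the drive
    """
    mount = Path(mount_dir)
    findings = {}
    seen = set()
    for path in mount.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in EXECUTABLE_SUFFIXES:
            continue
        rel = path.relative_to(mount).as_posix()
        seen.add(rel)
        expected = allowlist.get(rel)
        if expected is None:
            findings[rel] = "unexpected"
        elif sha256_file(path) == expected:
            findings[rel] = "ok"
        else:
            findings[rel] = "modified"
    for rel in allowlist:
        if rel not in seen:
            findings[rel] = "missing"
    return findings


def build_demo_drive():
    """Construct a fake USB mount (constructed data): one genuine helper,
    one tampered copy of the access manager, and one extra executable
    nobody allowlisted. Returns (mount_path, allowlist)."""
    root = Path(tempfile.mkdtemp(prefix="usb_demo_"))
    genuine = b"MZ...pretend vendor access manager v1.0..."      # constructed bytes
    helper = b"MZ...pretend helper dll..."                        # constructed bytes
    # The on-disk UTetris.exe has extra bytes appended: it no longer matches.
    (root / "UTetris.exe").write_bytes(genuine + b"\x00injected loader stub\x00")
    (root / "tools").mkdir()
    (root / "tools" / "helper.dll").write_bytes(helper)
    (root / "tools" / "dropped.exe").write_bytes(b"MZ...unknown binary...")  # constructed
    allowlist = {
        "UTetris.exe": hashlib.sha256(genuine).hexdigest(),      # pinned clean hash
        "tools/helper.dll": hashlib.sha256(helper).hexdigest(),
        "tools/vendor_updater.exe": "0" * 64,                    # placeholder hash; file absent
    }
    return root, allowlist


if __name__ == "__main__":
    root, allowlist = build_demo_drive()
    for rel, verdict in sorted(audit_usb_executables(root, allowlist).items()):
        print(f"{verdict:10s} {rel}")
```

In practice the allowlist would be taken from the vendor's signed release rather than computed on the machine being protected, and the audit would run from a trusted host before the drive's own software is ever launched; a 'modified' verdict on the access manager is exactly the condition the report describes.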

Kaspersky shared further details with BleepingComputer, explaining that the attack via the trojanized Utetris app begins by executing a payload called AcroShell.

AcroShell establishes a line of communication with the attacker's command and control (C2) server and can retrieve and execute additional malicious agents, which are used to steal sensitive documents and files from the USB drives used by the target.

Kaspersky recovered and analyzed two malicious variants of the Utetris executable, one used between September and October 2022 (version 1.0) and another distributed in government networks from October 2022 until now (version 2.0).

Researchers say these attacks have been ongoing for at least a few years and that espionage is the sole objective of the operations, which are few in number but aimed at specific victims.
