
EMPTYSPACE Downloader

A financially motivated threat actor known as UNC4990 is leveraging weaponized USB devices to target organizations in Italy as an initial infection vector. The attacks appear to be targeted at multiple industries, including health, transportation, construction, and logistics. UNC4990 operations generally involve widespread USB infection followed by the deployment of the EMPTYSPACE downloader.

During these attack operations, the cluster relies on third-party websites such as GitHub, Vimeo, and others to host encoded additional stages, which it downloads and decodes via PowerShell early in the execution chain.

The UNC4990 Threat Actors Have Been Active for Years

UNC4990 has been active since late 2020 and is believed to operate from Italy, as evidenced by its frequent use of Italian infrastructure for command-and-control (C2) functions. The specific role of UNC4990 remains uncertain; it is unclear whether the group solely facilitates initial access for other actors. The ultimate objective of this threat actor is also ambiguous. However, in one instance researchers noted the deployment of an open-source cryptocurrency miner following months of beaconing activity.

Researchers had previously documented details of the campaign in early December 2023, with some tracking the same adversary under the moniker Nebula Broker.

The Attack Chain Employing the EMPTYSPACE Downloader

The malware infection initiates when a victim double-clicks on a malicious LNK shortcut file on a removable USB device. This action triggers the execution of a PowerShell script responsible for downloading EMPTYSPACE (also known as BrokerLoader or Vetta Loader) from a remote server. The download is facilitated through an intermediate PowerShell script hosted on Vimeo.

Researchers have identified four distinct variants of EMPTYSPACE, coded in Golang, .NET, Node.js, and Python. Once fully deployed, this threat functions as a conduit for retrieving subsequent payloads over HTTP from the C2 server, including a backdoor referred to as QUIETBOARD.

A noteworthy aspect of this phase is the use of popular websites such as Ars Technica, GitHub, GitLab, and Vimeo to host the encoded payload stages. According to the research findings, the content hosted on these services poses no direct risk to everyday users, as it is entirely benign in isolation and only becomes harmful once fetched and decoded by the PowerShell stage. Individuals who may have unintentionally interacted with or viewed this content in the past are not at risk of compromise.
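The LNK-to-PowerShell chain and the third-party staging hosts described in the two passages above lend themselves to a simple process-creation heuristic. The following is an added illustration, not code from the original research or the page; the sample records are constructed Sysmon-style (Event ID 1) fields with invented paths, and the host list is taken from the sites named above.

```python
"""Heuristic detection for the USB LNK -> PowerShell staging chain described
above, run over constructed Sysmon-style (Event ID 1) process records."""
import re

# Public sites the page names as hosts for the encoded stages.
STAGING_HOSTS = ("vimeo.com", "github.com", "gitlab.com", "arstechnica.com")
DOWNLOAD_RE = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|net\.webclient", re.I)
DECODE_RE = re.compile(r"frombase64string|-enc(odedcommand)?\b", re.I)

def score_event(ev):
    """Return (score, reasons) for one process-creation record."""
    if not ev.get("image", "").lower().endswith("powershell.exe"):
        return 0, []
    reasons, cmd = [], ev.get("command_line", "")
    # A double-clicked LNK makes explorer.exe the parent of PowerShell.
    if ev.get("parent_image", "").lower().endswith("\\explorer.exe"):
        reasons.append("spawned by explorer.exe")
    # Working directory on a non-system drive letter: a cheap proxy for
    # removable media (correlate with device-arrival events in practice).
    m = re.match(r"^([A-Za-z]):\\", ev.get("current_directory", ""))
    if m and m.group(1).upper() != "C":
        reasons.append(f"working directory on drive {m.group(1).upper()}:")
    hosts = [h for h in STAGING_HOSTS if h in cmd.lower()]
    if hosts:
        reasons.append("references staging host(s): " + ", ".join(hosts))
    if DOWNLOAD_RE.search(cmd):
        reasons.append("download primitive in command line")
    if DECODE_RE.search(cmd):
        reasons.append("base64 decode / encoded command")
    return len(reasons), reasons

def find_suspicious(events, threshold=3):
    """Indices and reasons for records that meet the heuristic threshold."""
    hits = []
    for i, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((i, reasons))
    return hits

# Constructed sample records; every value here is invented for the demo.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"image": PS, "parent_image": "C:\\Windows\\explorer.exe", "current_directory": "E:\\",
     "command_line": 'powershell.exe -w hidden -c "iwr https://vimeo.com/EXAMPLE_ID ... FromBase64String ..."'},
    {"image": PS, "parent_image": "C:\\Windows\\System32\\svchost.exe", "current_directory": "C:\\Windows\\System32\\",
     "command_line": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
    {"image": PS, "parent_image": "C:\\Windows\\explorer.exe",
     "current_directory": "C:\\Users\\alice\\", "command_line": "powershell.exe"},
]
```

Running `find_suspicious(SAMPLE_EVENTS)` flags only the first record, with all five reasons; the scheduled inventory script and a plain interactive PowerShell launch stay below the threshold.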

Additional Threats Delivered by the EMPTYSPACE Downloader

QUIETBOARD, for its part, is a Python-based backdoor equipped with a diverse set of features enabling it to execute arbitrary commands, manipulate cryptocurrency wallet addresses copied to the clipboard so that fund transfers are redirected to wallets under the threat actors' control, propagate malware to removable drives, capture screenshots, and collect system information.

Moreover, this backdoor exhibits the capability for modular expansion, enabling it to run independent Python modules such as coin miners. It can also dynamically fetch and execute Python code from the C2 server.

The analysis of EMPTYSPACE and QUIETBOARD underscores the threat actors' modular approach to developing their toolset. The use of multiple programming languages to create various versions of the EMPTYSPACE downloader, and the change of URL when the Vimeo video was taken down, demonstrate a penchant for experimentation and adaptability on the part of the threat actors.
