It’s to the point where most malware is known, at least in type and delivery method.
However, bad actors occasionally conceive a new trick to hide their footprints and fool the white hats.
The two sites were tech publication Ars Technica and video hosting site Vimeo.

There was nothing inherently wrong with the image or text.
In another instance, an identical string appeared in the description of an otherwise harmless video on Vimeo.
For most users, the instructions had no effect.
It only operates on devices that already contain the first stage of the malware (explorer.ps1).
UNC4990 distributed stage one through infected flash drives configured to link to the file hosted on GitHub and GitLab.
Mandiant admits it has never seen this technique used before.
“This is something in malware we have not typically seen.
It’s pretty interesting for us and something we wanted to call out.”
UNC4990 uses the backdoor to install cryptocurrency miners on the infected machines.
However, Mandiant says it has only tracked a single instance of a Quietboard installation.
Given the rarity of Quietboard, UNC4990’s attack poses a minimal threat.
However, the number of explorer.ps1 and Emptyspace instances could be much higher, leaving users vulnerable.
Mandiant explains how to detect the infection in its blog.