{
	"id": "cef3769c-6177-439a-916b-72fe984eeedf",
	"created_at": "2026-04-18T02:22:17.945526Z",
	"updated_at": "2026-04-18T02:22:37.408419Z",
	"deleted_at": null,
	"sha1_hash": "7eb952f516e8ae42c164190e12c8083d815dc328",
	"title": "Beyond the Horizon: Traveling the World on Camaro Dragon’s USB Flash Drives",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 140379,
	"plain_text": "Beyond the Horizon: Traveling the World on Camaro Dragon’s USB\r\nFlash Drives\r\nBy etal\r\nPublished: 2023-06-22 · Archived: 2026-04-18 02:00:15 UTC\r\nExecutive summary\r\nIn early 2023, the Check Point Incident Response Team (CPIRT) team investigated a malware incident at a European\r\nhealthcare institution involving a set of tools mentioned in the Avast report in late 2022. The incident was attributed\r\nto Camaro Dragon, a Chinese-based espionage threat actor whose activities overlap with activities tracked by\r\ndifferent researchers as Mustang Panda and LuminousMoth, whose focus is primarily on Southeast Asian countries\r\nand their close peers.\r\nThe malware gained access to the healthcare institution systems through an infected USB drive. During the\r\ninvestigation, the Check Point Research (CPR) team discovered newer versions of the malware with similar\r\ncapabilities to self-propagate through USB drives. In this way, malware infections originating in Southeast Asia\r\nspread uncontrollably to different networks around the globe, even if those networks are not the threat actors’ primary\r\ntargets.\r\nThe main payload variant, called WispRider, has undergone significant revisions. In addition to backdoor\r\ncapabilities and the ability to propagate through USB using the HopperTick launcher, the payload includes\r\nadditional features, such as a bypass for SmadAV, an anti-virus solution popular in Southeast Asia. The malware also\r\nperforms DLL-side-loading using components of security software, such as G-DATA Total Security, and of two\r\nmajor gaming companies (Electronic Arts and Riot Games). 
Check Point Research responsibly notified these companies of the above-mentioned use of their software by the attackers.\r\nThe findings in this report, along with corroborating evidence from other industry reports, confirm that Chinese threat actors, including Camaro Dragon, continue to effectively leverage USB devices as an infection vector.\r\nThe prevalence and nature of the attacks using self-propagating USB malware demonstrate the need to protect against them, even for organizations that may not be the direct targets of such campaigns. We found evidence of USB malware infections at least in the following countries: Myanmar, South Korea, Great Britain, India and Russia.\r\nIntroduction\r\nIn early 2023, CPIRT investigated an incident at a European hospital. The investigation showed that the malicious activity observed was likely not targeted but was simply collateral damage from Camaro Dragon’s self-propagating malware infections spreading via USB drives.\r\nCamaro Dragon is a Chinese-based espionage threat actor whose operations are actively focused on Southeast Asian countries and foreign entities related to them. The threat actor shares similarities in TTPs and resources with previously reported activities conducted by Chinese threat actors, namely Mustang Panda and LuminousMoth.\r\nAs a part of the investigation and tracking of the threat actor, we encountered multiple newer versions of the toolset observed in the European hospital, with similar USB-propagating capabilities that allow the malware to spread uncontrollably. These tools, which we track as WispRider and HopperTick, align with other tools by the same threat actor recently discovered by CPR, such as a Go-based backdoor called TinyNote, and a malicious router firmware implant named HorseShell. All of them share infrastructure and operational goals.\r\nIn this report, we provide a full technical analysis of the infection chains and their various components. 
We cover HopperTick, a malicious launcher that is propagated via USB drives, and WispRider, which serves as its main payload and facilitates the propagation. We explain the mechanism by which infections spread from the initially targeted networks to many others through infected USB drives, ultimately reaching environments far beyond the scope of the threat actor’s primary interests.\r\nhttps://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/\r\nPage 1 of 13\r\nEuropean Healthcare Institution Infection – How Did It Start?\r\nPatient Zero in the malware infection was identified as an employee who had participated in a conference in Asia. He shared his presentation with fellow attendees using his USB drive. Unfortunately, one of his colleagues had an infected computer, so his own USB drive unknowingly became infected as a result. Upon returning to his home hospital in Europe, the employee introduced the infected USB drive to the hospital’s computer systems, which led the infection to spread.\r\nThis incident provided an in-the-wild sighting of a set of tools described back in late 2022 in the Avast report (the toolset is labelled there as SSE), which analyzed several malicious tools staged on one of the distribution servers attributed to Mustang Panda. The infection chain starts when a victim launches a malicious Delphi launcher on the infected USB flash drive. 
The launcher reveals all of the victim’s previously hidden files and is responsible for unleashing the main backdoor and infecting each new drive it interacts with.\r\nFigure 1 – Scheme of all the components in Camaro Dragon USB infections from early 2023.\r\nThe Infector (Symantec.exe + LDVPOCX.OCX)\r\nBackdoor Setup\r\nOn any infected USB flash drive, all the user’s files are hidden in a separate folder, and the victim only sees the malicious launcher, which bears the USB drive name and a USB drive icon. When the victim clicks on it, the launcher, written in Delphi, reveals all the user’s files that were hidden and starts the PE that already exists at a specific USB path, Kaspersky\\Usb Drive\\3.0\\Symantec.cmd. This is a legitimate Symantec component that side-loads the malicious LDVPOCX.OCX, which is located in the same folder. After creating a mutex and handling persistence via the registry Run key, the infector copies its working files from another hidden folder on the USB drive to the infected machine. It places .dat files, which are encrypted payloads, in the folder C:\\ProgramData\\SymantecSEndponit\\Data: EdrEpmpCStorages.dat, PchEpmpCStorages.dat, prodcltdef.dat, csdkset.d\r\nTwo files are then decrypted and moved into C:\\ProgramData\\Vivaldi\\Application (vivaldi.exe, vivaldi_elf.dll), and two more files are decrypted and moved into C:\\Users\\odin\\AppData\\Local\\Cyber (CUZ.exe, ZIPDLL.dll). 
Then both of these executables are started (vivaldi for the evasion module and CUZ for the main backdoor), causing them to side-load the malicious DLLs placed next to them.\r\nUSB infection setup\r\nAfter all the files are copied and the evasion module and the backdoor are started, the infector creates two threads that are used to infect portable drives.\r\nOne thread creates a fake window that listens through a window procedure function for DBT_DEVICEARRIVAL and DBT_DEVICEREMOVECOMPLETE events. Listening to those events enables it to detect when a new USB device is inserted and then to infect it. Before starting the next thread, the infector enumerates all available drives by using the GetLogicalDriveStringsW API. It checks each drive to determine whether it is a hot-pluggable device by sending it an IOCTL_STORAGE_GET_HOTPLUG_INFO request, using the IO control code 0x2D0C14u. Then, if the device is hot-pluggable, it internally marks this drive letter, thereby indicating to the soon-to-be-created thread that this drive should be infected.\r\nThe second thread then reviews all of the drive letters. Any marked drives will be infected (described in the next section).\r\nFrom this moment, any USB drive that is connected to the system will be infected. It is interesting to note that existing network drives are not infected, but network drives that are added post-infection will be infected as well. This behavior is due to the lack of “hot-pluggable” checks in the window procedure created by the first thread; it infects any new device that is added and triggers one of the monitored event codes. Although network drives infected this way theoretically might be used as a means of lateral movement inside the same network, this behavior appears to be more of a flaw than an intentional feature. 
Manipulating numerous files and replacing them with an executable with a USB thumb drive icon on network drives is a conspicuous activity that can draw additional, unfavorable attention.\r\nUSB Infection\r\nWhen a benign USB thumb drive is inserted into an infected computer, the malware detects a new device inserted into the PC and manipulates its files, creating several hidden folders at the root of the thumb drive:\r\nKaspersky\\Usb Drive – All files that existed on the thumb drive prior to the infection are moved to this folder.\r\nKaspersky\\Usb Drive\\3.0 – All .dat files from C:\\ProgramData\\SymantecSEndponit\\Data\\, LDVPOCX.OCX (infector DLL) and Symantec.cmd (legitimate Symantec executable which side-loads LDVPOCX.OCX) are moved here.\r\nFinally, the malware copies into the thumb drive a Delphi loader with the original thumb drive’s name and a USB thumb drive icon:\r\nFigure 2 – An infected USB drive folder structure for the drive named “FAKE_USB”. For the drive called “SecretDocuments” the Launcher would be called “SecretDocuments.exe”.\r\nThere is no special technique used in this USB infection flow to automatically run the Delphi launcher. The scheme fully relies on social engineering; the victims can no longer see their files on the drive and are left only with the executable, which they will likely click to reveal their files – thereby setting off an infection flow of the machine.\r\nThe Backdoor (CUZ.exe/msexpert.exe + ZIPDLL.dll)\r\nZIPDLL.dll is the main backdoor side-loaded by CUZ.exe, a component of CAM UnZip software. The backdoor has 3 stages, each receiving a different set of arguments.\r\nSetup. The malware gets as an argument the path where it should be copied together with ZIPDLL.dll. This is the exact command that the infector uses to execute it: C:\\Users\\user\\AppData\\Local\\Cyber\\CUZ.exe \"C:/Users/user/AppData/Local/MicrosoftExplorer/msexpert.exe\". 
In addition to setting up the “worker” copy, it also decrypts the shellcode embedded inside, generates a random key, encrypts the shellcode, and writes it to the file c:\\users\\public\\winmine.bin. If the malware runs without an argument, it opens a once popular Minesweeper game (winmine.exe).\r\nAnti-analysis. The malware uses an interesting technique, recursively producing a process tree before continuing the execution. It starts the worker (msexpert.exe) with two arguments: a number (100) and a string of ASCII characters, which is the key that decrypts the shellcode stored in the winmine.bin file. After startup, the worker executes itself again recursively, with the first argument decreasing by 1 on each iteration. The behavior continues until the number goes down to zero, and then the worker is finally executed only with the encryption key.\r\nFigure 3 – Worker process execution tree.\r\nExecution. When the msexpert.exe process is executed with a key as an argument, it decrypts the shellcode from winmine.bin and patches the executable in memory to execute the shellcode. Next, the ZIPDLL.dll and the winmine.bin files are removed from the disk.\r\nThe backdoor has limited capabilities; it executes the following commands from the C\u0026C server:\r\nDelete the specified file.\r\nCreate a file and write to it.\r\nCreate the process.\r\nEvasions module (vivaldi.exe + vivaldi_elf.dll)\r\nThe evasion module is vivaldi_elf.dll, which is side-loaded by a legitimate component of the Vivaldi browser. It is mainly responsible for changing the registry keys under SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ such as Hidden, HideFileExt and ShowSuperHidden. 
All of those are related to hidden file attributes in the system.\r\nThe Vivaldi executable shows the same behavior as msexpert.exe, running with an argument (100) to launch itself recursively with decreasing arguments until it reaches 0.\r\nUpgraded toolset\r\nWhen searching for similar files in the wild, we found numerous newer versions circulating worldwide, most of which also first originated from Southeast Asia. While preserving the same capability to self-propagate via USB drives, these samples have a few significant technical differences from the case we observed at the European hospital:\r\nInstead of a “modular” structure, where each component is represented by a separate set of legitimate executables and side-loaded DLLs, all the functionality (USB infector, evasions module, and the backdoor itself) is combined inside the same payload.\r\nFor DLL-side-loading of the payloads, the actors use some legitimate executables not discussed previously, such as components of GDATA Total Security Solution, Electronic Arts Games Access Server, or the RiotClient UX component. The malware versions also require a proper argument to be provided to the legitimate executable for the side-loaded DLL to reveal its malicious capabilities.\r\nThe code of the malware components has undergone significant refactoring, heavily utilizing the capabilities of the C++ language. 
This applies to all the components, including the USB launcher, which was previously written in Delphi.\r\nOne of the USB launchers for the updated payload versions was submitted multiple times to VT in the last half year, with a clear geolocation cluster moving from Myanmar to Russia in the later stages of this malware’s proliferation.\r\nFigure 4 – VT submitter for the HopperTick USB launcher.\r\nThis specific USB launcher was also digitally signed with a known malicious signature by 北京弘道长兴国际贸易有限公司 (Beijing Hongdao Changxing International Trade Co., Ltd.); the certificate was explicitly revoked some time ago.\r\nSimilar to the previous versions, the infection chain starts when a victim plugs in a compromised USB device and executes a malicious launcher from its root directory. We further track the updated USB launcher as HopperTick and the unified backdoor-infector component as WispRider.\r\nFigure 5 – Scheme of the components in Camaro Dragon USB infections observed in late 2022 to 2023.\r\nHopperTick (USB launcher) analysis\r\nHopperTick is an MFC application whose purpose is to pass an infection from an infected USB thumb drive. The launcher is saved on the USB thumb drive with the thumb drive’s current name and a USB thumb drive icon. Those steps are part of a social engineering scheme to get an unsuspecting user to click and execute the launcher. Upon execution, HopperTick determines the drive letter of the USB thumb drive from which it’s running by calling the GetModuleFileNameW function and then manipulating the received module file name. 
Next, it generates an ID for the thumb drive based on the volume serial number received from the GetVolumeInformationW API. Then, combining all of the gathered information, it creates the following string: [DRIVE_LETTER]:\\Kaspersky\\Usb Drive\\3.0\\[DRIVE_ID] and checks if the file exists. If it doesn’t, the launcher also tries to look in the file path [DRIVE_LETTER]:\\System Volume Information\\[DRIVE_ID].\r\nThe file [DRIVE_ID] contains a shellcode that is loaded, decrypted, reallocated, and executed in memory using VirtualProtect. The application itself doesn’t continue its own execution but jumps directly to the shellcode and continues executing from it.\r\nThe execution flow consists of several steps:\r\n1. Closes the File Explorer window where the victim originally started the launcher. The shellcode does this by calling the function GetForegroundWindow and then PostMessageW with the WM_CLOSE message.\r\n2. Bypasses SmadAV. SmadAV is a “second-layer antivirus” that is popular in Southeast Asian countries. The bypass is done exactly the same way as in Camaro Dragon’s TinyNote backdoor, which we reported on recently.\r\n3. Checks if the USB device is media-removable and hot-pluggable, by sending an IOCTL request to the thumb drive with the IoControlCode IOCTL_STORAGE_GET_HOTPLUG_INFO and checking for relevant features in the received STORAGE_HOTPLUG_INFO struct.\r\n4. Creates a new Explorer process and opens a folder on the USB thumb drive containing the user’s original files (in most cases we observed). The path is similar across all versions: [DRIVE_LETTER]:\\Kaspersky\\Usb Drive\\.\r\n5. Infects the machine: Creates a working folder inside C:\\ProgramData\\, decrypts the .data files located in the [DRIVE_LETTER]:\\Kaspersky\\Usb Drive\\3.0\\ folder and saves them to the disk. 
These files include a legitimate executable, a fake DLL that is side-loaded by the executable, and a binary file containing both the configuration and encrypted payloads. Below is the list of the legitimate executables used for side-loading in this campaign:\r\nDLL name | Legitimate executable | Component and its developer\r\nlibcef.dll | RiotClientUx.exe | Riot Client, Riot Games, Inc.\r\nEACore.dll | EACoreServer.exe | EA Core Server Application, Electronic Arts, Inc.\r\nAVKkid.dll | AVKKid.exe | KidSafe (part of GDATA Total Security), G DATA Software AG\r\nWhen side-loaded by the legitimate executable, the DLL first checks if the executable was executed with a specific hardcoded number as an argument. If the argument check fails, the process exits; this serves as an anti-sandbox technique that prevents the malware from revealing its capabilities when run dynamically without a proper infection chain.\r\n6. Sets up persistence by adding the Run registry key and a scheduled task with the path to the legitimate executable and the proper argument (e.g. \"C:\\ProgramData\\EACoreService\\EACoreServer.exe\" 114).\r\nWispRider (infector and backdoor) analysis\r\nMalware Configuration\r\nWispRider is a side-loaded DLL which contains both the USB infector component and the backdoor itself. It first creates a mutex to ensure there is a single instance running and checks that the executable that side-loaded it was executed with the proper argument. Next, it searches for a configuration file by first identifying the directory from which the executable runs, and then recursively scanning from that directory, checking each file as a potential config file candidate. 
A valid config file can be represented in the following struct:\r\nstruct encrypted_config_file\r\n{\r\n DWORD crc32_checksum;\r\n WORD key_1_size;\r\n WORD key_2_size;\r\n BYTE key_1[key_1_size];\r\n BYTE key_2[key_2_size];\r\n config_data cfg_data;\r\n};\r\nFor each file encountered during the config search process, the malware first checks the CRC32 checksum by comparing the first 4 bytes with the CRC32 checksum of the rest of the file. If this check passes, the path to the valid config file is saved, and WispRider proceeds to decrypt the config file using simple XOR encryption loops, first with the first key (key_1) and then again using XOR with the second key (key_2).\r\nFigure 6 – Configuration file decryption.\r\nThe config file contains relevant paths where the files should be stored both on an infected PC and on an infected USB drive, and the actual encrypted content of these files. 
The data stored in the config file can be represented in the following structs:\r\nstruct config_data\r\n{\r\n DWORD version;\r\n wchar_t path_usb_folder[260];\r\n wchar_t path_config_on_pc[260];\r\n wchar_t path_config_on_usb[260];\r\n config_data_entry entries[];\r\n};\r\nstruct config_data_entry\r\n{\r\n byte mode; // 0 = USB, 1 = PC, 2 = additional payload\r\n byte type; // 0 = DLL, 1 = EXE, 2 = shellcode\r\n wchar_t path[260];\r\n DWORD size_of_encrypted_data;\r\n DWORD unknown;\r\n BYTE encrypted_data[];\r\n};\r\nWispRider Execution flow\r\nAfter the config is fully loaded and parsed, WispRider checks from which process it runs, and then compares it to each file path from config_data_entry with the type field equal to 1 (EXE). This allows the sample to understand if it’s running from an already infected machine or if the machine needs to be infected. This determines its next behavior. 
If the malware discovers that it is running from an already infected computer, it goes over the list of config entries and looks for files with the mode field set to 2, indicating additional payloads, copies them to the PC, and executes them. In our case, one of the files had a reference to HPCustParticUI.exe, a legitimate executable that side-loads HPCustPartUI.dll, a “Disk Monitor” tool which is a version of a stealer discussed by Avast in the overview of the threat actor’s tools.\r\nInfection process\r\nIf the sample is not run from an infected machine, it continues to infect the present machine. This is likely an alternative infection vector that delivers the malware to the targeted network when the actors cannot rely on USB propagation, as they can’t physically access the machine to plug in an infected drive. Based on the known TTPs of the threat actor, we might suggest that these infections are initiated via spear-phishing campaigns that deliver an archive with all the infection-related files and ensure the legitimate executable runs with the relevant argument.\r\nTo infect the machine, the malware goes over the list of files from the configuration that are intended for the PC (mode=1). For each one, it creates the needed directories and then copies the files over. For example, when EACoreServer.exe is used, it first creates the directory tree C:\\ProgramData\\EACoreService\\ and then copies two files into it: EACoreServer.exe and EACore.dll.\r\nAfter copying all the files, the malware creates in its working folder a newly re-encrypted config file. Its structure and the data are the same, but both encryption keys (and their sizes) are different. For new encryption keys, the sample uses two arrays filled with random values and randomizes 2 parameters for each of the keys: the key size, and the index in the relevant array at which the key starts. 
Next, it takes the relevant bytes from the pre-generated arrays, encrypts the config data with them, computes a CRC32 checksum over the config data to write at the beginning of the config file, and saves everything to the working directory with a .dat name matching the side-loaded DLL (such as EACore.dat).\r\nFigure 7 – Encryption of the config file.\r\nAfter setting up all the files, WispRider establishes persistence for the file that has the field type set to 1, i.e. the legitimate executable. Like HopperTick, it adds both a registry Run key and a scheduled task pointing to the executable with the relevant argument.\r\nFinally, regardless of whether WispRider had to infect the machine or was running initially from the infected machine, it creates two threads: one is responsible for communication with the C\u0026C server, and the other infects any existing or newly connected USB devices.\r\nUSB Infection\r\nUpon execution, the USB infection thread loads the configuration file again and saves it internally to a shared struct. Then the thread creates a fake window, with a random 16-character class name and window name. 
It then registers a WndProc function, which listens for WM_DEVICECHANGE messages; these are sent on various event types but, most importantly, when a USB device is connected to the system.\r\nFigure 8 – Creation of a window that starts an event listener for newly plugged-in devices.\r\nThe infection process of each USB device consists of a few stages:\r\nCreate a struct per USB device: The malware determines the drive letter, and then creates the following struct for it:\r\nstruct usb_infect_helper\r\n{\r\n DWORD unknown;\r\n HANDLE event;\r\n wchar_t drive_path[4];\r\n};\r\nCleanup: The malware first goes over the newly attached USB drives and deletes any file of the following types on it: .exe, .lnk, .scr, .com, .vbs, .hta.\r\nFigure 9 – The malware removes all possible launchers from the USB drive.\r\nCreate a whitelist: The malware creates a whitelist of all files that are related to the USB infection (with mode=0) from the previously loaded config. This whitelist is used whenever any file operations occur on the USB and makes sure the infection files stay intact regardless of what manipulations are performed on the USB.\r\nMonitor a device: Each infected USB has its dedicated thread which runs in a loop as long as the device is attached. 
This loop performs the following actions:\r\nAt the start of the loop, there are several writes to the following registry keys to help with hiding the victim’s files on both the USB and on the infected machine. In previous versions, this functionality was a part of the vivaldi module:\r\nSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden\r\nSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt\r\nSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden\r\nA few checks validate whether the USB device needs to be infected. If any of the conditions below are met, the USB device is infected:\r\nNo config on the USB device.\r\nFailure to decrypt the config file already existing on the USB device.\r\nPartial or corrupted config file.\r\nPartial infection occurred or infection-related files are missing.\r\nThe malware can also update itself to a newer version. If the version of the config already existing on the USB is lower than the config from the sample, the malware performs the infection update.\r\nIf the USB is determined to need infection, all files that existed on the USB device, except the previously created whitelist, are moved to the folder Kaspersky\\Usb Drive. Next, the files from the config with mode=0 are moved to the folder Kaspersky\\Usb Drive\\3.0 with their corresponding name in the config. The config itself is re-encrypted as described previously and placed in the same folder. 
Finally, the malicious launcher is placed at the root of the USB, named after the USB device and with a USB drive icon so it can impersonate a USB device. This is a social engineering trick to get unsuspecting or negligent users to execute the malware.\r\nIf the USB infection flow worked as expected, the following struct is created:\r\nstruct usb_handle\r\n{\r\n HANDLE h_event;\r\n HANDLE h_thread;\r\n HANDLE h_file;\r\n wchar_t drive_path[260];\r\n};\r\nThis struct is updated in a global array of such structs, where the index in the array is the USB drive letter. This struct holds a newly created event, a new thread created per attached device, a file handle to the USB device itself, and the USB drive path.\r\nThe newly created thread monitors any file changes on the USB thumb drive itself: when a new file is created, it is moved immediately to the folder with all of the other user files.\r\nThe calling thread also keeps monitoring the USB. In case there are any changes to the infection-related files, it overwrites them to make sure the USB can carry the infection further.\r\nC\u0026C Communication and backdoor capabilities\r\nUpon execution, the thread first resolves more API calls and generates a bot id based on available data about the infected machine from various functions such as NetBios and GetVolumeInformationA. 
Next, it proceeds to set up the C\u0026C-related parameters based on a hexadecimal representation of an IPv4 address and port:\r\nFigure 10 – C\u0026C array setup.\r\nAt first, it seems odd to see that this version uses the local computer IP address. Upon further investigation, it turns out that\r\nanother function uses the domain www.beautyporntube[.]com to resolve the second C\u0026C server address and overwrites\r\nthe entries containing the local IP 127.0.0.1 with the IP it resolves from that domain.\r\nFigure 11 – Resolving IP from another domain.\r\nCommunication with the C\u0026C server occurs through raw sockets, and the traffic itself is encrypted using XOR encryption,\r\nwhere the key is randomly generated and present at the beginning of the request. The generated key is also used to decrypt\r\nthe incoming response from the C\u0026C server. First, the malware sends a request containing the infected computer name,\r\nwith message_id equal to 5. If there is any response from the C\u0026C server after sending this message, the malware sends\r\nanother request, this time with message_id=4 and random data. 
This request signals to the C\u0026C server that the malware\r\nis waiting to receive a command.\r\nThese are the supported commands:\r\nCommand Id | Description\r\n1 | Execute a command by creating a named pipe to cmd.exe, then read the input from the pipe and send it back to the C\u0026C server.\r\n3 | Read from the previously created named pipe and send the information back.\r\n4 | Open a file for reading or writing.\r\n5 / 6 | Write to file.\r\n7 | Close the file handle to the previously opened file.\r\nJudging by the available C\u0026C commands, the backdoor capabilities are limited in this version. Similar to the previous\r\nversion, the backdoor is used to gain a foothold in the infected environment and run additional payloads from the C\u0026C\r\nserver.\r\nPost-exploitation tools: Disk Monitor\r\nAs we mentioned earlier, one of the payloads delivered together with WispRider is HPCustPartUI.dll, a DLL which is side-loaded by HPCustParticUI.exe. Its purpose is to scan all the drives of the infected system for files with predefined\r\nextensions and stage them for exfiltration.\r\nThe DLL requires a configuration file called HPCustPartUI.log located in the same folder. The config is encrypted using\r\nXOR with the key DKJfeoirj39 and contains the path to stage the files and a list of the extensions to be monitored (in our\r\ncase these values are hardcoded: .docx, mp3, wav, m4a, wma, aac, cda, mid).\r\nWhen a new file with a monitored extension is created, it is copied to the location specified in the config with the name\r\nformat \u003ctimestamp\u003e_\u003coriginal_file_name\u003e.\u003cextension\u003e, which preserves the folder structure of each copied file. 
In\r\nparallel, the Disk Monitor tool also notifies its C\u0026C server about each of these files, sending the message in the following\r\nformat:\r\n\u003cmachine name\u003e \u003cmachine id\u003e \u003cpath to the file of interest\u003e\r\nThe data in the request is XORed with the key “DMkeir” and sent to the C\u0026C server via HTTPS with the User-Agent “Mozilla/5.0”.\r\nAs for the exfiltration component, although we didn’t observe it this time, the actors were previously seen using their own FTP servers for\r\nexfiltration along with third-party services such as Google Drive.\r\nConclusion\r\nThe Camaro Dragon APT group continues to employ USB devices as a method for infecting targeted systems, effectively\r\ncombining this technique with other established tactics. These include DLL side-loading by exploiting security solution\r\ncomponents, bypassing the SmadAV antivirus solution which is popular in Southeast Asian countries, and disguising\r\nmalware folders as legitimate security vendor files. The consequences of a successful infection are twofold: the malware not\r\nonly establishes a backdoor on the compromised machine but also spreads itself to newly connected removable drives.\r\nThe ability to propagate autonomously and uncontrollably across multiple devices enhances this threat’s reach and potential\r\nimpact. 
This approach not only enables the infiltration of potentially isolated systems but also grants and maintains access to\r\na vast array of entities, even those that are not primarily targeted.\r\nCheck Point Customers Remain Protected against the threats described in this research\r\nCheck Point Threat Emulation provides comprehensive coverage of attack tactics, file types, and operating systems, and has\r\ndeveloped and deployed a signature to detect and protect our customers against the threat described in this research.\r\nHarmony Endpoint provides comprehensive endpoint protection at the highest security level, preventing the most imminent\r\nthreats to the endpoint. Every file received via email or downloaded by a user through a web browser is sent to the Threat\r\nEmulation sandbox to inspect for malware.\r\nFiles are also sanitized using a Threat Extraction process (Content Disarm \u0026 Reconstruction technology) to deliver sanitized\r\ncontent in milliseconds.\r\nTE/Harmony Endpoint protections:\r\nAPT.Wins.MustangPanda.*\r\nAPT.Wins.MustangPanda.ta.*\r\nIOCs\r\nName sha256\r\nEACore.dll aeacc2d47a88eb68d503f9e30b189641572eb35423df931845f90a4c447ed1be\r\nlibcef.dll fc598a686a5a77436684cbd0f72f39033cb70a41d4dbcf5dbab47a7c2522fdda\r\navkkid.dll 68eb5590d8ad952215cf54741b0ed6204c19bba4dcb8d704883e007f16de5028\r\nRiotClient.dat 6c4226aa2f8bb646f753ffd282cf4624f6bc8e5ca8a2cb2373f640a2a29cdd95\r\nLDVPOCX.OCX 7d8b568746a643aa0470b14f271f681dd3b09dbc08c893b191d1d6607b86c501\r\nvivaldi_elf.dll 3738e414f43d3b213cf7475a8bb616a3379c09e90c0ba5c6ac0e398d2967ca95\r\nEACore.dat 7752fc0c747149d45deeec1023fef8ca73f83a154643531ae9db9cb89b6ce1dc\r\nEACore.dll 464888b81e4d67aad73b245efa6442fecf8221abe3ec74d4cd180e4beedaddc6\r\nZIPDLL.dll 0279a0a3effc688097eb14d4bd6f1ab8be86f880d01952af7e2b55c51cf107b1\r\nHopperTick 
5c878a05fb54c6d06ca4f66d28906d17a423b1305b6aa9bde19df8e8b3e91c5c\r\nDelphi USB Launcher 491d9f6f4e754a430a29ac6842ee12c43615e33b0e720c61e3f06636559813f7\r\nStealer ce1615ec67296edd05d9dc9a6a075a4724553fca5398c425372b85170aec2106\r\nSource: https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/"
	],
	"report_names": [
		"beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives"
	],
	"threat_actors": [],
	"ts_created_at": 1776478937,
	"ts_updated_at": 1776478957,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7eb952f516e8ae42c164190e12c8083d815dc328.pdf",
		"text": "https://archive.orkl.eu/7eb952f516e8ae42c164190e12c8083d815dc328.txt",
		"img": "https://archive.orkl.eu/7eb952f516e8ae42c164190e12c8083d815dc328.jpg"
	}
}