Chinese Virus WispRider Spreads Globally Through USB Flash Drives


The world’s computers are experiencing a swift onslaught of the WispRider virus, experts from Check Point Research report. The contagion is spreading through USB flash drives, with the Camaro Dragon hacking group, also known as Mustang Panda, Luminous Moth, and Bronze President, suspected to be behind the epidemic. This group is believed to be linked to China.

The first known infection with this new virus likely occurred at an international conference held in Asia. An attendee, dubbed the “patient zero,” passed his USB drive to another participant to share a presentation file. The recipient’s computer was infected, and the drive was returned to the original owner already compromised. After returning to his European homeland, the owner plugged the drive into a workplace computer in a medical institution, leading to a network-wide infection in the hospital.

The core function of the virus has been named WispRider. This backdoor, providing hackers access to the victim’s computer, was initially detected by Avast specialists at the end of last year. Since then, the virus has evolved, acquiring new capabilities. It propagates through USB drives using the autorun program HopperTick, remaining invisible to the popular South Asian antivirus, SmadAV. The malware loads a DLL file through software components of the G-DATA Total Security antivirus and products of game developers Electronic Arts and Riot Games, who have been notified by Check Point Research. The Go language-based backdoor TinyNote and the malicious firmware component HorseShell for routers are also loaded.

When a USB flash drive is connected to an infected computer, the virus detects the new device and creates several hidden folders in the root of the drive. It then copies a Delphi loader onto the drive, naming it after the drive and giving it the standard drive icon. Technically, nothing extraordinary occurs; this is a standard scenario, and the virus spreads mainly through human error. Victims see an executable file on the drive in place of their files, which they unwittingly launch, infecting their machine in the process. WispRider functions as both an infecting module and a backdoor for accessing user files, loading a DLL file that performs both functions. The malicious payload is launched from the infected machine, and if that machine has not been infected yet, the actual infection is carried out first. The virus also propagates through accessible network shares.
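The layout described above (hidden folders in the drive root plus an executable named after the drive) is something an administrator can check for when a drive is scanned. The following Python script is an added example written for this article; it is not Check Point's or any vendor's detection logic, and the volume label, file names and executable suffix list are assumptions.

```python
"""Check a mounted USB drive for the layout described above: hidden folders in the
drive root plus an executable named after the drive. Constructed heuristic, not
Check Point's or any vendor's detection logic."""
import stat
import tempfile
from pathlib import Path

# Assumption: lures are delivered as Windows executables with one of these suffixes.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif"}


def is_hidden(path: Path) -> bool:
    """Hidden attribute on Windows; dot-prefixed names count too on non-Windows mounts."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or path.name.startswith(".")


def scan_usb_root(mount_path: str, volume_label: str) -> dict:
    """Return the indicators found in the drive root and an overall verdict."""
    findings = {"hidden_dirs": [], "root_executables": [], "label_named_executables": []}
    for entry in Path(mount_path).iterdir():
        if entry.is_dir():
            if is_hidden(entry):
                findings["hidden_dirs"].append(entry.name)
        elif entry.suffix.lower() in EXECUTABLE_SUFFIXES:
            findings["root_executables"].append(entry.name)
            if entry.stem.lower() == volume_label.lower():
                findings["label_named_executables"].append(entry.name)
    # The combination matters: a lone hidden folder or a stray .exe is common on its own.
    findings["suspicious"] = bool(findings["hidden_dirs"] and findings["label_named_executables"])
    return findings


def build_constructed_drive(base: str, label: str) -> None:
    """Constructed sample layout imitating the described infection; contains no real code."""
    root = Path(base)
    (root / ".RECYCLER.BIN").mkdir()  # hidden folder that now holds the user's real files
    (root / ".RECYCLER.BIN" / "budget.xlsx").write_text("constructed user document")
    (root / f"{label}.exe").write_bytes(b"MZ placeholder, not a real executable")


def demo(label: str = "WORKUSB", infected: bool = True) -> dict:
    """Scan a throwaway directory laid out either as an infected or as a clean drive."""
    with tempfile.TemporaryDirectory() as tmp:
        if infected:
            build_constructed_drive(tmp, label)
        else:
            Path(tmp, "slides.pptx").write_text("constructed clean file")
        return scan_usb_root(tmp, label)


if __name__ == "__main__":
    print(demo())
```

On a real drive, call `scan_usb_root` with the mount point and the label reported by the operating system; the verdict is a prompt for a full antivirus scan, not a replacement for one.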

To protect from the WispRider virus, experts suggest the following safety measures:

  1. Educate Employees: Conduct awareness campaigns amongst employees about the potential threat posed by USB drives from unknown or unreliable sources. Encourage cautious behaviour and prohibit the connection of unfamiliar drives to company devices.
  2. Regulate USB Usage: Enforce strict rules for connecting USB drives to devices in the corporate network. This may include banning their use altogether unless they are obtained from reliable sources.
  3. Find Safe Alternatives: Seek secure alternatives to USB drives such as cloud storage and encrypted file-sharing platforms. This will reduce dependence on external devices and partially neutralize associated risks.
  4. Update Antivirus Software Regularly: Ensure timely updates of antivirus and other software to secure all devices. Regularly scan USB drives for malicious software.

By following these guidelines, individuals and organizations can mitigate the risk of falling victim to the WispRider virus.

Author Profile

Vasyl Kolomiiets
I'm Vasyl Kolomiiets, a seasoned tech journalist regularly contributing to global publications. Having a profound background in information technologies, I seamlessly blended my technical expertise with my passion for writing, venturing into technology journalism. I've covered a wide range of topics including cutting-edge developments and their impacts on society, contributing to leading tech platforms.
