Description
There has been a resurgence of an old technique, as researchers have observed a significant threefold increase in malware distributed through USB drives during the first half of 2023. A recent report by Mandiant sheds light on two notable USB-delivered malware campaigns witnessed this year. The first campaign, dubbed “Sogu,” is linked to a Chinese espionage threat group known as “TEMP.HEX.” The second campaign, named “Snowydrive,” is attributed to UNC4698 and primarily targets oil and gas companies in Asia.
Details
In a previous instance highlighted by the cybersecurity company in November 2022, a China-related campaign exploited USB devices to infect entities in the Philippines, utilizing four distinct malware families. Furthermore, in January 2023, the Unit 42 team at Palo Alto Networks uncovered a variant of the PlugX malware capable of concealing itself within USB drives and infecting Windows hosts upon connection.
This resurgence of USB-based malware distribution signifies the re-emergence of an effective attack vector, reminding organizations of the ongoing need to remain vigilant and implement robust security measures to safeguard against such threats.
According to Mandiant”s report, Sogu currently stands out as the most aggressive USB-assisted cyber-espionage campaign, targeting multiple industries worldwide and aiming to steal data from compromised computers. The victims of Sogu malware span across various countries, including the United States, France, the UK, Italy, Poland, Austria, Australia, Switzerland, China, Japan, Ukraine, Singapore, Indonesia, and the Philippines. While the pharmaceutical, IT, energy, communications, health, and logistics sectors constitute the primary victims, Sogu has affected organizations across different industries. The malware utilizes a payload named “Korplug,” which loads C shellcode (Sogu) into memory using DLL order hijacking. This technique relies on tricking the victim into executing a legitimate file.
To establish persistence, Sogu creates a registry Run key and utilizes Windows Task Scheduler to ensure regular execution of its malicious activities. Furthermore, Sogu drops a batch file into the “RECYCLE.BIN” directory, which aids in system reconnaissance. This batch file scans the infected machine for MS Office documents, PDFs, and other text files that may contain valuable data. Sogu also provides support for command execution, file execution, remote desktop functionality, capturing screenshots, establishing a reverse shell, and performing keylogging. To facilitate lateral movement within a compromised network, any connected drives automatically receive a copy of Sogu”s initial compromise file, enabling further spreading of the malware. The extensive capabilities and wide-ranging impact of Sogu highlight the need for robust security measures and ongoing vigilance to protect against this highly aggressive cyber-espionage campaign.
Another concerning campaign known as Snowydrive employs a backdoor to infect computers, granting attackers the ability to execute arbitrary payloads via the Windows command prompt, modify the registry, and perform various file and directory actions. Similar to Sogu, Snowydrive relies on the victim being deceived into launching an executable that appears legitimate from a USB drive. This action triggers the extraction and execution of the malware”s components, which are stored in a folder named “Kaspersky.”
Each component within Snowydrive has specific roles, including establishing persistence on the compromised system, evading detection, dropping a backdoor, and facilitating the propagation of the malware to newly connected USB drives. The backdoor utilized in Snowydrive operates based on shellcode and is loaded into the process of “CUZ.exe,” a legitimate software used for archive unzipping. The backdoor provides support for various commands, enabling the execution of file operations, data exfiltration, reverse shell functionality, command execution, and reconnaissance activities. To evade detection, the malware utilizes a malicious DLL that is side loaded by “GUP.exe,” a legitimate Notepad++ updater. This technique helps conceal file extensions and selectively hides files marked as “system” or “hidden.” The sophisticated capabilities of Snowydrive highlight the importance of robust security measures and heightened vigilance to defend against this campaign”s malicious activities.
USB-based attacks continue to remain relevant and continue to be a trending method in 2023, as highlighted by Mandiant”s report. Despite requiring physical access to the target computers, these attacks offer unique advantages that contribute to their persistent use. One of the key advantages of USB attacks is their ability to bypass security mechanisms. USB devices can evade traditional security measures such as firewalls and network-based security solutions, allowing them to go undetected by conventional defenses. Stealth is another advantage of USB attacks. Malicious payloads delivered through USB drives can remain hidden and undetected within legitimate-looking files or disguised as normal USB devices, making them difficult to identify as threats.
USB attacks provide a means for initial access to corporate networks. By infecting a computer within an organization through a USB drive, attackers can gain a foothold within the network, potentially bypassing other security measures and extending their reach to sensitive systems and data. Moreover, USB attacks can target air-gapped systems that are isolated from unsecured networks for security reasons. These attacks enable malware to spread even to highly protected systems that do not have direct connectivity to the internet or other networks, further amplifying the potential impact.
Mandiant”s investigation points to print shops and hotels as hotspots for USB malware infections. However, due to the random and opportunistic nature of these attacks, any system with a USB port becomes a potential target, emphasizing the widespread risk posed by USB-based backdoors. As USB attacks continue to evolve, organizations must remain vigilant and implement robust security measures to mitigate the risks associated with these persistent and advantageous attack vectors.
Remediation
Keep computer systems updated with the latest security patches.
Avoid plugging any and all storage devices into your computer and ensure to always backup important data.
Install a reputable malware software from a trusted source such as Avast antivirus and run scheduled scans on all devices to keep them malware free. Security software usually comes with USB device scanning that scans a secondary storage device before running it.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: USB drive malware attacks spiking again in the first half of 2023.pdf
References
Toulas, B. (2023, July 13). USB drive malware attacks spiking again in the first half of 2023. Bleeping Computer. Retrieved from:
https://www.bleepingcomputer.com/news/security/usb-drive-malware-attacks-spiking-again-in-first-half-of-2023/
Bogna, J. (2022, January 14). Don`t Plug it in! How to Prevent a USB Attack. PCMAG. Retrieved from:
https://www.pcmag.com/how-to/dont-plug-it-in-how-to-prevent-a-usb-attack