USB drives continue to be a favorite asset of cybercriminals to launch malware. Security researchers at Mandiant reported a three-fold increase in malware attacks via USB drives to steal secrets in the first half of 2023. They have shared details of two such attack campaigns.
SOGU malware infection
The attack campaign, attributed to China-linked cyberespionage group TEMP.Hex, was deployed against public and private sector organizations across Europe, Asia, and the U.S.
It used USB flash drives to load the SOGU malware and steal sensitive data from a host.
The flash drive contained multiple malicious software and used a DLL hijacking technique to download the final payload in the memory of compromised systems.
Once executed, SOGU malware captured screenshots, recorded keystrokes, conducted reverse shell, and established remote desktop connections for the execution of additional files.
The stolen data was exfiltrated via a custom binary protocol over TCP or UDP or ICMP to the C2 server.
The attack targeted a variety of industries including those in construction, engineering, government, manufacturing, retail, media, and pharmaceutical.
SNOWYDRIVE malware infection
In this attack, the victim is lured to click on a file that appears to be a legitimate executable found in the root folder of the USB drive.
Upon executing the file, an infection chain is triggered that causes the download of a shellcode-based backdoor named SNOWYDRIVE.
The malware copies itself to removable drives that are plugged into an infected system, in addition to performing a wide range of other operations such as writing or deleting files, initiating file upload, and executing a reverse shell command.
Prevalence of BadUSB attacks
Recently Check Point Research Team documented a new USB-based attack campaign attributed to China-based Camaro Dragon, targeting a healthcare institution in Europe. The attack deployed several updated versions of the malware toolset, including WispRider and HopperTick.
It was further reported that Camaro Dragon effectively employed USB drives to launch attacks across Myanmar, South Korea, Great Britain, India, and Russia.
Summing up
Organizations are urged to prioritize access restrictions on USB devices or conduct thorough scans for malicious files before connecting them to the network. Furthermore, it is crucial for organizations to have greater visibility into such attack campaigns to thwart threats at the initial stage. This can be achieved through a robust and automated TIP that ensures tactical and technical details of an attack in real-time.