Two ongoing cyber-espionage campaigns targeting organizations across multiple industries and regions demonstrate the importance for security teams of restricting access to USB drives and other external devices on employee systems.
In one of the campaigns, a China-linked threat actor tracked as TEMP.Hex is using USB flash drives to load malware for stealing sensitive information from host systems. Once on a system, the malware, dubbed "Sogu," can copy itself to any removable drive that's plugged into the infected host, thereby giving the attacker a way to spread the payload to other systems, including, potentially, air-gapped systems.
Researchers from Mandiant recently discovered the threat and believe that TEMP.Hex is using Sogu to collect information that has economic and national security interest to China. The security vendor has assessed the campaign as posing a threat to organizations across multiple sectors, particularly in engineering, construction, government, transportation, health, and business services.
Mandiant researchers said a threat actor that the company is tracking as UNC4698 is responsible for another major ongoing cyber campaign, also using infected USB drives to drop malware on victim systems. The malware in this campaign, dubbed "SnowyDrive," creates a backdoor on the systems it infects, so the cyberattacker has a way to remotely interact with the device and issue commands. The organizations in UNC4698's crosshairs for this campaign are oil and gas organizations in Asia.
According to Mandiant, there's been a threefold increase in attacks involving USB drives in the first half of 2023, though the immediate impetus for the sudden surge remains unclear. Though incidents involving poisoned USB drives remain somewhat rare relative to other cyberattack vectors, there have been several instances where threat actors — including large professional groups — have employed the tactic.
USB-Deployed Malware Resurges
Sogu and SnowyDrive are just two malware tools that Mandiant researchers — and others — have recently observed threat actors deploying via infected USB flash drives. In December, Mandiant reported on another China-linked threat actor, UNC4191, that was deploying four separate malware families on infected systems via USB drives. The victims in that campaign included public and private sector organizations in Southeast Asia and, to a lesser extent, in the US, Europe, and the Asia-Pacific region.
In June, Check Point described an incident it had recently investigated where a China-nexus threat actor dubbed "Camaro Dragon" (aka Mustang Panda) gained access to a hospital network via an infected USB drive and deployed self-propagating malware for stealing data.
And the notorious, financially motivated FIN7 group (aka Carbanak) last year attracted the FBI's attention when it sent ransomware-loaded USBs — disguised to appear like they were from the US Department of Health and Human Services — to targets in the US defense, transportation, and other sectors.
"Organizations should prioritize implementing restrictions on access to external devices such as USB drivers," Mandiant researchers Rommel Joven and NG Choon Kiat wrote in the recent post. "If this is not possible, they should at least scan these devices for malicious files or code before connecting them to their internal networks."
USB Malware: Engineered to Steal
Like all USB-based attacks, the Sogu and SnowyDrive campaigns depend on users picking up a rogue USB, inserting it into their system, and following through on subsequent prompts. Mandiant's report identified hotels and local print shops as potential hotspots for infection, where targets might be on business trips and less vigilant about security.
With the Sogu campaign, the weaponized USB flash drive initially loads three files when a user inserts the device into a host system: a legitimate executable, a malicious dynamic link library (DLL) loader, and an encrypted payload. When executed, the legitimate executable — typically, security software such as Symantec or Avast — sideloads "Korplug," a malicious DLL file, which then decrypts and loads the Sogu backdoor in memory. Subsequent steps in the infection chain include the malware gathering specific system metadata and searching the C drive for files with .docx, .doc, .ppt, .pdf, and other extensions. The malware also executes separate steps to stage all the information that it retrieves, exfiltrate the data, and finally maintain its presence on an infected system.
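A defender-side check for the sideloading step described above, written here as an added example (not Mandiant's code or anything from its report): it scans constructed Sysmon-style Event ID 7 (image loaded) records for a DLL loaded from a USB-backed volume and rates the load higher when the DLL is unsigned and sits beside the process image, which is the shape of the legitimate-executable-plus-loader-DLL pair carried on the weaponized drive. The drive-to-bus map and the event records are constructed sample data.

```python
# Added example (not from Mandiant or the report): rate DLL loads from removable
# media in Sysmon-style Event ID 7 records. Field names mirror Sysmon's
# (Image, ImageLoaded, Signed, SignatureStatus); all data below is constructed.
import ntpath
from typing import Dict, Iterable, List, Tuple

# Constructed mapping of drive letter -> bus type, as an endpoint agent might report it.
DRIVE_BUS = {"C": "SATA", "E": "USB", "F": "USB"}

# Constructed events in the shape of Sysmon Event ID 7 (ImageLoaded).
EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\scanner.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Sogu-style pattern: a signed binary on the USB stick loads an unsigned DLL beside it.
    {"EventID": 7, "Image": r"E:\docs\scan.exe",
     "ImageLoaded": r"E:\docs\loader.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Signed DLL loaded from USB: lower confidence, but still worth a look.
    {"EventID": 7, "Image": r"F:\tool.exe",
     "ImageLoaded": r"F:\vendor.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

def drive_letter(path: str) -> str:
    drive, _ = ntpath.splitdrive(path)          # "E:" for r"E:\docs\x.dll"
    return drive.rstrip(":").upper()

def is_removable(path: str, bus: Dict[str, str] = DRIVE_BUS) -> bool:
    return bus.get(drive_letter(path)) == "USB"

def classify(ev: Dict, bus: Dict[str, str] = DRIVE_BUS) -> str:
    """Return 'high', 'low' or 'none' for one ImageLoaded event."""
    if ev.get("EventID") != 7:
        return "none"
    exe, dll = ev["Image"], ev["ImageLoaded"]
    if not is_removable(dll, bus):
        return "none"                           # DLL not on removable media
    same_dir = ntpath.dirname(exe).lower() == ntpath.dirname(dll).lower()
    unsigned = ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid"
    return "high" if (same_dir and unsigned) else "low"

def find_sideloads(events: Iterable[Dict], bus: Dict[str, str] = DRIVE_BUS) -> List[Tuple[str, str, str]]:
    """Return (severity, process image, loaded DLL) for every load from removable media."""
    hits = []
    for ev in events:
        sev = classify(ev, bus)
        if sev != "none":
            hits.append((sev, ev["Image"], ev["ImageLoaded"]))
    return hits

if __name__ == "__main__":
    for sev, exe, dll in find_sideloads(EVENTS):
        print(f"[{sev}] {exe} loaded {dll}")
```

In production the drive-to-bus mapping would come from the endpoint agent or from Sysmon's own device events rather than a static table.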
"The malware may include HTTP, HTTPS, a custom binary protocol over TCP or UDP, and ICMP to communicate with its command-and-control server," Mandiant said. "The malware was also found to support a wide range of commands, including file transfer, file execution, remote desktop, screenshot capture, reverse shell, and keylogging."
With SnowyDrive, after the USB is inserted into a system, the user has to click on a malicious executable that is spoofed to look like a legitimate file. The executable serves as a dropper that writes multiple encrypted malicious files to disk, each of which contains executables and DLLs. One of them is SnowyDrive, a shellcode-based backdoor that supports a long list of commands. These include commands to create, write, or delete files; upload files; create a cmd.exe reverse shell; list drives; and start a file/directory search. The malware communicates with a command-and-control server whose domain is hard-coded into the shellcode.