Sogu and SnowyDrive Malware Expands as USB-Based Cyberattacks Soar

A recent report by cybersecurity firm Mandiant highlights the growing threat of cyber-espionage campaigns that are using infected USB drives to target organizations across various sectors and regions. These campaigns serve as a reminder for security teams to implement strict restrictions on accessing external devices like USB drives, which can serve as a gateway for malware and sensitive data theft.

One of the campaigns discovered by Mandiant involves a China-linked threat actor known as TEMP.Hex. This threat actor is utilizing USB flash drives to load malware, named “Sogu,” onto host systems, allowing them to steal sensitive information. Once the malware infects a system, it can copy itself to any removable drive that is connected to the compromised host. This capability enables the attacker to spread the payload to other systems, potentially including air-gapped systems that are isolated from external networks. The primary motive behind this campaign is believed to be the collection of information with economic and national security relevance to China. The sectors most at risk from this campaign include engineering, construction, government, transportation, health, and business services.

Mandiant researchers also discovered another major cyber campaign involving infected USB drives. This campaign, attributed to a threat actor known as UNC4698, uses malware called “SnowyDrive” to create a backdoor on infected systems. This backdoor allows the attacker to remotely interact with the compromised device and issue commands. The organizations targeted by this campaign are primarily oil and gas companies in Asia.

According to Mandiant, there has been a significant increase in attacks involving USB drives in the first half of 2023. While the exact reason behind this surge remains unclear, it serves as a warning for organizations to recognize the potential risks associated with these devices. Although attacks involving infected USB drives are relatively uncommon compared to other cyberattack methods, several instances have been reported where threat actors, including large professional groups, have effectively employed this tactic.

The Sogu and SnowyDrive campaigns are not isolated incidents. Mandiant and other researchers have observed similar attacks in the past. In December, Mandiant reported on another China-linked threat actor, UNC4191, using infected USB drives to deploy four different malware families on infected systems. The victims in that campaign included both public and private sector organizations in Southeast Asia and other regions.

In another incident investigated by Check Point, a China-nexus threat actor named “Camaro Dragon” gained access to a hospital network through an infected USB drive and deployed self-propagating malware to steal data. The financially motivated FIN7 group also attracted attention when they sent ransomware-loaded USB drives disguised as coming from the US Department of Health and Human Services to targets in sectors like defense and transportation.

To combat the threat posed by these campaigns, organizations are advised to prioritize implementing restrictions on accessing external devices like USB drives. If restricting access is not possible, Mandiant advises scanning these devices for any malicious files or code before connecting them to internal networks.

The Sogu and SnowyDrive campaigns demonstrate the sophisticated techniques employed by threat actors to exploit USB drives and gain access to sensitive information. Users must be cautious about picking up rogue USB drives and inserting them into their systems, as this action can initiate the infection process. Places like hotels and local print shops are potential hotspots for infection, as business travelers may be more vulnerable to such attacks.

In the case of the Sogu campaign, the infected USB flash drive loads three files when connected to a host system: a legitimate executable, a malicious dynamic link library (DLL) loader, and an encrypted payload. The legitimate executable sideloads the malicious DLL, Korplug, which decrypts the payload and loads the Sogu backdoor into memory. The malware then collects system metadata, searches for specific file extensions, stages the retrieved information, exfiltrates it, and maintains persistence on the infected system.

SnowyDrive, on the other hand, requires the user to click on a malicious executable after inserting the USB drive. This executable serves as a dropper for multiple encrypted malicious files containing executables and DLLs. One of these files is the SnowyDrive backdoor, which supports various commands such as file manipulation, remote desktop access, and keylogging. The malware communicates with a command-and-control server that is hardcoded into the shellcode.
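The two on-disk layouts described above, Sogu's side-loading trio (legitimate EXE, DLL loader, encrypted payload dropped together) and SnowyDrive's click-me executable at the drive root, lend themselves to a simple pre-connection triage pass. The script below is an added example, not code from the article or from Mandiant: it walks a mounted removable drive and lists directories matching either pattern. The extensions it treats as a possible encrypted blob, and the sample folder and file names, are assumptions.

```python
import os
import tempfile
from pathlib import Path

EXEC_EXT = {".exe", ".scr", ".com"}
# Extensions an encrypted payload blob is assumed to carry (assumption, not from the report)
BLOB_EXT = {".dat", ".bin", ".tmp", ""}

def find_sideload_triads(root: str) -> list[dict]:
    """One record per directory holding an EXE, a DLL and an opaque data file together."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        by_ext: dict[str, list[str]] = {}
        for name in files:
            by_ext.setdefault(Path(name).suffix.lower(), []).append(name)
        exes = sorted(n for e in EXEC_EXT for n in by_ext.get(e, []))
        dlls = sorted(by_ext.get(".dll", []))
        blobs = sorted(n for e in BLOB_EXT for n in by_ext.get(e, []))
        if exes and dlls and blobs:
            hits.append({"dir": dirpath, "exe": exes, "dll": dlls, "payload": blobs})
    return hits

def find_root_executables(root: str) -> list[str]:
    """Executables at the top level of the drive: the lure layout described for SnowyDrive."""
    return sorted(n for n in os.listdir(root)
                  if os.path.isfile(os.path.join(root, n)) and Path(n).suffix.lower() in EXEC_EXT)

def triage(root: str) -> dict:
    """Run both checks over a mounted drive; results are candidates for scanning, not verdicts."""
    return {"triads": find_sideload_triads(root), "root_exes": find_root_executables(root)}

def build_sample_drive() -> str:
    """Constructed stand-in for a USB drive: empty placeholder files, no real malware."""
    root = tempfile.mkdtemp(prefix="usb_sample_")
    hidden = Path(root, "hidden_dir")  # hypothetical subfolder carrying the triad
    hidden.mkdir()
    for name in ("updater.exe", "helper.dll", "config.dat"):  # constructed EXE + DLL + payload
        (hidden / name).write_bytes(b"")
    Path(root, "Documents.exe").write_bytes(b"")  # constructed root-level lure executable
    Path(root, "report.pdf").write_bytes(b"")     # benign document, should not be flagged
    return root

if __name__ == "__main__":
    for kind, found in triage(build_sample_drive()).items():
        print(kind, found)
```

Point `triage()` at the mount point of a real removable drive to get the same two lists; anything it returns is a reason to run a full scan before the drive touches an internal network.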

As cyber-espionage campaigns increasingly leverage USB drives as an attack vector, organizations must remain vigilant and adopt effective security measures. Restricting access to external devices and implementing robust scanning protocols can help mitigate the risks associated with these attacks. With the threat landscape evolving continuously, staying proactive and informed is crucial to safeguarding sensitive information and maintaining robust cybersecurity defenses.
