The Spies Who Loved You: Infected USB Drives to Steal Secrets

Written by: Rommel Joven, Ng Choon Kiat

In the first half of 2023, Mandiant Managed Defense has observed a threefold increase in the number of attacks using infected USB drives to steal secrets. Mandiant tracked all of the cases and found that the majority of the incidents could be attributed to several active USB-based operation campaigns affecting both the public and private sectors globally.

Previously, we covered one of the campaigns that leverages USB flash drives as an initial infection vector and concentrates on the Philippines. In this blog post, we are covering two additional USB-based cyber espionage campaigns that have been observed by Managed Defense:

• SOGU Malware Infection via USB Flash Drives Across Industries and Geographies
  
  This is the most prevalent USB-based cyber espionage attack using USB flash drives and one of the most aggressive cyber espionage campaigns targeting both public and private sector organizations globally across industry verticals. It uses USB flash drives to load the SOGU malware to steal sensitive information from a host.
  
  Mandiant attributes this campaign to TEMP.Hex, a China-linked cyber espionage actor. TEMP.Hex likely conducted these attacks to collect information in support of Chinese national security and economic interests. These operations pose a risk to a variety of industries, including construction and engineering, business services, government, health, transportation, and retail in Europe, Asia, and the United States.
   
• SNOWYDRIVE Malware Infection via USB Flash Drives, Targets Oil and Gas Organizations in Asia
  
  This campaign uses USB flash drives to deliver the SNOWYDRIVE malware. Once SNOWYDRIVE is loaded, it creates a backdoor on the host system, giving attackers the ability to remotely issue system commands. It also spreads to other USB flash drives and propagates throughout the network.
  
  Mandiant attributes this campaign to UNC4698, a threat actor that has targeted oil and gas organizations in Asia. Once the actor has gained access to the system, they execute arbitrary payloads using the Windows Command Prompt, use removable media devices, create local staging directories, and modify the Windows registry.

SOGU Malware Infection via USB Flash Drives Across Industries and Geographies

Managed Defense first observed this campaign while hunting for suspicious file write events in common directories that threat actors use for their malware, tools, or utilities.

The Initial Infection

An infected USB flash drive is the initial infection vector. The flash drive contains multiple malicious software that is designed to load a malicious payload in memory through DLL hijacking.

Established Foothold

The entire infection chain usually consists of three files: a legitimate executable, a malicious DLL loader, and an encrypted payload. Table 1 shows the commonly observed malware file paths and file names observed throughout the campaign.

When the legitimate executable is run, it will side-load a malicious DLL file, which we tracked as KORPLUG. The KORPLUG malware will then load a decrypted shellcode, commonly observed in the form of a .dat file, and execute it in memory. The shellcode is commonly observed as a backdoor that Mandiant tracked as SOGU, a backdoor written in C.

Reconnaissance and Data Staging

The infection continues by dropping a batch file onto the RECYCLE.BIN file path. The batch file runs host reconnaissance commands and outputs the results to a file named c3lzLmluZm8. When decoded from Base64, the file name c3lzLmluZm8 is “sys.info”. The following commands to gather specific system metadata are executed:

• tasklist /v 
• arp -a 
• netstat -ano 
• ipconfig /all 
• systeminfo

Subsequently, the malware searches the C drive for files with the following extensions: .doc, .docx, .ppt, .pptx, .xls, .xlsx, and .pdf. It encrypts a copy of each file, encodes the original filenames using Base64, and drops the encrypted files in the following directories:

• C:\Users\<user>\AppData\Roaming\Intel\<SOGU CLSID>\<filename in Base64>
• <drive>:\RECYCLER.BIN\<SOGU CLSID>\<filename in Base64>

Maintain Presence

To maintain its persistence on the system, the malware creates a directory that masquerades as a legitimate program and sets the directory's attribute to hidden. It then copies its main components to this directory, with the following commonly used file paths:

• C:\ProgramData\AvastSvcpCP
• C:\ProgramData\AAM UpdatesHtA
• C:\ProgramData\AcroRd32cWP
• C:\ProgramData\Smadav\SmadavNSK

Then, it creates a Run registry key with the same name as the directory created earlier. The Run registry keys are used to run programs automatically when a user logs on. The following are the commonly observed Run registry key entries.

• Value: AvastSvcpCP 
• Text: C:\ProgramData\AvastSvcpCP\AvastSvc.exe
• Value: AAM UpdatesHtA 
• Text: C:\ProgramData\AAM UpdatesHtA\AAM Updates.exe
• Value: AcroRd32cWP
• Text: C:\ProgramData\AcroRd32cWP\AcroRd32.exe
• Value: SmadavNSK
• Text: C:\ProgramData\Smadav\SmadavNSK\Smadav.exe

In some SOGU variants, an additional scheduled task may be created to run the malware every 10 minutes to maintain persistence.

• SCHTASKS.exe /create /sc minute /mo 10 /tn "Autodesk plugin" /tr """"C:\ProgramData\Smadav\SmadavNSK\Smadav.exe""" 644" /f

Complete Mission

At the last stage of the attack lifecycle, the malware will exfiltrate any data that has been staged. The malware may include HTTP, HTTPS, a custom binary protocol over TCP or UDP, and ICMP to communicate with its command and control server. The malware was also found to support a wide range of commands, including file transfer, file execution, remote desktop, screenshot capture, reverse shell, and keylogging.

The malware can also copy onto new removable drives plugged into an infected system. This allows the malicious payloads to spread to other systems and potentially collect data from air-gapped systems.

Mandiant tracks this event as Campaign 22-054.

SNOWYDRIVE Malware Infection via USB Flash Drives, Targets Oil and Gas Organizations in Asia

Managed Defense first observed this campaign while hunting Windows Explorer process execution with a suspicious folder path (e.g., “F:\”) specified on the command line. This behavior is commonly observed when a user is tricked into executing malware on USB drives. While this type of threat is not uncommon, Mandiant's relentless research and pursuit of every attack led to the discovery of yet another espionage campaign that uses USB drives to spread malware.

The Initial Infection

An infected USB flash drive is the initial infection vector. The victim is lured to click on a malicious file that is masquerading as a legitimate executable. Upon executing the malicious file, it triggers a chain of malicious executions, each designed to perform its specific task throughout the attacker's lifecycle.

Established Foothold

The infection chain typically starts with an executable that serves as a dropper. The dropper is responsible for writing malicious files to disk and launching them. In one instance, a dropper named USB Drive.exe wrote the following encrypted files to C:\Users\Public\SymantecsThorvices\Data:

• aweu23jj46jm7dc 
• bjca3a0e2sfbs 
• asdigasur3ase 
• sf33kasliaeae 
• sf24acvywsake

The encrypted files contain executables and DLLs that are extracted and written in the directory C:\Users\Public\SymantecsThorvices\Bin.

These files can be broken down into four components, each consisting of a legitimate executable and a malicious DLL that is loaded via DLL search order hijacking. As shown in Figure 5, each component is responsible for a task within the attack lifecycle.

Command and Control

The shellcode-based backdoor named SNOWYDRIVE generates a unique identifier based on the system name, username, and volume serial number. This identifier serves as a unique ID when communicating to its command and control (C2) server. The C2 domain is usually found hard-coded in the shellcode.

 The backdoor supports the following commands:

Maintain Presence

The registry value HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ushsguaei1hgba is used for persistence. It stores the path of Silverlight.Configuration.exe.

Lateral Movement

The malware copies itself to removable drives that are plugged into an infected system. It creates the folder “<drive_root>\Kaspersky\Usb Drive\3.0” on the removable drive and copies the encrypted files that contain the malicious components. An executable is extracted from the file “aweu23jj46jm7dc” and written to <drive_root>\<volume_name> .exe, which is responsible for extracting and executing the content of  the encrypted files.

Outlook and Implications

Mandiant's investigation and research identified local print shops and hotels as potential hotspots for infection. While some threat actors targeted specific industries or regions, Campaign 22-054 appears to be more opportunistic in nature. This campaign may be part of a long-term collection objective or a later-stage follow-up for subjects of interest to state-sponsored threat actors.

Organizations should prioritize implementing restrictions on access to external devices such as USB drives. If this is not possible, they should at least scan these devices for malicious files or code before connecting them to their internal networks.

YARA Rules

SOGU

SOGU is a backdoor written in C. The network protocol varies between samples and may include HTTP, HTTPS, a custom binary protocol over TCP or UDP, and ICMP. Supported commands include file transfer, file execution, remote desktop, screenshot capture, reverse shell, and keylogging.

rule M_Code_SOGU
{
    meta:
        author = "Mandiant"
        description = "Hunting rule for SOGU"
        sha256 = "8088b1b1fabd07798934ed3349edc468062b166d5413e59e78216e69e7ba58ab"

    strings:
        $sb1 = { 8B [2] C7 ?? 01 03 19 20 8B [2] C7 ?? 04 01 10 00 00 8B [2] C7 ?? 08 00 00 00 00 8B [2] C7 ?? 0C 00 00 00 00 0F B7 }
        $sb2 = { 8B ?? 0C C7 ?? 01 03 19 20 8B ?? 0C C7 ?? 04 00 10 00 00 6A 40 E8 [4] 83 C4 04 8B ?? 0C 89 ?? 08 8B ?? 0C C7 ?? 0C 00 00 00 00 C7 [2] 00 00 00 00 EB 09 8B [2] 83 ?? 01 89 [2] 8B ?? 0C 8B [2] 3? ?? 08 7? ?? 68 FF 00 00 00 E8 [4] 83 C4 04 8B [2] 03 [2] 88 ?? 10 EB D4 }

    condition:
        (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x010B) and all of them
}

FROZENHILL

FROZENHILL is a launcher written in C++ that is configured to utilize existing files for execution and also infects newly attached storage volumes with additional malware.

rule M_Code_FROZENHILL 
{
    meta:
        author = "Mandiant"
        description = "Hunting rule for FROZENHILL"
        sha256 = "89558b4190abcdc1a2353eda591901df3bb8856758f366291df85c5345837448"

    strings:
        $str1 = "path_symantec" ascii
        $str2 = "symantec_dir" ascii
        $str3 = "name_svchost" ascii
        $str4 = "run_cmd" ascii
        $str5 = "usb_dll_name" ascii
        $str6 = "name_mutex" ascii
        $str7 = "cmd /c \"%s\" %d" wide
        $str8 = { 8B 85 [4] 83 ?? 01 89 85 [4] 8B 85 [4] 3B 45 0C 74 ?? 8B 45 ?? 03 85 [4] 0F B6 08 33 8D [4] 81 E1 [4] 8B 95 [4] C1 EA ?? 33 94 8D [4] 89 95 [4] EB } 

    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of them
}

ZIPZAG

ZIPZAG is an in-memory dropper written in C++ that is configured to overwrite portions of the loading process with shellcode and transfer execution back to the process for execution.

rule M_Code_ZIPZAG
{
    meta:
        author = "Mandiant"
        description = "Hunting rule for ZIPZAG"
        sha256 = "8a968a91c78916a0bb32955cbedc71a79b06a21789cab8b05a037c8f2105e0aa"
    strings:
        $str1 = { C6 45 ?? 55 C6 45 ?? 8B C6 45 ?? EC C6 45 ?? 81 C6 45 ?? EC C6 45 ?? 08 C6 45 ?? 01 C6 45 ?? 00 C6 45 ?? 00 C6 45 ?? C7 C6 45 ?? 45 C6 45 ?? FC C6 45 ?? 78 C6 45 ?? 56 C6 45 ?? 34 C6 45 ?? 12 C6 45 ?? 68 C6 45 ?? 04 C6 45 ?? 01 C6 45 ?? 00 C6 45 ?? 00 C6 45 ?? 8D C6 45 ?? 85 C6 45 ?? F8 C6 45 ?? FE C6 45 ?? FF C6 45 ?? FF C6 45 ?? 50 C6 45 ?? FF C6 45 ?? 75 C6 45 ?? FC C6 45 ?? B8 C6 45 ?? 79 C6 45 ?? 56 C6 45 ?? 34 C6 45 ?? 12 C6 45 ?? FF C6 45 ?? D0 C6 45 ?? FF C6 45 ?? 75 C6 45 ?? FC C6 45 ?? B8 C6 45 ?? 7A C6 45 ?? 56 C6 45 ?? 34 C6 45 ?? 12 C6 45 ?? FF C6 45 ?? D0 C6 45 ?? 8D C6 45 ?? 85 C6 45 ?? F8 C6 45 ?? FE C6 45 ?? FF C6 45 ?? FF C6 45 ?? 50 C6 45 ?? B8 C6 45 ?? 7B C6 45 ?? 56 C6 45 ?? 34 C6 45 ?? 12 C6 45 ?? FF C6 45 ?? D0 C6 45 ?? C9 C6 45 ?? C3 } 
        $str2 = "shellcode_size" ascii

    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of them
}

SNOWYDRIVE

SNOWYDRIVE is a shellcode-based backdoor that communicates via a custom binary protocol over TCP. Supported commands include reverse shell creation, file transfer, file deletion, and disk enumeration.

rule M_Code_SNOWYDRIVE
{
    meta:
        author = "Mandiant"
        description = "Hunting rule for SNOWYDRIVE"
        sha256 = "964c380bc6ffe313e548336c9dfaabbd01a5519e8635adde42eedb7e1187c0b3"

    strings:
        $str1 = { C6 45 ?? 6B C6 45 ?? 65 C6 45 ?? 72 C6 45 ?? 6E C6 45 ?? 65 C6 45 ?? 6C C6 45 ?? 33 C6 45 ?? 32 C6 45 ?? 2E C6 45 ?? 64 C6 45 ?? 6C C6 45 ?? 6C } 
        $str2 = { C6 45 ?? 47 C6 45 ?? 65 C6 45 ?? 74 C6 45 ?? 50 C6 45 ?? 72 C6 45 ?? 6F C6 45 ?? 63 C6 45 ?? 41 C6 45 ?? 64 C6 45 ?? 64 C6 45 ?? 72 C6 45 ?? 65 C6 45 ?? 73 C6 45 ?? 73 } 
        $str3 = { C6 85 ?? FD FF FF 4C C6 85 ?? FD FF FF 6F C6 85 ?? FD FF FF 61 C6 85 ?? FD FF FF 64 C6 85 ?? FD FF FF 4C C6 85 ?? FD FF FF 69 C6 85 ?? FD FF FF 62 C6 85 ?? FD FF FF 72 C6 85 ?? FD FF FF 61 C6 85 ?? FD FF FF 72 C6 85 ?? FD FF FF 79 C6 85 ?? FD FF FF 41 } 
        $str4 = { C6 85 ?? FC FF FF 57 C6 85 ?? FC FF FF 61 C6 85 ?? FC FF FF 69 C6 85 ?? FC FF FF 74 C6 85 ?? FC FF FF 46 C6 85 ?? FC FF FF 6F C6 85 ?? FC FF FF 72 C6 85 ?? FC FF FF 53 C6 85 ?? FD FF FF 69 C6 85 ?? FD FF FF 6E C6 85 ?? FD FF FF 67 C6 85 ?? FD FF FF 6C C6 85 ?? FD FF FF 65 C6 85 ?? FD FF FF 4F C6 85 ?? FD FF FF 62 C6 85 ?? FD FF FF 6A C6 85 ?? FD FF FF 65 C6 85 ?? FD FF FF 63 } 

    condition:
        uint16(0) != 0x5A4D and uint32(0) != 0x464c457f and uint32(0) != 0xBEBAFECA and uint32(0) != 0xFEEDFACE and uint32(0) != 0xFEEDFACF and uint32(0) != 0xCEFAEDFE and all of them
}

rule hunting_T1091_User Execution: Malicious File
{
  meta:

    rule_name = "Replication Through Removable Media"
    description = "This rule detects a file write event from a RECYCLER/S named path to another directory"
author = "Mandiant Managed Defense"
    mitre_technique_name = "User Execution: Malicious File"
    mitre_technique = "T1204"
    mitre_tactic_name = "Execution"
    platform = "Windows"
 
  events:   
       $e.target.process.path = ":\RECYCLER.BIN\" nocase or
       $e.target.process.path = ":\RECYCLERS.BIN\" nocase
    }

    condition:
        $e
}

rule hunting_T1091_Replication_Through_Removable_Media
{
  meta:
    rule_name = "Replication Through Removable Media"
    description = "This rule detects windows explorer process execution with a suspicious folder path specified on the command line"
author = "Mandiant Managed Defense"
    mitre_technique_name = "Replication Through Removable Media"
    mitre_technique = "T1091"
    mitre_tactic_name = "Lateral Movement,Initial Access"
    platform = "Windows"

  events:
    $e.target.process = "explorer.exe" and
    {
      re.regex($e.principal.process.command_line, = `/explorer.exe?(\")?\s+(\")?[A-BD-Za-bd-z]:\\/`) nocase and
      re.regex($e.principal.process.full_path, `:\\[^\\]+\.exe$`) nocase
    }

    condition:
        $e
}

Indicators of Compromise

About Managed Defense Hunting 

Cyber security hunting missions are a way to look for security breaches that bypass an organization's security controls. Managed Defense hunting missions based on Mandiant’s real-time intelligence mapped to the MITRE ATT&CK framework.

Find out more about Managed Defense.

About Threat Campaigns

Greater visibility into attacker operations: Threat Campaigns provides you with detailed information about active campaigns, including the tactics, techniques, and infrastructure used by attackers. This information can help you identify new threats and vulnerabilities, and prioritize your defensive actions.

Find out more about Threat Campaigns.

Mandiant Security Validation Actions

Mandiant Advantage Security Validation can automate the following process to give you real data on how your security controls are performing against these threats.

The following table is a subset of MSV actions for one of the malware variants. Find out more about Mandiant Security Validation.

Acknowledgements

This blog post is dedicated to the analysts in the Managed Defense team for their tireless work to develop new ways in defending our clients around the clock.

Special thanks to Matt Williams for his assistance in analyzing the malware samples and Matthew Hoerger and Lexie Aytes for creating the Mandiant Security Validation (MSV) actions. Martin Co for his inputs and review of this blog post.