The Spies Who Loved You: Infected USB Drives to Steal Secrets
Mandiant
Written by: Rommel Joven, Ng Choon Kiat
In the first half of 2023, Mandiant Managed Defense has observed a threefold increase in the number of attacks using infected USB drives to steal secrets. Mandiant tracked all of the cases and found that the majority of the incidents could be attributed to several active USB-based operation campaigns affecting both the public and private sectors globally.
Previously, we covered one of the campaigns that leverages USB flash drives as an initial infection vector and concentrates on the Philippines. In this blog post, we are covering two additional USB-based cyber espionage campaigns that have been observed by Managed Defense:
- SOGU Malware Infection via USB Flash Drives Across Industries and Geographies
This is the most prevalent USB-based cyber espionage attack using USB flash drives and one of the most aggressive cyber espionage campaigns targeting both public and private sector organizations globally across industry verticals. It uses USB flash drives to load the SOGU malware to steal sensitive information from a host.
Mandiant attributes this campaign to TEMP.Hex, a China-linked cyber espionage actor. TEMP.Hex likely conducted these attacks to collect information in support of Chinese national security and economic interests. These operations pose a risk to a variety of industries, including construction and engineering, business services, government, health, transportation, and retail in Europe, Asia, and the United States.
- SNOWYDRIVE Malware Infection via USB Flash Drives, Targets Oil and Gas Organizations in Asia
This campaign uses USB flash drives to deliver the SNOWYDRIVE malware. Once SNOWYDRIVE is loaded, it creates a backdoor on the host system, giving attackers the ability to remotely issue system commands. It also spreads to other USB flash drives and propagates throughout the network.
Mandiant attributes this campaign to UNC4698, a threat actor that has targeted oil and gas organizations in Asia. Once the actor has gained access to the system, they execute arbitrary payloads using the Windows Command Prompt, use removable media devices, create local staging directories, and modify the Windows registry.
SOGU Malware Infection via USB Flash Drives Across Industries and Geographies
Managed Defense first observed this campaign while hunting for suspicious file write events in common directories that threat actors use for their malware, tools, or utilities.
Figure 1: Geographic distribution of TEMP.HEX victims
Figure 2: Managed Defense investigation breakdown by industry
The Initial Infection
An infected USB flash drive is the initial infection vector. The flash drive contains multiple malicious software that is designed to load a malicious payload in memory through DLL hijacking.
Figure 3: Attacker lifecycle
Established Foothold
The entire infection chain usually consists of three files: a legitimate executable, a malicious DLL loader, and an encrypted payload. Table 1 shows the commonly observed malware file paths and file names observed throughout the campaign.
When the legitimate executable is run, it will side-load a malicious DLL file, which we tracked as KORPLUG. The KORPLUG malware will then load a decrypted shellcode, commonly observed in the form of a .dat file, and execute it in memory. The shellcode is commonly observed as a backdoor that Mandiant tracked as SOGU, a backdoor written in C.
Reconnaissance and Data Staging
The infection continues by dropping a batch file onto the RECYCLE.BIN file path. The batch file runs host reconnaissance commands and outputs the results to a file named c3lzLmluZm8. When decoded from Base64, the file name c3lzLmluZm8 is “sys.info”. The following commands to gather specific system metadata are executed:
- tasklist /v
- arp -a
- netstat -ano
- ipconfig /all
- systeminfo
Subsequently, the malware searches the C drive for files with the following extensions: .doc, .docx, .ppt, .pptx, .xls, .xlsx, and .pdf. It encrypts a copy of each file, encodes the original filenames using Base64, and drops the encrypted files in the following directories:
- C:\Users\<user>\AppData\Roaming\Intel\<SOGU CLSID>\<filename in Base64>
- <drive>:\RECYCLER.BIN\<SOGU CLSID>\<filename in Base64>
Maintain Presence
To maintain its persistence on the system, the malware creates a directory that masquerades as a legitimate program and sets the directory's attribute to hidden. It then copies its main components to this directory, with the following commonly used file paths:
- C:\ProgramData\AvastSvcpCP
- C:\ProgramData\AAM UpdatesHtA
- C:\ProgramData\AcroRd32cWP
- C:\ProgramData\Smadav\SmadavNSK
Then, it creates a Run registry key with the same name as the directory created earlier. The Run registry keys are used to run programs automatically when a user logs on. The following are the commonly observed Run registry key entries.
- Value: AvastSvcpCP
- Text: C:\ProgramData\AvastSvcpCP\AvastSvc.exe
- Value: AAM UpdatesHtA
- Text: C:\ProgramData\AAM UpdatesHtA\AAM Updates.exe
- Value: AcroRd32cWP
- Text: C:\ProgramData\AcroRd32cWP\AcroRd32.exe
- Value: SmadavNSK
- Text: C:\ProgramData\Smadav\SmadavNSK\Smadav.exe
In some SOGU variants, an additional scheduled task may be created to run the malware every 10 minutes to maintain persistence.
- SCHTASKS.exe /create /sc minute /mo 10 /tn "Autodesk plugin" /tr """"C:\ProgramData\Smadav\SmadavNSK\Smadav.exe""" 644" /f
Complete Mission
At the last stage of the attack lifecycle, the malware will exfiltrate any data that has been staged. The malware may include HTTP, HTTPS, a custom binary protocol over TCP or UDP, and ICMP to communicate with its command and control server. The malware was also found to support a wide range of commands, including file transfer, file execution, remote desktop, screenshot capture, reverse shell, and keylogging.
The malware can also copy onto new removable drives plugged into an infected system. This allows the malicious payloads to spread to other systems and potentially collect data from air-gapped systems.
Mandiant tracks this event as Campaign 22-054.
SNOWYDRIVE Malware Infection via USB Flash Drives, Targets Oil and Gas Organizations in Asia
Managed Defense first observed this campaign while hunting Windows Explorer process execution with a suspicious folder path (e.g., “F:\”) specified on the command line. This behavior is commonly observed when a user is tricked into executing malware on USB drives. While this type of threat is not uncommon, Mandiant's relentless research and pursuit of every attack led to the discovery of yet another espionage campaign that uses USB drives to spread malware.
The Initial Infection
An infected USB flash drive is the initial infection vector. The victim is lured to click on a malicious file that is masquerading as a legitimate executable. Upon executing the malicious file, it triggers a chain of malicious executions, each designed to perform its specific task throughout the attacker's lifecycle.
Figure 4: Attacker lifecycle
Established Foothold
The infection chain typically starts with an executable that serves as a dropper. The dropper is responsible for writing malicious files to disk and launching them. In one instance, a dropper named USB Drive.exe wrote the following encrypted files to C:\Users\Public\SymantecsThorvices\Data:
- aweu23jj46jm7dc
- bjca3a0e2sfbs
- asdigasur3ase
- sf33kasliaeae
- sf24acvywsake
The encrypted files contain executables and DLLs that are extracted and written in the directory C:\Users\Public\SymantecsThorvices\Bin.
These files can be broken down into four components, each consisting of a legitimate executable and a malicious DLL that is loaded via DLL search order hijacking. As shown in Figure 5, each component is responsible for a task within the attack lifecycle.
Figure 5: Components and the execution chain of this campaign
Command and Control
The shellcode-based backdoor named SNOWYDRIVE generates a unique identifier based on the system name, username, and volume serial number. This identifier serves as a unique ID when communicating to its command and control (C2) server. The C2 domain is usually found hard-coded in the shellcode.
Figure 6: Hard-coded domain observed in a SNOWYDRIVE variant
The backdoor supports the following commands:
Maintain Presence
The registry value HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ushsguaei1hgba is used for persistence. It stores the path of Silverlight.Configuration.exe.
Lateral Movement
The malware copies itself to removable drives that are plugged into an infected system. It creates the folder “<drive_root>\Kaspersky\Usb Drive\3.0” on the removable drive and copies the encrypted files that contain the malicious components. An executable is extracted from the file “aweu23jj46jm7dc” and written to <drive_root>\<volume_name> .exe, which is responsible for extracting and executing the content of the encrypted files.
Outlook and Implications
Mandiant's investigation and research identified local print shops and hotels as potential hotspots for infection. While some threat actors targeted specific industries or regions, Campaign 22-054 appears to be more opportunistic in nature. This campaign may be part of a long-term collection objective or a later-stage follow-up for subjects of interest to state-sponsored threat actors.
Organizations should prioritize implementing restrictions on access to external devices such as USB drives. If this is not possible, they should at least scan these devices for malicious files or code before connecting them to their internal networks.
YARA Rules
SOGU
SOGU is a backdoor written in C. The network protocol varies between samples and may include HTTP, HTTPS, a custom binary protocol over TCP or UDP, and ICMP. Supported commands include file transfer, file execution, remote desktop, screenshot capture, reverse shell, and keylogging.
rule M_Code_SOGU
{
meta:
author = "Mandiant"
description = "Hunting rule for SOGU"
sha256 = "8088b1b1fabd07798934ed3349edc468062b166d5413e59e78216e69e7ba58ab"
strings:
$sb1 = { 8B [2] C7 ?? 01 03 19 20 8B [2] C7 ?? 04 01 10 00 00 8B [2] C7 ?? 08 00 00 00 00 8B [2] C7 ?? 0C 00 00 00 00 0F B7 }
$sb2 = { 8B ?? 0C C7 ?? 01 03 19 20 8B ?? 0C C7 ?? 04 00 10 00 00 6A 40 E8 [4] 83 C4 04 8B ?? 0C 89 ?? 08 8B ?? 0C C7 ?? 0C 00 00 00 00 C7 [2] 00 00 00 00 EB 09 8B [2] 83 ?? 01 89 [2] 8B ?? 0C 8B [2] 3? ?? 08 7? ?? 68 FF 00 00 00 E8 [4] 83 C4 04 8B [2] 03 [2] 88 ?? 10 EB D4 }
condition:
(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x010B) and all of them
}
FROZENHILL
FROZENHILL is a launcher written in C++ that is configured to utilize existing files for execution and also infects newly attached storage volumes with additional malware.
rule M_Code_FROZENHILL
{
meta:
author = "Mandiant"
description = "Hunting rule for FROZENHILL"
sha256 = "89558b4190abcdc1a2353eda591901df3bb8856758f366291df85c5345837448"
strings:
$str1 = "path_symantec" ascii
$str2 = "symantec_dir" ascii
$str3 = "name_svchost" ascii
$str4 = "run_cmd" ascii
$str5 = "usb_dll_name" ascii
$str6 = "name_mutex" ascii
$str7 = "cmd /c \"%s\" %d" wide
$str8 = { 8B 85 [4] 83 ?? 01 89 85 [4] 8B 85 [4] 3B 45 0C 74 ?? 8B 45 ?? 03 85 [4] 0F B6 08 33 8D [4] 81 E1 [4] 8B 95 [4] C1 EA ?? 33 94 8D [4] 89 95 [4] EB }
condition:
uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of them
}
ZIPZAG
ZIPZAG is an in-memory dropper written in C++ that is configured to overwrite portions of the loading process with shellcode and transfer execution back to the process for execution.
rule M_Code_ZIPZAG
{
meta:
author = "Mandiant"
description = "Hunting rule for ZIPZAG"
sha256 = "8a968a91c78916a0bb32955cbedc71a79b06a21789cab8b05a037c8f2105e0aa"
strings:
$str1 = { C6 45 ?? 55 C6 45 ?? 8B C6 45 ?? EC C6 45 ?? 81 C6 45 ?? EC C6 45 ?? 08 C6 45 ?? 01 C6 45 ?? 00 C6 45 ?? 00 C6 45 ?? C7 C6 45 ?? 45 C6 45 ?? FC C6 45 ?? 78 C6 45 ?? 56 C6 45 ?? 34 C6 45 ?? 12 C6 45 ?? 68 C6 45 ?? 04 C6 45 ?? 01 C6 45 ?? 00 C6 45 ?? 00 C6 45 ?? 8D C6 45 ?? 85 C6 45 ?? F8 C6 45 ?? FE C6 45 ?? FF C6 45 ?? FF C6 45 ?? 50 C6 45 ?? FF C6 45 ?? 75 C6 45 ?? FC C6 45 ?? B8 C6 45 ?? 79 C6 45 ?? 56 C6 45 ?? 34 C6 45 ?? 12 C6 45 ?? FF C6 45 ?? D0 C6 45 ?? FF C6 45 ?? 75 C6 45 ?? FC C6 45 ?? B8 C6 45 ?? 7A C6 45 ?? 56 C6 45 ?? 34 C6 45 ?? 12 C6 45 ?? FF C6 45 ?? D0 C6 45 ?? 8D C6 45 ?? 85 C6 45 ?? F8 C6 45 ?? FE C6 45 ?? FF C6 45 ?? FF C6 45 ?? 50 C6 45 ?? B8 C6 45 ?? 7B C6 45 ?? 56 C6 45 ?? 34 C6 45 ?? 12 C6 45 ?? FF C6 45 ?? D0 C6 45 ?? C9 C6 45 ?? C3 }
$str2 = "shellcode_size" ascii
condition:
uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of them
}
SNOWYDRIVE
SNOWYDRIVE is a shellcode-based backdoor that communicates via a custom binary protocol over TCP. Supported commands include reverse shell creation, file transfer, file deletion, and disk enumeration.
Indicators of Compromise
About Managed Defense Hunting
Cyber security hunting missions are a way to look for security breaches that bypass an organization's security controls. Managed Defense hunting missions based on Mandiant’s real-time intelligence mapped to the MITRE ATT&CK framework.
Find out more about Managed Defense.
About Threat Campaigns
Greater visibility into attacker operations: Threat Campaigns provides you with detailed information about active campaigns, including the tactics, techniques, and infrastructure used by attackers. This information can help you identify new threats and vulnerabilities, and prioritize your defensive actions.
Find out more about Threat Campaigns.
Mandiant Security Validation Actions
Mandiant Advantage Security Validation can automate the following process to give you real data on how your security controls are performing against these threats.
The following table is a subset of MSV actions for one of the malware variants. Find out more about Mandiant Security Validation.
Acknowledgements
This blog post is dedicated to the analysts in the Managed Defense team for their tireless work to develop new ways in defending our clients around the clock.
Special thanks to Matt Williams for his assistance in analyzing the malware samples and Matthew Hoerger and Lexie Aytes for creating the Mandiant Security Validation (MSV) actions. Martin Co for his inputs and review of this blog post.