Attackers Using USB Malware to Steal Data From Air-Gapped Networks

Cyber Espionage Group Uses USB Malware to Steal Data From Closed Networks

Researchers from security firm ESET have analyzed a malicious tool used by a notorious cyber espionage group to steal valuable information from air-gapped networks.

Isolating a sensitive computer network from the Internet can be an efficient security measure, but threat actors have found ways to get around it. A group believed to be linked to the Russian government, known as “Sednit,” “APT28” and “Sofacy,” appears to have developed the tools necessary to achieve this task.

In a recent report on the attacks launched by APT28 against European governments, militaries and security organizations, FireEye revealed that one of the tools used by the group is a modular family of implants called CHOPSTICK. Researchers identified one variant of CHOPSTICK that defeats closed networks by routing messages between local directories, the registry and USB drives.

One such tool used by the threat group was analyzed by ESET. Dubbed Win32/USBStealer, the malware has been used since at least 2005 in campaigns against government organizations in Eastern Europe, researchers said. There are several variants of this threat, but the security firm has focused on analyzing the most sophisticated one.

According to ESET, the USBStealer dropper initially infects a computer within the targeted organization that’s connected to the Internet (Computer A). The dropper is disguised as a legitimate Russian application called USB Disk Security.

The dropper monitors the infected device for removable drives. When a removable drive is detected, the malware is copied onto it, and its Autorun file is modified so that USBStealer is executed when the drive is inserted on a different computer. In this phase, the malware also marks the USB drive as having been used on a machine with an Internet connection.

Once the infected drive is connected to an air-gapped computer (Computer B), the malware is transferred onto it. The machine’s name is registered on the removable drive, a process which enables the attackers to map the devices they can reach.

The attack only works if Autorun is enabled on the targeted computer. The feature was deactivated by Microsoft in 2009 with the release of a Windows update, but experts say the method could still work considering that air-gapped devices are in many cases out of date due to the lack of an Internet connection.
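Because the technique depends on Autorun, defenders can check both halves of that condition: whether a removable drive carries launch entries in its autorun.inf, and whether the host's `NoDriveTypeAutoRun` policy value (under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer`) still allows AutoRun for removable drives. The following is an added example, not code from ESET or SecurityWeek; the function names and the sample autorun.inf are constructed for illustration.

```python
"""Triage a removable drive's autorun.inf against the host's AutoRun policy value."""

# [autorun] keys that launch a program or register a launch verb on the drive
EXEC_KEYS = {"open", "shellexecute"}
DRIVE_REMOVABLE = 0x04  # NoDriveTypeAutoRun bit covering removable drives

# Constructed sample for illustration; not taken from the ESET analysis.
SAMPLE_INF = """\
[autorun]
; comment line
icon=drive.ico
label=Backup
open=tool.exe
shell\\open\\command=tool.exe
"""


def autorun_exec_entries(inf_text):
    """Return (key, command) pairs in [autorun] that would start a program."""
    entries, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue  # other sections and padding lines are ignored
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            entries.append((key, value))
    return entries


def autorun_on_for_removable(policy_value):
    """NoDriveTypeAutoRun is a bitmask: a set bit turns AutoRun off for that drive type."""
    return not (policy_value & DRIVE_REMOVABLE)


def drive_would_autorun(inf_text, policy_value):
    """True when the drive has launch entries and the policy value does not block them."""
    return bool(autorun_exec_entries(inf_text)) and autorun_on_for_removable(policy_value)


if __name__ == "__main__":
    for key, cmd in autorun_exec_entries(SAMPLE_INF):
        print(f"launch entry: {key} -> {cmd}")
    print("policy 0x91:", drive_would_autorun(SAMPLE_INF, 0x91))
    print("policy 0xFF:", drive_would_autorun(SAMPLE_INF, 0xFF))
```

The check covers the policy value only; it is most useful on isolated machines that never received the Windows update mentioned above.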

When the USB drive is once again connected to Computer A, the malware operator drops a series of data exfiltration commands onto it. These commands will be executed as soon as the drive is connected again to Computer B.

The malware is interested in files used by cryptographic applications, and files that appear to be associated with private software. The threat searches for files of interest everywhere on the infected machine, but it avoids folders created by various antiviruses.

Once the stolen files are transferred back to Computer A, the attackers need to use a different piece of malware to copy the data to their own servers because USBStealer doesn’t have such capabilities, ESET noted.

Researchers say it’s uncertain how the initial infection occurs, but a likely attack vector is spear phishing. FireEye has identified a spear phishing campaign that uses the USB Disk Security application as a lure.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
