SecurityWeek

Cyberwarfare

17 Malware Frameworks Target Air-Gapped Systems for Espionage

An analysis of 17 espionage frameworks designed to target air-gapped networks shows that all of them leverage USB drives and all target Windows exclusively, ESET reports.

The 17 frameworks span roughly 15 years of activity, but four of them surfaced in the year before the report, a sign of growing interest among threat actors in isolated systems. ESET limited the study to sets of malware components that work together to form an offline, covert communication channel between an air-gapped network and the attacker.

Air-gapped networks exist to protect highly sensitive data, which makes them attractive to well-resourced, highly motivated adversaries such as nation states, the actors most able to mount the multi-stage operations these isolated systems require.

In fact, some of these have been attributed with high confidence to nation-state threat actors, such as DarkHotel (the Retro and Ramsay frameworks), Sednit (USBStealer), Tropic Trooper (USBFerry), Equation Group (Fanny), Goblin Panda (USBCulprit), and Mustang Panda (PlugX).

Attribution of Flame, miniFlame, Gauss, Agent.BTZ, ProjectSauron, Stuxnet, and USBThief has not been as straightforward (Agent.BTZ is believed to belong to Turla's toolset), while the frameworks documented in the Vault7 leaks (Brutal Kangaroo, Emotional Simian, and EZCheese) have not been observed in the wild.

Comparing the frameworks, ESET found consistent traits: all target Windows, all serve some form of espionage, and most rely on malicious LNK shortcuts or autorun files planted on USB drives for initial compromise of the air-gapped side or for lateral movement inside it.

“Despite the variety of threat actors behind these frameworks, all of them shared a common purpose: espionage. Even Stuxnet, best known for its sabotage capabilities, collected information about Siemens Simatic Step 7 engineering software projects found in compromised machines,” ESET notes.

Stuxnet has long been described as the first malware to target air-gapped systems, but a sample of Sednit's USBStealer has been dated to 2005, which would make it the earliest known framework of this kind. USBStealer was not publicly documented until 2014, nine years later.

Malware targeting air-gapped systems

Most of the frameworks appear to go inactive shortly after public disclosure, ESET says, most likely because their operators retired them. ESET raises an alternative explanation, however: anti-malware products on air-gapped systems are often not kept up to date, so newer versions of a framework may never have received detections there and could still be operating unnoticed.

ESET describes some of the frameworks as connected, because they rely on a compromised Internet-connected computer to weaponize USB drives that are then carried to the air-gapped network. The payload that runs on the air-gapped machine harvests information and writes it back to the same USB drive; when the drive is next inserted into the compromised connected host, the malware there collects the data and sends it to the attacker.

Some of the connected frameworks implement a two-way protocol over the drive: commands are staged on it by the connected side and picked up by the malware running inside the air-gapped network, with results returned the same way.

In the remaining frameworks, a human operator on the ground performs the connected system's role by hand: installing the malware onto the USB drive, infecting the air-gapped network, extracting the stolen data from the drive, and placing commands for the air-gapped side on it.

ESET found no evidence that any of these frameworks used "covert physical transmission mediums, such as acoustic or electromagnetic signals": every channel observed ran over removable media.

The initial compromise of the connected side was achieved in a variety of ways across the frameworks: spear-phishing emails carrying malicious attachments, spear-phishing emails exploiting zero-day vulnerabilities, other exploits, the malware's own worm-like propagation, and installation by a separate malicious component already present on the host.

On the air-gapped side, the malware is typically installed through malicious LNK files that exploit vulnerabilities in the Windows Shell's handling of shortcuts, such as CVE-2010-2568 and CVE-2017-8464 (and potentially CVE-2015-0096, which bypassed the original CVE-2010-2568 fix). These bugs are triggered when Explorer renders the shortcut's icon, so simply opening the drive in a file browser is enough; no click on the shortcut is needed. Over the past 10 years, Microsoft has addressed roughly a dozen LNK flaws leading to remote code execution.

The malware may also be launched automatically through AutoRun/AutoPlay (which Microsoft disabled by default for non-optical removable media in 2011, so this path mostly affects unpatched or legacy systems), by tricking a user into opening a file that looks like a document or folder, or by a human actor who deliberately runs it.

Some of the frameworks establish persistence on the air-gapped systems and accept commands from the attacker; others run only in memory, long enough to collect and stage data for exfiltration.

The purpose of every framework is espionage: gathering and exfiltrating system information (computer name, username, domain name, directory and process listings), performing network reconnaissance, searching for specific files to steal, and taking screenshots at set intervals. Lateral movement inside the air-gapped network was achieved either through infected USB drives or over the network itself.

Protecting air-gapped networks therefore comes down to detecting and blocking the activities these frameworks depend on. The mitigations ESET lists are disabling direct email access on connected systems, disabling USB ports on air-gapped systems, sanitizing every USB drive before it is inserted into an air-gapped system, preventing execution from removable drives, and keeping air-gapped systems patched at all times (the LNK vulnerabilities above are exactly the kind of bug an unpatched isolated host remains exposed to).
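The USB-side primitives described above (autorun.inf launch keys and LNK shortcuts that start code) and the drive-sanitizing mitigation both reduce to one question: what would this drive execute if it were plugged into a Windows host? The following Python is an added example, not ESET's or SecurityWeek's code. It parses the Shell Link header and StringData per MS-SHLLINK (skipping the optional LinkTargetIDList and LinkInfo blocks by their stored sizes, so it handles real shortcuts as well as the minimal ones it builds), reads the launch keys of autorun.inf, and flags entries that would run a program. The sample drive contents, the file names such as `loader.dat` and `update.exe`, and the LOLBin and extension lists are constructed for the demo and should be tuned to your environment.

```python
from __future__ import annotations

import configparser
import os
import struct
import tempfile
from pathlib import Path

# Shell Link header constants from MS-SHLLINK section 2.1
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_DATA_ORDER = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location"))

# Hypothetical policy lists for this example; tune them to your environment.
LOLBINS = {"cmd.exe", "rundll32.exe", "powershell.exe", "wscript.exe",
           "cscript.exe", "mshta.exe", "regsvr32.exe", "msiexec.exe"}
EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta")


def parse_lnk(data: bytes) -> dict[str, str]:
    """Return the StringData fields of a Shell Link (target path, arguments, icon)."""
    if (len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]   # LinkFlags follows HeaderSize + CLSID
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:                # skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                         # skip LinkInfo by its LinkInfoSize
        pos += struct.unpack_from("<I", data, pos)[0]
    fields: dict[str, str] = {}
    for bit, name in STRING_DATA_ORDER:               # fixed order per the spec
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, not bytes
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252")
            pos += count
    return fields


def build_lnk(relative_path: str, arguments: str = "", icon: str = "") -> bytes:
    """Constructed fixture: a minimal Unicode LNK carrying only StringData."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH
    flags |= HAS_ARGUMENTS if arguments else 0
    flags |= HAS_ICON_LOCATION if icon else 0
    header = struct.pack("<I16sII", LNK_HEADER_SIZE, LNK_CLSID, flags, 0x80)  # FILE_ATTRIBUTE_NORMAL
    header += b"\x00" * 24                          # creation/access/write FILETIMEs
    header += struct.pack("<IIIH", 0, 0, 1, 0)      # FileSize, IconIndex, SW_SHOWNORMAL, HotKey
    header += b"\x00" * 10                          # Reserved1..3

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = string_data(relative_path)
    body += string_data(arguments) if arguments else b""
    body += string_data(icon) if icon else b""
    return header + body + struct.pack("<I", 0)     # TerminalBlock closes ExtraData


def scan_removable_root(root: Path) -> list[str]:
    """Flag autorun.inf launch keys and LNKs whose target or arguments start code."""
    findings: list[str] = []
    autorun = root / "autorun.inf"
    if autorun.is_file():
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        try:
            cp.read(autorun, encoding="latin-1")
        except configparser.Error:
            findings.append("autorun.inf present but unparseable")
        section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
        for key in ("open", "shellexecute"):        # the keys that launch a program
            if section and cp.has_option(section, key):
                findings.append(f"autorun.inf {key}={cp.get(section, key)}")
    for lnk in root.rglob("*"):
        if lnk.suffix.lower() != ".lnk" or not lnk.is_file():
            continue
        try:
            fields = parse_lnk(lnk.read_bytes())
        except (OSError, ValueError):
            continue
        target, args = fields.get("relative_path", ""), fields.get("arguments", "")
        exe = os.path.basename(target.replace("\\", "/")).lower()
        if exe in LOLBINS or exe.endswith(EXEC_EXT) or any(e in args.lower() for e in EXEC_EXT):
            findings.append(f"{lnk.relative_to(root)} -> {target} {args}".rstrip())
    return findings


def demo() -> list[str]:
    """Build a constructed sample drive in a temp directory and scan it."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "photos").mkdir()
    (root / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0")            # benign
    (root / "autorun.inf").write_text("[AutoRun]\nopen=.\\System\\update.exe\naction=Open folder\n")
    # Decoy shortcut that looks like a folder but loads a DLL via rundll32 (hypothetical names)
    (root / "Photos.lnk").write_bytes(build_lnk(".\\System\\rundll32.exe", ".\\System\\loader.dat,Run",
                                                "%SystemRoot%\\system32\\shell32.dll"))
    (root / "Readme.lnk").write_bytes(build_lnk(".\\docs\\readme.txt"))          # benign
    return scan_removable_root(root)


if __name__ == "__main__":
    for finding in demo():
        print("FLAG", finding)
```

Run it against the mount point of a drive on a non-Windows sanitizing station (where neither AutoRun nor the LNK icon-rendering bugs can fire) before the drive goes anywhere near the isolated network; the two findings it prints for the sample drive are the autorun `open=` key and the rundll32 shortcut, while the benign JPEG and the readme shortcut pass. The scanner looks only at what a drive declares it will execute; it does not replace patching the air-gapped hosts or blocking execution from removable media.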

“Despite the use of various techniques to breach the initial air-gapped system, to propagate inside the network or to exfiltrate stolen information, all the frameworks share one common goal: spy on their target. Discovering and analyzing this type of framework poses unique challenges. They sometimes are composed of multiple components that all have to be analyzed together in order to have the complete picture of how the attacks are really being carried out,” ESET concludes.

Related: Bridging the Air Gap: Examining Attack Vectors into Industrial Control Systems

Written By

Ionut Arghire is an international correspondent for SecurityWeek.