Attackers Using USB Malware to Steal Data From Air-Gapped Networks

Cyber Espionage Group Uses USB Malware to Steal Data From Closed Networks

Researchers from security firm ESET have analyzed a malicious tool used by a notorious cyber espionage group to steal valuable information from air-gapped networks.

Isolating a sensitive computer network from the Internet can be an efficient security measure, but threat actors have found ways to get around it. A group believed to be linked to the Russian government, know as “Sednit,” “APT28” and “Sofacy,” appears to have developed the tools necessary to achieve this task.

In a recent report on the attacks launched by APT28 against European governments, militaries and security organizations, FireEye revealed that one of the tools used by the group is a modular family of implants called CHOPSTICK. Researchers identified one variant of CHOPSTICK that defeats closed networks by routing messages between local directories, the registry and USB drives.

One such tool used by the threat group was analyzed by ESET. Dubbed Win32/USBStealer, the malware has been used since at least 2005 in campaigns against government organizations in Eastern Europe, researchers said. There are several variants of this threat, but the security firm has focused on analyzing the most sophisticated one.

According to ESET, the USBStealer dropper initially infects a computer within the targeted organization that’s connected to the Internet (Computer A). The dropper is disguised as a legitimate Russian application called USB Disk Security.

The dropper monitors the infected device for removable drives. When a removable drive is detected, the malware is copied onto it, and its Autorun file is modified so that USBStealer is executed when the drive is inserted on a different computer. In this phase, the malware also marks the USB drive as having been used on a machine with an Internet connection.

Once the infected drive is connected to an air-gapped computer (Computer B), the malware is transferred onto it. The machine’s name is registered on the removable drive, a process which enables the attackers to map the devices they can reach.

The attack only works if Autorun is enabled on the targeted computer. The feature was deactivated by Microsoft in 2009 with the release of a Windows update, but experts say the method could still work considering that air-gapped devices are in many cases out of date due to the lack of an Internet connection.

When the USB drive is once again connected to Computer A, the malware operator drops a series of data exfiltration commands onto it. These commands will be executed as soon as the drive is connected again to Computer B.

The malware is interested in files used by cryptographic applications, and files that appear to be associated with private software. The threat searches for files of interest everywhere on the infected machine, but it avoids folders created by various antiviruses.

Once the stolen files are transferred back to Computer A, the attackers need to use a different piece of malware to copy the data to their own servers because USBStealer doesn’t have such capabilities, ESET noted.

Researchers say it’s uncertain how the initial infection occurs, but a likely attack vector is spear phishing. FireEye has identified a spear phishing campaign that uses the USB Disk Security application as a lure.

Related: “AirHopper” Malware Uses Radio Signals to Steal Data from Isolated Computers