In a surprising turn of events, the first half of 2023 has seen a threefold surge in USB Drive Malware. This resurgence of an old method indicates that cyber attackers are resorting to proven techniques. A recent Mandiant report highlights two distinct USB-driven malware campaigns, ‘ Sogu’ and ‘Snowydrive.’
An Overview of Recent USB Drive Malware Campaigns
In November 2022, Mandiant identified a China-based campaign that exploited USB devices to distribute malware in the Philippines. This trend persisted in January 2023 when the Palo Alto Network’s Unit 42 team discovered a PlugX variant capable of hiding in USB drives and infiltrating connected Windows hosts.
The Sogu Campaign
Identified as the most aggressive USB-aided cyber espionage campaign, Sogu targets various global industries, aiming to exfiltrate data from infected systems. The countries affected include the United States, France, the UK, Italy, Poland, Austria, Australia, Switzerland, China, Japan, Ukraine, Singapore, Indonesia, and the Philippines. Predominantly, victims are from the pharmaceutical, IT, energy, communications, health, and logistics sectors.
The ‘Korplug’ payload, deployed by Sogu, involves tricking victims into running a legitimate file, which loads the malware into the memory. By creating a registry Run key and using the Windows Task Scheduler, Sogu ensures regular operation. The malware then scans the infected machine for potentially valuable data and copies files to two directories, which are subsequently encrypted.
The collected data is exfiltrated to the command and control (C2) server using HTTP or HTTPS requests. In addition, Sogu can execute commands, initiate remote desktops, capture screenshots, set up a reverse shell, or perform keylogging. Moreover, connected drives receive a copy of Sogu’s initial compromise file set, facilitating lateral movement.
The Snowydrive Campaign
The Snowydrive campaign involves a backdoor. It allows attackers to execute arbitrary payloads, modify the registry, and perform file and directory actions. Like Sogu, victims are tricked into executing a seemingly legitimate file on a USB drive, setting the malware in motion.
The backdoor, loaded into the process of ‘CUZ.exe,’ facilitates file operations, data exfiltration, reverse shell, command execution, and reconnaissance. For evasion, the malware employs a malicious DLL, sideloaded by ‘GUP.exe,’. It is to conceal file extensions and specific system or hidden files.
The Persistence of USB Drive Malware Attacks
USB attacks continue to be popular in 2023 despite requiring physical access, thanks to their unique advantages. They can bypass security mechanisms. And remain stealthy, gain initial access to corporate networks, and even infect isolated air-gapped systems for security purposes. Mandiant’s findings suggest that infection hotspots for USB malware include print shops and hotels. However, the nature of these backdoors implies that any system with a USB port could be targeted.
