Summary:
Researchers have witnessed a significant rise in malware distributed through USB drives in the first half of 2023. Two notable campaigns, Sogu and Snowydrive, have been identified. Sogu, attributed to the Chinese group TEMP.HEX, is a highly aggressive cyber-espionage campaign targeting industries worldwide, with victims in various countries. Snowydrive, attributed to UNC4698, focuses on oil and gas firms in Asia. The campaigns aim to steal sensitive data from infected computers. These findings underscore the growing threat of USB-delivered malware.
The Sogu infection chain uses a loader known as 'Korplug' that loads the Sogu shellcode (written in C) into memory. The loader is a DLL picked up through DLL search-order hijacking, so the chain only starts once the victim is tricked into running a legitimate, benign-looking executable from the drive. For persistence, Sogu creates a registry Run key and a Windows Task Scheduler task so that it is executed at regular intervals. For reconnaissance it drops a batch file into a 'RECYCLE.BIN' directory that searches the host for MS Office documents, PDFs and other text files likely to contain valuable data. Matching files are copied to staging directories on the host's C: drive and to the working directory on the flash drive, base64-encoded (an encoding, not encryption, so staged data is trivially recoverable by anyone who finds it) and eventually exfiltrated to the command-and-control (C2) server over TCP or UDP, or via HTTP or HTTPS requests. Sogu also supports command execution, file execution, remote desktop, screenshot capture, reverse shell and keylogging. Every drive subsequently connected to an infected system receives a copy of Sogu's initial compromise files, so the malware spreads to whichever host the drive is plugged into next.
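The staging layout described above (a fake 'RECYCLE.BIN' working directory, base64-encoded collection files, an executable at the drive root with a DLL beside it for the side-load) can be triaged offline once a suspect drive or its image is mounted. The following is an added example, not code from the original report or from either campaign; the folder names 'RECYCLE.BIN' and 'Kaspersky' (the lure folder mentioned for Snowydrive below) come from the text, while the file names in the sample tree, the size cap and the base64 length threshold are assumptions for illustration.

```python
"""Offline triage of a removable drive for the staging and propagation
artefacts described above. Added example, not code from the original
report or from either campaign.

What it checks, each derived from the text's description and nothing more:
  * a directory literally named 'RECYCLE.BIN' holding scripts or executables
    (Windows' own bin is '$RECYCLE.BIN', so the name alone is suspicious);
  * an executable at the drive root with a DLL beside it, the layout a
    DLL search-order hijack / side-load needs;
  * executables inside a folder named 'Kaspersky', the lure folder named above;
  * non-executable files whose whole content is one base64 blob, i.e. staged,
    encoded collection waiting for exfiltration.
File names in the sample tree are constructed for illustration.
"""
import base64
import os
import re
import tempfile
from pathlib import Path

EXEC_EXT = {".exe", ".dll", ".bat", ".cmd", ".scr", ".com"}
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
MAX_SCAN_BYTES = 16 * 1024 * 1024  # assumption: skip huge files for the base64 check


def looks_base64(data: bytes, min_len: int = 64) -> bool:
    """True if the whole body is one unbroken base64 string that decodes cleanly."""
    body = data.strip()
    if len(body) < min_len or len(body) % 4 or not B64_RE.match(body):
        return False
    try:
        base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def triage_usb_root(root) -> list:
    """Walk a mounted drive (or an image extracted to a folder) and return
    (indicator, relative_path) pairs for every heuristic that fires."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        rel = d.relative_to(root)
        exts = {Path(f).suffix.lower() for f in files}
        # Fake recycle bin used as the malware's working directory.
        if d.name.upper() == "RECYCLE.BIN" and exts & EXEC_EXT:
            findings.append(("fake_recycle_bin", str(rel)))
        # Lure folder named after a security product.
        if d.name.lower() == "kaspersky" and exts & EXEC_EXT:
            findings.append(("lure_folder", str(rel)))
        # Launcher EXE with a DLL next to it: the side-loading / search-order setup.
        if d == root and ".exe" in exts and ".dll" in exts:
            for f in files:
                if f.lower().endswith(".exe"):
                    findings.append(("root_exe_with_sideload_dll", f))
        # Staged collection: a non-executable file that is nothing but base64.
        for f in files:
            p = d / f
            if (p.suffix.lower() not in EXEC_EXT
                    and p.stat().st_size <= MAX_SCAN_BYTES
                    and looks_base64(p.read_bytes())):
                findings.append(("base64_blob", str(p.relative_to(root))))
    return findings


def build_sample_drive() -> Path:
    """Constructed sample layout for offline testing; contains no real malware."""
    root = Path(tempfile.mkdtemp(prefix="usb_triage_"))
    (root / "Photos.exe").write_bytes(b"MZ placeholder for a legitimate launcher")
    (root / "launcher.dll").write_bytes(b"MZ placeholder for the side-loaded DLL")
    (root / "readme.txt").write_text("Holiday pictures 2023\n")
    (root / "RECYCLE.BIN").mkdir()
    (root / "RECYCLE.BIN" / "recon.bat").write_text("dir /s /b *.doc* *.pdf\n")
    staged = base64.b64encode(b"pipeline throughput figures, internal only. " * 4)
    (root / "RECYCLE.BIN" / "0001.dat").write_bytes(staged)
    (root / "Kaspersky").mkdir()
    (root / "Kaspersky" / "update.exe").write_bytes(b"MZ")
    return root


if __name__ == "__main__":
    for indicator, path in sorted(triage_usb_root(build_sample_drive())):
        print(f"{indicator:28s} {path}")
```

On a real drive run `triage_usb_root` against the mount point; every hit is a lead to pull the file for analysis, not a verdict, since a legitimate installer can also ship an EXE next to its DLLs.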
The Snowydrive campaign installs a backdoor that lets the attackers run arbitrary payloads through the Windows command prompt, modify the registry, and perform file and directory operations. As with Sogu, the victim is deceived into launching a seemingly legitimate executable on the USB drive, which extracts and runs malware components stored in a folder named 'Kaspersky' on the drive. Each component has a specific role: establishing persistence, evading detection, dropping the backdoor, and copying the malware onto newly connected USB drives so it keeps propagating. The backdoor itself is shellcode loaded into the process of 'CUZ.exe,' a legitimate archive-extraction utility, and supports commands for file operations, data exfiltration, reverse shell, command execution and reconnaissance. For evasion, a malicious DLL side-loaded by 'GUP.exe,' the legitimate Notepad++ updater, hides file extensions and hides files marked 'system' or 'hidden' from the user, so the dropped components stay out of sight and a double-extension lure is shown as an ordinary document.
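The file-hiding described above maps onto Windows Explorer's folder-view settings, which are stored per user in the registry and can be audited from a `reg export` taken during triage. The following is an added example, not code from the original report. The key path and value names are Windows' standard Explorer settings; that Snowydrive writes exactly these values is an assumption, and the export text is constructed.

```python
"""Audit an exported Explorer 'Advanced' registry key for the view settings
that hide file extensions and hidden/system files, the effect the Snowydrive
description above attributes to the GUP.exe side-loaded DLL. Added example,
not code from the original report. The key path and value names are Windows'
standard Explorer folder-view settings; that the campaign writes exactly these
values is an assumption, and the export text below is constructed.

Read a real export with open(path, encoding="utf-16") (regedit writes UTF-16).
"""
import re

ADVANCED_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
                r"\CurrentVersion\Explorer\Advanced")

# value name -> (value that keeps things visible, what the hiding state means)
VISIBLE = {
    "HideFileExt": (0, "extensions hidden, so lure.pdf.exe is shown as lure.pdf"),
    "Hidden": (1, "files with the hidden attribute are not shown"),
    "ShowSuperHidden": (1, "files with the system attribute are not shown"),
}

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')
STRING_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str, wanted_key: str) -> dict:
    """Return {value_name: value} for one key of a regedit export.
    dword values become int; strings stay str; other types are skipped."""
    values, in_key = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            in_key = m.group(1).lower() == wanted_key.lower()
            continue
        if not in_key or not line or line.startswith(";"):
            continue
        m = DWORD_RE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2), 16)
            continue
        m = STRING_RE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def audit_explorer_hiding(values: dict) -> list:
    """Return (name, current, reason) for each setting in the hiding state.
    A missing value means the Windows default applies, which is the hiding
    state for all three, so it is reported as well."""
    findings = []
    for name, (visible_value, reason) in VISIBLE.items():
        current = values.get(name)
        if current != visible_value:
            findings.append((name, current, reason))
    return findings


# Constructed export: the Advanced key after extensions and hidden/system
# files have been switched off, plus an unrelated key to be ignored.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
"Start_TrackDocs"=dword:00000001
"""

if __name__ == "__main__":
    for name, current, reason in audit_explorer_hiding(
            parse_reg_export(SAMPLE_REG, ADVANCED_KEY)):
        print(f"{name}={current}: {reason}")
```

One caveat: HideFileExt=1, Hidden=2 and ShowSuperHidden=0 are also the Windows defaults, so on an unmanaged host these findings say nothing about infection. The audit earns its keep where the visible state is enforced (for example by group policy); a host that has reverted to the hiding state after enforcement is then a hunt lead worth correlating with a recent USB insertion.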
USB attacks require physical access to the target computer, but they offer advantages that keep them relevant in 2023: they bypass network perimeter controls, they are stealthy, they provide initial access to corporate networks, and they can reach air-gapped systems that are deliberately isolated from untrusted networks. The rising prevalence of USB-delivered malware underscores the need for organizations to educate users about the risks of unknown USB devices, deploy endpoint protection, and keep software patched. Note, however, that neither campaign described here exploits a software vulnerability: both depend on a user launching a file from the drive and on a legitimate, trusted executable loading a malicious DLL. Patching alone therefore does little against them; device control that blocks or allow-lists removable storage, and detection of DLL side-loading by known-good binaries, address the technique actually in use.
Threat Profile:

References:
The following reports contain further technical details: