During the initial half of 2023, a notable surge occurred in attacks exploiting infected USB drives for secret theft.

While the USB-based operation campaigns caused most incidents, impacting both public and private sectors worldwide.

Cybersecurity analysts at Mandiant Managed Defense recently observed two cyber espionage campaigns that are based on USB flash drives. 

Security researchers dubbed the two campaigns as:-

• SOGU Malware Infection
• SNOWYDRIVE Malware Infection

We have provided comprehensive information about two USB-based attacks that hackers are currently using to target both public and private organizations.

SOGU Malware Infection

This USB-based cyber espionage attack is highly widespread, targeting public and private sectors globally, making it one of the most aggressive campaigns across industries.

SOGU malware loaded via USB flash drives that steal sensitive information linked to China’s TEMP.Hex actor, likely driven by national security and economic motives, reads the report.

In Europe, Asia, and the United States, there are various industries face risks from these operations, and here they are mentioned below:-

• Construction
• Engineering
• Business services
• Government
• Health
• Transportation
• Retail
• Entertainment
• Manufacturing
• Education
• Finance
• Logistic
• Non-Proit
• Media
• Communications
• IT
• Energy
• Pharmaceutical

The infected USB flash drive acts as the initial infection vector, housing multiple malicious software triggering DLL hijacking to load a malicious payload into memory.

There are three files that the complete infection chain contains and here they are mentioned below:- 

• A legitimate executable
• A malicious DLL loader
• An encrypted payload 

Upon running the legitimate executable, it side-loads the KORPLUG DLL, initiating the execution of decrypted shellcode (.dat file) associated with the SOGU backdoor, identified by Mandiant.

After dropping a batch file on the RECYCLE.BIN path, the infection proceeds with host reconnaissance, storing the results in a file named “sys.info” (decoded from Base64 as c3lzLmluZm8).

The malware disguises itself as a genuine program by creating a hidden directory to ensure its continued presence on the system.

To communicate with its command and control server, during the final attack stage, the malware exfiltrates staged data via the following custom binary protocols over TCP/UDP, ICMP:-

• HTTP
• HTTPS

SNOWYDRIVE Malware Infection

Using USB flash drives, this campaign deploys SNOWYDRIVE malware, establishing a host backdoor for remote command execution, while also infecting other flash drives and spreading across the network.

UNC4698, an oil-focused cyber threat, was identified as a campaign source by Mandiant. This campaign was detected for the first time during the Windows Explorer process execution hunt, revealing suspicious folder path (e.g., “F:”) often linked to USB drive malware execution.

As the initial infection vector, the infected USB flash drive is used, and the victim is enticed to click on the malicious file disguised as a legit executable, triggering the malicious executions for the attacker’s objectives.

SNOWYDRIVE Malware Infection Chain (Source – Mandiant)

The infection chain begins with an executable dropper that writes and launches malicious files. The extracted executables and DLLs from the encrypted files are written to the specified directory:-

• C:\Users\Public\SymantecsThorvices\Bin

There are four components that comprise these files, which are loaded through DLL search order hijacking, with each containing a legitimate executable and a malicious DLL.

SNOWYDRIVE backdoor generates a unique ID from system info for C2 communication, with a hard-coded domain in shellcode. While the persistence is achieved through the “KCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ushsguaei1hgba” registry value storing the “Silverlight.Configuration.exe” path.

Malware duplicates onto plugged-in removable drives, forming “<drive_root>\Kaspersky\Usb Drive\3.0” folder and storing encrypted malicious files. Extracted executable “aweu23jj46jm7dc” writes to <drive_root><volume_name>.exe, handling decryption and execution of file contents.

Organizations are strongly urged to prioritize access restrictions on external devices, like USB drives, or conduct thorough scans for malicious files prior to the network connection.