Thursday, February 22, 2024

Hackers Leverage USB Flash Drives to Attack Public and Private Sectors Globally

During the initial half of 2023, a notable surge occurred in attacks exploiting infected USB drives for secret theft.

While the USB-based operation campaigns caused most incidents, impacting both public and private sectors worldwide.

Cybersecurity analysts at Mandiant Managed Defense recently observed two cyber espionage campaigns that are based on USB flash drives. 

Security researchers dubbed the two campaigns as:-

  • SOGU Malware Infection
  • SNOWYDRIVE Malware Infection

We have provided comprehensive information about two USB-based attacks that hackers are currently using to target both public and private organizations.

SOGU Malware Infection

This USB-based cyber espionage attack is highly widespread, targeting public and private sectors globally, making it one of the most aggressive campaigns across industries.

SOGU malware loaded via USB flash drives that steal sensitive information linked to China’s TEMP.Hex actor, likely driven by national security and economic motives, reads the report.

In Europe, Asia, and the United States, there are various industries face risks from these operations, and here they are mentioned below:-

  • Construction
  • Engineering
  • Business services
  • Government
  • Health
  • Transportation
  • Retail
  • Entertainment
  • Manufacturing
  • Education
  • Finance
  • Logistic
  • Non-Proit
  • Media
  • Communications
  • IT
  • Energy
  • Pharmaceutical
Geographic distribution (Source – Mandiant)

The infected USB flash drive acts as the initial infection vector, housing multiple malicious software triggering DLL hijacking to load a malicious payload into memory.

SOGU Malware Infection Chain (Source – Mandiant)

There are three files that the complete infection chain contains and here they are mentioned below:- 

  • A legitimate executable
  • A malicious DLL loader
  • An encrypted payload 

Upon running the legitimate executable, it side-loads the KORPLUG DLL, initiating the execution of decrypted shellcode (.dat file) associated with the SOGU backdoor, identified by Mandiant.

After dropping a batch file on the RECYCLE.BIN path, the infection proceeds with host reconnaissance, storing the results in a file named “” (decoded from Base64 as c3lzLmluZm8).

The malware disguises itself as a genuine program by creating a hidden directory to ensure its continued presence on the system.

To communicate with its command and control server, during the final attack stage, the malware exfiltrates staged data via the following custom binary protocols over TCP/UDP, ICMP:-

  • HTTP

SNOWYDRIVE Malware Infection

Using USB flash drives, this campaign deploys SNOWYDRIVE malware, establishing a host backdoor for remote command execution, while also infecting other flash drives and spreading across the network.

UNC4698, an oil-focused cyber threat, was identified as a campaign source by Mandiant. This campaign was detected for the first time during the Windows Explorer process execution hunt, revealing suspicious folder path (e.g., “F:”) often linked to USB drive malware execution.

As the initial infection vector, the infected USB flash drive is used, and the victim is enticed to click on the malicious file disguised as a legit executable, triggering the malicious executions for the attacker’s objectives.

SNOWYDRIVE Malware Infection Chain (Source – Mandiant)

The infection chain begins with an executable dropper that writes and launches malicious files. The extracted executables and DLLs from the encrypted files are written to the specified directory:-

  • C:\Users\Public\SymantecsThorvices\Bin

There are four components that comprise these files, which are loaded through DLL search order hijacking, with each containing a legitimate executable and a malicious DLL.

Execution chain  (Source – Mandiant)

SNOWYDRIVE backdoor generates a unique ID from system info for C2 communication, with a hard-coded domain in shellcode. While the persistence is achieved through the “KCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ushsguaei1hgba” registry value storing the “Silverlight.Configuration.exe” path.

Malware duplicates onto plugged-in removable drives, forming “<drive_root>\Kaspersky\Usb Drive\3.0” folder and storing encrypted malicious files. Extracted executable “aweu23jj46jm7dc” writes to <drive_root><volume_name>.exe, handling decryption and execution of file contents.

Organizations are strongly urged to prioritize access restrictions on external devices, like USB drives, or conduct thorough scans for malicious files prior to the network connection.


Latest articles

Leak of China’s Hacking Documentation Stunned Researchers

In a startling revelation that has sent shockwaves through the cybersecurity community, a massive...

Apex Code Vulnerabilities Let Hackers Steal Salesforce Data

Hackers target Apex code vulnerabilities in Salesforce to exploit security weaknesses, gain unauthorized access...

Beware of New AsukaStealer Steal Browser Passwords & Desktop Screens

An updated version of the ObserverStealer known as AsukaStealer was observed to be advertised as...

US to Pay $15M for Info About Lockbit Ransomware Operator Data

In a significant move against cybercrime, the U.S. government has announced a bounty of...

Earth Preta Hackers Abuses Google Drive to Deploy DOPLUGS Malware

Threat actors abuse Google Drive for several malicious activities due to its widespread use,...

Swiggy Account Hacked, Hackers Placed Orders Worth Rs 97,000

In a startling incident underscoring the growing menace of cybercrime, a woman's Swiggy account...

Beware of VietCredCare Malware that Steals businesses’ Facebook Accounts

A new cybersecurity threat targeting Facebook advertisers in Vietnam, known as VietCredCare, has emerged....
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles