Monday, June 24, 2024

Hackers Leverage USB Flash Drives to Attack Public and Private Sectors Globally

During the initial half of 2023, a notable surge occurred in attacks exploiting infected USB drives for secret theft.

While the USB-based operation campaigns caused most incidents, impacting both public and private sectors worldwide.

Cybersecurity analysts at Mandiant Managed Defense recently observed two cyber espionage campaigns that are based on USB flash drives. 

Security researchers dubbed the two campaigns as:-

  • SOGU Malware Infection
  • SNOWYDRIVE Malware Infection

We have provided comprehensive information about two USB-based attacks that hackers are currently using to target both public and private organizations.

SOGU Malware Infection

This USB-based cyber espionage attack is highly widespread, targeting public and private sectors globally, making it one of the most aggressive campaigns across industries.

SOGU malware loaded via USB flash drives that steal sensitive information linked to China’s TEMP.Hex actor, likely driven by national security and economic motives, reads the report.

In Europe, Asia, and the United States, there are various industries face risks from these operations, and here they are mentioned below:-

  • Construction
  • Engineering
  • Business services
  • Government
  • Health
  • Transportation
  • Retail
  • Entertainment
  • Manufacturing
  • Education
  • Finance
  • Logistic
  • Non-Proit
  • Media
  • Communications
  • IT
  • Energy
  • Pharmaceutical
Geographic distribution (Source – Mandiant)

The infected USB flash drive acts as the initial infection vector, housing multiple malicious software triggering DLL hijacking to load a malicious payload into memory.

SOGU Malware Infection Chain (Source – Mandiant)

There are three files that the complete infection chain contains and here they are mentioned below:- 

  • A legitimate executable
  • A malicious DLL loader
  • An encrypted payload 

Upon running the legitimate executable, it side-loads the KORPLUG DLL, initiating the execution of decrypted shellcode (.dat file) associated with the SOGU backdoor, identified by Mandiant.

After dropping a batch file on the RECYCLE.BIN path, the infection proceeds with host reconnaissance, storing the results in a file named “” (decoded from Base64 as c3lzLmluZm8).

The malware disguises itself as a genuine program by creating a hidden directory to ensure its continued presence on the system.

To communicate with its command and control server, during the final attack stage, the malware exfiltrates staged data via the following custom binary protocols over TCP/UDP, ICMP:-

  • HTTP

SNOWYDRIVE Malware Infection

Using USB flash drives, this campaign deploys SNOWYDRIVE malware, establishing a host backdoor for remote command execution, while also infecting other flash drives and spreading across the network.

UNC4698, an oil-focused cyber threat, was identified as a campaign source by Mandiant. This campaign was detected for the first time during the Windows Explorer process execution hunt, revealing suspicious folder path (e.g., “F:”) often linked to USB drive malware execution.

As the initial infection vector, the infected USB flash drive is used, and the victim is enticed to click on the malicious file disguised as a legit executable, triggering the malicious executions for the attacker’s objectives.

SNOWYDRIVE Malware Infection Chain (Source – Mandiant)

The infection chain begins with an executable dropper that writes and launches malicious files. The extracted executables and DLLs from the encrypted files are written to the specified directory:-

  • C:\Users\Public\SymantecsThorvices\Bin

There are four components that comprise these files, which are loaded through DLL search order hijacking, with each containing a legitimate executable and a malicious DLL.

Execution chain  (Source – Mandiant)

SNOWYDRIVE backdoor generates a unique ID from system info for C2 communication, with a hard-coded domain in shellcode. While the persistence is achieved through the “KCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ushsguaei1hgba” registry value storing the “Silverlight.Configuration.exe” path.

Malware duplicates onto plugged-in removable drives, forming “<drive_root>\Kaspersky\Usb Drive\3.0” folder and storing encrypted malicious files. Extracted executable “aweu23jj46jm7dc” writes to <drive_root><volume_name>.exe, handling decryption and execution of file contents.

Organizations are strongly urged to prioritize access restrictions on external devices, like USB drives, or conduct thorough scans for malicious files prior to the network connection.


Latest articles

Threat Actor Claiming a 0-day in Linux LPE Via GRUB bootloader

A new threat actor has emerged, claiming a zero-day vulnerability in the Linux GRUB...

LockBit Ransomware Group Claims Hack of US Federal Reserve

The notorious LockBit ransomware group has claimed responsibility for hacking the U.S. Federal Reserve,...

Microsoft Power BI Vulnerability Let Attackers Access Organizations Sensitive Data

A vulnerability in Microsoft Power BI allows unauthorized users to access sensitive data underlying...

Consulting Companies to Pay $11 Million Failing Cybersecurity Requirements

Two consulting companies, Guidehouse Inc. and Nan McKay and Associates, have agreed to pay...

New RAT Malware SneakyChef & SugarGhost Attack Windows Systems

Talos Intelligence has uncovered a sophisticated cyber campaign attributed to the threat actor SneakyChef....

Chinese Winnti Group Intensifies Financially Motivated Attacks

Hackers are increasingly executing financially motivated attacks and all due to the lucrative potential...

PrestaShop Website Under Injection Attack Via Facebook Module

A critical vulnerability has been discovered in the "Facebook" module (pkfacebook) from for...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles