Hackers Leverage USB Flash Drives to Attack Public and Private Sectors Globally

During the initial half of 2023, a notable surge occurred in attacks exploiting infected USB drives for secret theft.

While the USB-based operation campaigns caused most incidents, impacting both public and private sectors worldwide.

Cybersecurity analysts at Mandiant Managed Defense recently observed two cyber espionage campaigns that are based on USB flash drives. 

Security researchers dubbed the two campaigns as:-

  • SOGU Malware Infection
  • SNOWYDRIVE Malware Infection

We have provided comprehensive information about two USB-based attacks that hackers are currently using to target both public and private organizations.

SOGU Malware Infection

This USB-based cyber espionage attack is highly widespread, targeting public and private sectors globally, making it one of the most aggressive campaigns across industries.

SOGU malware loaded via USB flash drives that steal sensitive information linked to China’s TEMP.Hex actor, likely driven by national security and economic motives, reads the report.

In Europe, Asia, and the United States, there are various industries face risks from these operations, and here they are mentioned below:-

  • Construction
  • Engineering
  • Business services
  • Government
  • Health
  • Transportation
  • Retail
  • Entertainment
  • Manufacturing
  • Education
  • Finance
  • Logistic
  • Non-Proit
  • Media
  • Communications
  • IT
  • Energy
  • Pharmaceutical
Geographic distribution (Source – Mandiant)

The infected USB flash drive acts as the initial infection vector, housing multiple malicious software triggering DLL hijacking to load a malicious payload into memory.

SOGU Malware Infection Chain (Source – Mandiant)

There are three files that the complete infection chain contains and here they are mentioned below:- 

  • A legitimate executable
  • A malicious DLL loader
  • An encrypted payload

Upon running the legitimate executable, it side-loads the KORPLUG DLL, initiating the execution of decrypted shellcode (.dat file) associated with the SOGU backdoor, identified by Mandiant.

After dropping a batch file on the RECYCLE.BIN path, the infection proceeds with host reconnaissance, storing the results in a file named “sys.info” (decoded from Base64 as c3lzLmluZm8).

The malware disguises itself as a genuine program by creating a hidden directory to ensure its continued presence on the system.

To communicate with its command and control server, during the final attack stage, the malware exfiltrates staged data via the following custom binary protocols over TCP/UDP, ICMP:-

  • HTTP
  • HTTPS

SNOWYDRIVE Malware Infection

Using USB flash drives, this campaign deploys SNOWYDRIVE malware, establishing a host backdoor for remote command execution, while also infecting other flash drives and spreading across the network.

UNC4698, an oil-focused cyber threat, was identified as a campaign source by Mandiant. This campaign was detected for the first time during the Windows Explorer process execution hunt, revealing suspicious folder path (e.g., “F:”) often linked to USB drive malware execution.

As the initial infection vector, the infected USB flash drive is used, and the victim is enticed to click on the malicious file disguised as a legit executable, triggering the malicious executions for the attacker’s objectives.

SNOWYDRIVE Malware Infection Chain (Source – Mandiant)

The infection chain begins with an executable dropper that writes and launches malicious files. The extracted executables and DLLs from the encrypted files are written to the specified directory:-

  • C:\Users\Public\SymantecsThorvices\Bin

There are four components that comprise these files, which are loaded through DLL search order hijacking, with each containing a legitimate executable and a malicious DLL.

Execution chain  (Source – Mandiant)

SNOWYDRIVE backdoor generates a unique ID from system info for C2 communication, with a hard-coded domain in shellcode. While the persistence is achieved through the “KCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ushsguaei1hgba” registry value storing the “Silverlight.Configuration.exe” path.

Malware duplicates onto plugged-in removable drives, forming “<drive_root>\Kaspersky\Usb Drive\3.0” folder and storing encrypted malicious files. Extracted executable “aweu23jj46jm7dc” writes to <drive_root><volume_name>.exe, handling decryption and execution of file contents.

Organizations are strongly urged to prioritize access restrictions on external devices, like USB drives, or conduct thorough scans for malicious files prior to the network connection.

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

NVIDIA UFM Vulnerability Leads to Privilege Escalation & Data Tampering

NVIDIA has released a critical security update addressing a significant vulnerability in its Unified Fabric…

37 minutes ago

Junior School Student Indicted for Infecting Computers With Malware

Fukui Prefectural Police have indicted a 15-year-old junior high school student from Saitama Prefecture for…

3 hours ago

Critical Gitlab Vulnerability Let Attackers Escalate Privileges

GitLab, a widely used platform for DevOps lifecycle management, has released critical security updates for…

4 hours ago

Firefox 133.0 Released with Multiple Security Updates – What’s New!

Mozilla has officially launched Firefox 133.0, offering enhanced features, significant performance improvements, and critical security…

7 hours ago

RomCom Hackers Exploits Windows & Firefox Zero-Day in Advanced Cyberattacks

In a new wave of cyberattacks, the Russia-aligned hacking group "RomCom" has been found exploiting…

16 hours ago

Chinese APT Hackers Using Multiple Tools And Vulnerabilities To Attack Telecom Orgs

Earth Estries, a Chinese APT group, has been actively targeting critical sectors like telecommunications and…

18 hours ago