Hackers Leverage USB Flash Drives to Attack Public and Private Sectors Globally

During the initial half of 2023, a notable surge occurred in attacks exploiting infected USB drives for secret theft.

While the USB-based operation campaigns caused most incidents, impacting both public and private sectors worldwide.

Cybersecurity analysts at Mandiant Managed Defense recently observed two cyber espionage campaigns that are based on USB flash drives. 

Security researchers dubbed the two campaigns as:-

  • SOGU Malware Infection
  • SNOWYDRIVE Malware Infection

We have provided comprehensive information about two USB-based attacks that hackers are currently using to target both public and private organizations.

SOGU Malware Infection

This USB-based cyber espionage attack is highly widespread, targeting public and private sectors globally, making it one of the most aggressive campaigns across industries.

SOGU malware loaded via USB flash drives that steal sensitive information linked to China’s TEMP.Hex actor, likely driven by national security and economic motives, reads the report.

In Europe, Asia, and the United States, there are various industries face risks from these operations, and here they are mentioned below:-

  • Construction
  • Engineering
  • Business services
  • Government
  • Health
  • Transportation
  • Retail
  • Entertainment
  • Manufacturing
  • Education
  • Finance
  • Logistic
  • Non-Proit
  • Media
  • Communications
  • IT
  • Energy
  • Pharmaceutical
Geographic distribution (Source – Mandiant)

The infected USB flash drive acts as the initial infection vector, housing multiple malicious software triggering DLL hijacking to load a malicious payload into memory.

SOGU Malware Infection Chain (Source – Mandiant)

There are three files that the complete infection chain contains and here they are mentioned below:- 

  • A legitimate executable
  • A malicious DLL loader
  • An encrypted payload

Upon running the legitimate executable, it side-loads the KORPLUG DLL, initiating the execution of decrypted shellcode (.dat file) associated with the SOGU backdoor, identified by Mandiant.

After dropping a batch file on the RECYCLE.BIN path, the infection proceeds with host reconnaissance, storing the results in a file named “sys.info” (decoded from Base64 as c3lzLmluZm8).

The malware disguises itself as a genuine program by creating a hidden directory to ensure its continued presence on the system.

To communicate with its command and control server, during the final attack stage, the malware exfiltrates staged data via the following custom binary protocols over TCP/UDP, ICMP:-

  • HTTP
  • HTTPS

SNOWYDRIVE Malware Infection

Using USB flash drives, this campaign deploys SNOWYDRIVE malware, establishing a host backdoor for remote command execution, while also infecting other flash drives and spreading across the network.

UNC4698, an oil-focused cyber threat, was identified as a campaign source by Mandiant. This campaign was detected for the first time during the Windows Explorer process execution hunt, revealing suspicious folder path (e.g., “F:”) often linked to USB drive malware execution.

As the initial infection vector, the infected USB flash drive is used, and the victim is enticed to click on the malicious file disguised as a legit executable, triggering the malicious executions for the attacker’s objectives.

SNOWYDRIVE Malware Infection Chain (Source – Mandiant)

The infection chain begins with an executable dropper that writes and launches malicious files. The extracted executables and DLLs from the encrypted files are written to the specified directory:-

  • C:\Users\Public\SymantecsThorvices\Bin

There are four components that comprise these files, which are loaded through DLL search order hijacking, with each containing a legitimate executable and a malicious DLL.

Execution chain  (Source – Mandiant)

SNOWYDRIVE backdoor generates a unique ID from system info for C2 communication, with a hard-coded domain in shellcode. While the persistence is achieved through the “KCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ushsguaei1hgba” registry value storing the “Silverlight.Configuration.exe” path.

Malware duplicates onto plugged-in removable drives, forming “<drive_root>\Kaspersky\Usb Drive\3.0” folder and storing encrypted malicious files. Extracted executable “aweu23jj46jm7dc” writes to <drive_root><volume_name>.exe, handling decryption and execution of file contents.

Organizations are strongly urged to prioritize access restrictions on external devices, like USB drives, or conduct thorough scans for malicious files prior to the network connection.

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a Taiwanese…

5 hours ago

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals in…

5 hours ago

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215 against…

5 hours ago

Chinese Hackers Attacking Microsoft Customers With Sophisticated Password Spray Attacks

Researchers have identified a network of compromised devices, CovertNetwork-1658, used by Chinese threat actors to…

5 hours ago

New Windows Zero-Day Vulnerability Let Attackers Steal Credentials From Victim’s Machine

A security researcher discovered a vulnerability in Windows theme files in the previous year, which…

5 hours ago

SYS01 InfoStealer Malware Attacking Meta Business Page To Steal Logins

The ongoing Meta malvertising campaign, active for over a month, employs an evolving strategy to…

6 hours ago