USB Malware Attacks Have Experienced a Three-Fold Growth
Mandiant's research team has observed a threefold increase in USB-delivered malware attacks. These attacks use a malicious program planted on a USB drive to steal confidential information from the victim.
SOGU Malware
Mandiant, which is part of Google Cloud, highlights two espionage campaigns in a blog post. The first uses the SOGU malware, which the company describes as one of the most common malware families to reach a PC via a USB drive. The campaign targets both government agencies and corporations. Mandiant attributes it to TEMP.Hex, a Chinese group that uses the access it gains to serve state espionage and China's economic interests.
SNOWYDRIVE
Mandiant's second example is SNOWYDRIVE, which installs a backdoor on the target and gives the operators control of the compromised system. It also tries to move laterally within the corporate network to reach as much sensitive data as possible. According to Mandiant, the group behind it is UNC4698, which mainly targets oil and gas companies in Asia.
Geographically, Mandiant sees SOGU attacks occurring in many regions. It has also mapped the sectors in which the attacks take place: a broad spectrum, with pharmaceuticals, IT and the energy sector the main victims.
Unlike much malware, which exploits software vulnerabilities, this delivery method relies on a very cooperative victim, or on the attacker gaining physical access to a device. A phishing email also has to deceive its target, but a USB drive makes that persuasion harder still. Even so, there will always be people who plug an unknown drive into their machine without a second thought and launch an .exe from it, after which a complex infection chain unfolds.
With SOGU, the malware copies itself to the C: drive and back into the directory of the inserted flash drive, so the drive carries the infection onward. Stolen documents are then exfiltrated via HTTP/HTTPS requests. SOGU also offers further capabilities, such as file execution, remote desktop sessions and keylogging.
SNOWYDRIVE works slightly differently: it hides its files on the local disk in a folder named after Kaspersky, after which the malware components work together to install a backdoor. The tool also supports data exfiltration, reconnaissance and file deletion, and it evades detection by mimicking legitimate processes.
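The two paragraphs above describe traits a defender can look for before a drive is trusted: executables or shortcuts left at the drive root for a victim to double-click, executables tucked into hidden folders, Windows binaries disguised behind a document or image extension, and a folder borrowing a security vendor's name outside Program Files. The following Python script is an added example, not code from Mandiant's report or from this article, that triages a mounted drive (or any directory) for those traits. The heuristics, the extension lists, the vendor-name list and the sample directory tree are the editor's constructed assumptions for illustration; they are not Mandiant's published indicators for SOGU or SNOWYDRIVE.

```python
"""Triage a mounted drive for USB-delivery traits (added example; heuristics
are the editor's assumptions, not indicators published by Mandiant)."""
from __future__ import annotations

import os
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Extensions Windows runs (or, for .lnk, follows) on a double-click.
EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".lnk", ".bat", ".cmd", ".vbs", ".js", ".ps1"}
# Extensions that legitimately hold a PE image (file starts with "MZ").
PE_EXTS = {".exe", ".dll", ".scr", ".com", ".sys", ".ocx", ".cpl"}
# Document/image extensions used as the first half of a "report.pdf.exe" lure.
LURE_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}
# Vendor folder names expected only under Program Files (assumption motivated
# by SNOWYDRIVE's Kaspersky-named folder; extend as needed).
VENDOR_LOOKALIKES = {"kaspersky"}
LEGIT_VENDOR_PARENTS = {"program files", "program files (x86)"}


@dataclass(frozen=True)
class Finding:
    kind: str
    path: str
    reason: str


def is_hidden(p: Path) -> bool:
    """Hidden attribute on Windows; a dot-prefixed name on any platform."""
    try:
        attrs = getattr(p.stat(), "st_file_attributes", 0)
    except OSError:
        attrs = 0
    hidden_flag = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)
    return bool(attrs & hidden_flag) or p.name.startswith(".")


def under_hidden_dir(root: Path, d: Path) -> bool:
    """True if d or any directory between root and d is hidden."""
    cur = root
    for part in d.relative_to(root).parts:
        cur = cur / part
        if is_hidden(cur):
            return True
    return False


def starts_with_mz(p: Path) -> bool:
    """DOS/PE header magic: a strong hint the file is a Windows binary."""
    try:
        with p.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def scan(root: Path) -> list[Finding]:
    """Walk root and return every heuristic hit."""
    root = Path(root)
    findings: list[Finding] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        in_hidden = under_hidden_dir(root, d)
        if d.name.lower() in VENDOR_LOOKALIKES and d.parent.name.lower() not in LEGIT_VENDOR_PARENTS:
            findings.append(Finding("vendor-lookalike-dir", str(d), "security-vendor folder name outside Program Files"))
        for name in filenames:
            f = d / name
            ext = f.suffix.lower()
            parts = f.name.lower().split(".")
            if d == root and ext in EXEC_EXTS:
                findings.append(Finding("root-executable", str(f), "executable or shortcut at the drive root"))
            if in_hidden and ext in EXEC_EXTS:
                findings.append(Finding("hidden-executable", str(f), "executable inside a hidden folder"))
            if ext not in PE_EXTS and starts_with_mz(f):
                findings.append(Finding("disguised-pe", str(f), f"PE image behind extension {ext or '(none)'}"))
            if len(parts) >= 3 and ext in EXEC_EXTS and "." + parts[-2] in LURE_EXTS:
                findings.append(Finding("double-extension", str(f), "document-looking name ending in an executable extension"))
    return findings


def build_sample_drive(base: Path) -> Path:
    """Constructed sample tree resembling an infected removable drive.
    The 'binaries' contain only the MZ magic and are not runnable programs."""
    base = Path(base)
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60
    (base / "Quarterly report.pdf.lnk").write_bytes(b"L\x00\x00\x00")  # shortcut lure at root
    hidden = base / ".sys"                                              # hidden folder with payload
    hidden.mkdir()
    (hidden / "update.exe").write_bytes(fake_pe)
    (base / "photos").mkdir()
    (base / "photos" / "vacation.jpg").write_bytes(fake_pe)            # PE behind an image extension
    (base / "photos" / "notes.txt").write_text("harmless text\n")       # benign control file
    (base / "Kaspersky").mkdir()                                        # vendor-named folder, wrong place
    (base / "Kaspersky" / "klsvc.dll").write_bytes(fake_pe)
    return base


def scan_sample_drive() -> list[Finding]:
    """Build the constructed sample in a temp dir, scan it and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan(build_sample_drive(Path(tmp)))


if __name__ == "__main__":
    for hit in sorted(scan_sample_drive(), key=lambda h: (h.kind, h.path)):
        print(f"{hit.kind:22} {hit.path}  ({hit.reason})")
```

Point `scan()` at a mounted drive letter (for example `scan(Path("E:/"))`) before opening anything on it. On the constructed sample the script reports exactly one hit per trait and stays silent on the benign text file and on the DLL whose only oddity is its parent folder, which is reported once as a directory finding rather than per file.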
Mandiant does not directly explain why the attacks have increased so sharply; it may simply reflect recently intensified campaigns. The fact that print shops and hotels are flagged as particularly risky locations suggests that the attackers will often fail. Anyone who secures their own equipment and does not plug in unknown flash drives is therefore well protected against this type of attack.