Nostalgic flair: USB sticks are being used again to spread malware
Mandiant experts have recorded a three-fold increase in attacks through ubiquitous flash drives.
In the first half of 2023, Mandiant researchers identified two distinct malicious campaigns that use USB devices to infect computers. One of them is called “Sogu” and is associated with the Chinese hacker group “TEMP.HEX”, which specializes in cyber espionage. The other is called “Snowydrive” and is attributed to UNC4698, a group that usually attacks oil and gas companies in Asia.
Earlier, in November 2022, Mandiant had already reported a China-linked operation that used USB devices to infect targets in the Philippines with four different malware families.
According to Mandiant, Sogu is the most aggressive USB cyber-espionage campaign that targets many industries around the world and tries to steal a wide variety of data from infected computers.
Users from the USA, France, Great Britain, Italy, Poland, Austria, Australia, Switzerland, China, Japan, Ukraine, Singapore, Indonesia and the Philippines have already become victims of Sogu. Most of the victims belong to the pharmaceutical, IT, energy, communications, medical and logistics sectors, but there are also victims from other industries.
After the user launches a malicious file from an infected USB drive, a Sogu loader named “Korplug” executes C shellcode in memory via DLL side-loading. Sogu persists on the system by creating a Run key in the registry and by registering a Windows Task Scheduler task that runs it regularly.
The malware drops a batch file in the Windows Recycle Bin that performs system reconnaissance, scanning the infected machine for Microsoft Office documents, PDFs and other text files that might contain valuable data.
All files the program selects are copied to two directories: one on the C:\ drive of the compromised host and one in a working directory on the USB flash drive. They are then base64-encoded. Note that base64 is an encoding, not encryption: it hides nothing from anyone who recovers the staged files.
Sogu also supports arbitrary command execution, file execution, remote desktop, screenshots of the infected computer, reverse shell setup and keylogging. In addition, the malware automatically copies itself to all connected removable media in order to spread to other computers.
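The persistence and staging behaviour described above (a Run key, a scheduled task, a batch file in the Recycle Bin, spreading via removable media) can be hunted for with the built-in Windows tooling. The following PowerShell script is an added example, not code from the article or from Mandiant's report; the heuristic that flags entries launched from a removable drive or from `$Recycle.Bin` is an assumption for illustration, not a published indicator, and every hit needs manual review.

```powershell
# Added example (not from Mandiant's report): hunt for the persistence and
# staging artifacts the article describes -- Run keys, scheduled tasks and
# batch files in the Recycle Bin. The "suspicious path" heuristic below is an
# assumption for illustration, not a Mandiant indicator; review every hit.

# Drive letters of currently attached removable media (DriveType 2 = removable).
$removable = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' |
    Select-Object -ExpandProperty DeviceID          # e.g. "E:"

function Test-SuspiciousPath {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    # Anything launched from removable media or from the Recycle Bin
    # deserves a second look.
    foreach ($d in $removable) {
        if ($Command -like "*$d\*") { return $true }
    }
    return ($Command -match '\$Recycle\.Bin')
}

Write-Host '== Run keys =='
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip PowerShell metadata properties
        $flag = if (Test-SuspiciousPath $p.Value) { '[SUSPICIOUS]' } else { '' }
        "{0,-6} {1,-30} {2} {3}" -f $key.Split('\')[0], $p.Name, $p.Value, $flag
    }
}

Write-Host '== Scheduled tasks (enabled, with suspicious actions) =='
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    foreach ($a in $_.Actions) {
        # Only exec actions carry Execute/Arguments; other action types yield $null.
        $cmd = "$($a.Execute) $($a.Arguments)"
        if (Test-SuspiciousPath $cmd) {
            "{0}{1}: {2}  [SUSPICIOUS]" -f $_.TaskPath, $_.TaskName, $cmd
        }
    }
}

Write-Host '== Batch files in the Recycle Bin =='
# Other users' bins require elevation; errors are suppressed rather than fatal.
Get-ChildItem -Path 'C:\$Recycle.Bin' -Recurse -Force -Filter '*.bat' -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

Run it from an elevated PowerShell so that the HKLM Run key, all scheduled tasks and every user's Recycle Bin are readable. Legitimate software also uses Run keys and scheduled tasks, so the output is a starting point for triage, not a verdict.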
Snowydrive is a campaign that infects computers with a backdoor allowing attackers to execute arbitrary payloads through the Windows command line, modify the registry, and perform various actions on files and directories.
Infection likewise starts with an executable file on a USB drive that extracts and runs the malware components. Each component has a specific role, such as establishing persistence, evading detection, installing the backdoor, and spreading the malware to newly connected USB drives.
Snowydrive itself is backdoor shellcode that is loaded into the “CUZ.exe” process, a legitimate unpacking utility. The backdoor supports many commands for file operations, data exfiltration, reverse shell, command execution and reconnaissance.
To evade detection, the malware uses a malicious DLL loaded by “GUP.exe”, the legitimate Notepad++ updater process, to hide file extensions and to hide files marked as “system” or “hidden” from the user, so that the lure files on the stick look harmless or do not appear at all.
Attacks via USB devices continue
While USB-borne attacks require physical access to the target computer to achieve infection, they have unique advantages that keep them relevant and popular even in 2023, according to Mandiant.
Those advantages include bypassing security mechanisms, stealth, initial access to corporate networks, and the ability to infect isolated systems that are kept off public networks for security reasons.
According to Mandiant, print shops and hotels are hotspots for USB-borne infections. However, given the largely indiscriminate spread of this malware, any system with a USB port is a potential target.
Before working with any removable drive, even your own, enable the display of extensions for known file types and the display of hidden items in your system. If you find unfamiliar documents, check their extension: if it is an executable or a shortcut, do not run it. It is better to delete such files from the flash drive immediately and scan the drive thoroughly with antivirus software.
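The two pieces of advice above, showing file extensions and showing hidden items, are exactly the Explorer settings that Snowydrive is described as tampering with, so it is worth checking them from a script rather than trusting the Explorer UI. The following PowerShell is an added example, not code from the article or from Mandiant; the registry path and value names are the documented Explorer settings, while the list of extensions treated as “do not double-click” is an assumption chosen for illustration.

```powershell
# Added example (not from the article or Mandiant): restore the Explorer
# visibility settings the article recommends (and that Snowydrive is described
# as tampering with), then list the files on attached removable drives that
# should not be run. The registry path/values are the documented Explorer
# settings; the $risky extension list is an assumption for illustration.

$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Desired values: show extensions (HideFileExt=0), show hidden files
# (Hidden=1) and show protected operating-system files (ShowSuperHidden=1).
$wanted = @{ HideFileExt = 0; Hidden = 1; ShowSuperHidden = 1 }

$current = Get-ItemProperty -Path $adv
$changed = $false
foreach ($name in $wanted.Keys) {
    $have = $current.$name
    if ($have -ne $wanted[$name]) {
        Write-Host ("{0,-16} is {1}, setting to {2}" -f $name, $have, $wanted[$name])
        Set-ItemProperty -Path $adv -Name $name -Value $wanted[$name] -Type DWord
        $changed = $true
    }
}
if ($changed) {
    Write-Host 'Explorer settings changed: restart Explorer (or sign out and in) to apply.'
}

# Extensions that execute code directly or point at something that does.
$risky = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js',
           '.jse', '.wsf', '.ps1', '.dll', '.lnk', '.url')

Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    Write-Host "== $root =="
    # -Force includes hidden and system files, which is the point: the malware
    # relies on them being invisible in Explorer.
    Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $risky -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $note = @()
            if ($_.Attributes -band [IO.FileAttributes]::Hidden) { $note += 'hidden' }
            if ($_.Attributes -band [IO.FileAttributes]::System) { $note += 'system' }
            # A shortcut whose target lives on the same stick is the classic lure;
            # resolve it without executing anything.
            if ($_.Extension -eq '.lnk') {
                $sh = New-Object -ComObject WScript.Shell
                $note += '-> ' + $sh.CreateShortcut($_.FullName).TargetPath
            }
            "{0}  [{1}]" -f $_.FullName, ($note -join ', ')
        }
}
```

The script only reads from the removable drive and changes nothing on it; deleting the flagged files and running an antivirus scan, as the article recommends, remains a deliberate manual step. Reading a `.lnk` through `WScript.Shell` resolves its target without launching it, which is the safe way to see where a shortcut points.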