What’s old is new again, with researchers seeing a threefold increase in malware distributed via USB drives in the first half of 2023
A new report from Beggar describes how two USB-delivered malware campaigns have been observed this year; one named “Sogu”, attributed to a Chinese espionage threat group “TEMP.HEX”, and another named “Snowydrive”, attributed to UNC4698, which targets oil and gas companies in Asia.
Previously, in November 2022, the cybersecurity firm highlighted a China-nexus campaign using USB devices to infect entities in the Philippines with four distinct malware families.
Additionally, in January 2023, the Palo Alto Network Unit 42 team discovered a PlugX variant which could hide in USB drives and infect Windows hosts to which they are connected.
The Sogu Campaign
Mandiant reports that Sogu is currently the most aggressive USB-assisted cyber espionage campaign, targeting many industries worldwide and attempting to steal data from infected computers.
The victims of the Sogu malware are located in the United States, France, United Kingdom, Italy, Poland, Austria, Australia, Switzerland, China, Japan, Ukraine, Singapore, Indonesia and in the Phillippines.
Most of the victims belong to the pharmaceutical, IT, energy, communications, health and logistics sectors, but there are victims in all fields.
The payload, called “Korplug”, loads C (Sogu) shellcode into memory via DLL command hijacking, which requires tricking the victim into executing a legitimate file.
Sogu establishes persistence by creating a registry run key and uses Windows Task Scheduler to ensure that it runs regularly.
Next, the malware drops a batch file on “RECYCLE.BIN” which helps in system recognition, scanning the infected machine for MS Office documents, PDFs and other text files that may contain valuable data .
Files found by Sogu are copied to two directories, one on the host’s C:\ drive and one on the working directory on the flash drive, and encrypted using base64.
The document files are finally exfiltrated to the C2 server via TCP or UDP, using HTTP or HTTPS requests.
Sogu also supports executing commands, executing files, remote desktop, screenshot of the infected computer, setting up a reverse shell or logging keystrokes.
All drives connected to the infected system will automatically receive a copy of Sogu’s original compromised file to enable lateral movement.
Snowydrive is a campaign that infects computers with a backdoor allowing attackers to execute arbitrary payloads through the Windows command prompt, modify the registry, and perform actions on files and directories.
Also in this case, the victim is tricked into running a legitimate-looking executable on a USB drive, which triggers the extraction and execution of the malware components that reside in a “Kaspersky” folder.
The components take on specific roles such as establishing persistence on the hacked system, evading detection, removing a backdoor, and ensuring that malware spreads via newly attached USB drives.
Snowydrive is a shellcode-based backdoor that is loaded into the process of “CUZ.exe”, which is legitimate archive unpacking software.
The backdoor supports numerous commands that enable file operations, data exfiltration, reverse shell, command execution, and reconnaissance.
For evasion, the malware uses a malicious DLL sideloaded by “GUP.exe”, a legitimate Notepad++ updater, to hide file extensions and specific files marked with “system” or ” hidden”.
USB-Based Attacks Will Continue
While USB attacks require physical access to target computers to achieve infection, they have unique advantages that keep them both relevant and trending in 2023, as Mandiant reports.
Benefits include bypassing security mechanisms, stealth, initial access to corporate networks, and the ability to infect systems isolated from untrusted networks for security reasons.
Mandiant’s investigation indicates that print shops and hotels are infection hotspots for USB malware.
However, given the random and opportunistic spread of these backdoors, any system with a USB port could be a target.