The Perils of USB-Based Cyberattacks: Sogu, SnowyDrive Malware Raises Concerns

Ongoing Cyber-Espionage Campaigns Highlight the Risks of USB-Based Attacks

The Growing Threat

Two recent cyber-espionage campaigns, targeting organizations across multiple sectors and regions, have underscored the need for tighter security controls around USB drives and other external devices. The campaigns, attributed to threat actors tracked as TEMP.Hex and UNC4698, have been observed using malware loaded onto USB flash drives to steal sensitive information and establish a remote foothold on victim systems.

The Tactics

TEMP.Hex, a China-linked threat actor, is using USB drives to spread malware named “Sogu” across infected systems. This capability enables the attacker to potentially compromise air-gapped systems as well. The affected sectors include engineering, construction, government, transportation, health, and business services. Meanwhile, UNC4698’s campaign, primarily targeting oil and gas organizations in Asia, involves the use of infected USB drives to drop a backdoor malware called “SnowyDrive” on victim systems. This allows the attacker to remotely interact with and control the compromised devices.

The Risks and Recent Incidents

While incidents involving infected USB drives are relatively rare compared to other cyberattack vectors, there has been a threefold increase in such attacks in the first half of 2023, according to Mandiant researchers. In December, UNC4191, another China-linked threat actor, was found deploying multiple malware families through USB drives, targeting organizations in Southeast Asia, the US, Europe, and the Asia-Pacific region. Other instances include a China-nexus threat actor gaining access to a hospital network via an infected USB drive, and financially motivated groups distributing ransomware-loaded USBs disguised as official government communications.

Preventive Measures and Recommendations

Mandiant researchers emphasize the importance of implementing restrictions on access to external devices, especially USB drives. If such restrictions are not feasible, organizations should at least scan these devices for malicious files or code before connecting them to their internal networks. This precautionary measure can help prevent the spread of malware and safeguard sensitive information.

Understanding USB-Based Attacks

The Sogu and SnowyDrive campaigns rely on users inadvertently inserting rogue USB drives into their systems and following prompts to execute malicious payloads. Key hotspots for infection include hotels and local print shops, where targets might be less vigilant about security while on business trips.

Sogu Malware

When a user inserts a weaponized USB flash drive, three files are loaded: a legitimate executable, a malicious DLL loader, and an encrypted payload. The legitimate executable sideloads a malicious DLL file named “Korplug”, which then decrypts and loads the Sogu backdoor into memory. The malware conducts various actions such as gathering system metadata, searching for specific file extensions, staging the retrieved information, exfiltrating data, and maintaining a persistent presence on infected systems. Sogu employs various communication protocols to interact with its command-and-control server and supports a wide range of commands for file manipulation, remote desktop access, and keylogging.

SnowyDrive Malware

Upon inserting the infected USB drive, the user is prompted to click on a malicious executable disguised as a legitimate file. This executable serves as a dropper, writing multiple encrypted malicious files to disk, each containing executables and DLLs. One of these files is SnowyDrive, a shellcode-based backdoor with numerous commands enabling various actions, such as file manipulation, remote shell creation, and search operations. The malware communicates with its hard-coded command-and-control server.
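The article recommends scanning removable media before it touches an internal network, and it describes two observable patterns: the Sogu three-file layout (a legitimate executable beside a loader DLL and an encrypted payload) and the SnowyDrive lure (an executable disguised as an ordinary file). The following Python script is an added example, not code from the article or from Mandiant, showing how a pre-connection scan can flag both patterns on a mounted drive. The entropy threshold, extension lists, directory name "Documents" and all file contents are assumptions constructed for the demo; the "drive" it scans is a temporary directory it builds itself.

```python
import math
import os
import tempfile

# Added example (not from the article or from Mandiant): two simple
# pre-connection checks for a mounted removable drive.
#  1. The three-file layout the article gives for Sogu: a .exe next to a .dll
#     and a third file that looks encrypted (high byte entropy).
#  2. The SnowyDrive lure: an executable whose name imitates a document,
#     e.g. "Photos.jpg.exe".
# Thresholds and extension lists are assumptions chosen for this demo.

DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
            ".txt", ".jpg", ".jpeg", ".png"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
ENTROPY_THRESHOLD = 7.0   # bits/byte; compressed or encrypted data sits near 8.0
SAMPLE_BYTES = 65536      # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_disguised_executable(name: str) -> bool:
    """True for names such as 'invoice.pdf.exe': a document extension placed
    in front of a real executable extension."""
    root, ext = os.path.splitext(name.lower())
    if ext not in EXEC_EXTS:
        return False
    return os.path.splitext(root)[1] in DOC_EXTS


def _head_entropy(path: str) -> float:
    """Entropy of the first SAMPLE_BYTES of a file; unreadable files score 0."""
    try:
        with open(path, "rb") as fh:
            return shannon_entropy(fh.read(SAMPLE_BYTES))
    except OSError:
        return 0.0


def scan_removable_drive(mount: str) -> dict:
    """Walk a mounted drive; return {'triads': [...], 'disguised': [...]} with
    paths relative to the mount point, sorted for stable output."""
    triads, disguised = [], []
    for dirpath, _dirs, files in os.walk(mount):
        exes, dlls, blobs = [], [], []
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, mount)
            ext = os.path.splitext(name.lower())[1]
            if is_disguised_executable(name):
                disguised.append(rel)
            if ext == ".exe":
                exes.append(rel)
            elif ext == ".dll":
                dlls.append(rel)
            elif _head_entropy(full) >= ENTROPY_THRESHOLD:
                blobs.append(rel)
        if exes and dlls and blobs:   # exe + dll + encrypted-looking blob in one folder
            triads.append({"dir": os.path.relpath(dirpath, mount),
                           "exe": sorted(exes), "dll": sorted(dlls),
                           "encrypted_blob": sorted(blobs)})
    triads.sort(key=lambda t: t["dir"])
    return {"triads": triads, "disguised": sorted(disguised)}


def build_constructed_fixture() -> str:
    """Create a temporary directory imitating a weaponized drive. All contents
    are constructed for this example; nothing here is real malware."""
    root = tempfile.mkdtemp(prefix="usb_demo_")
    low_entropy = b"MZ" + b"This program cannot be run in DOS mode." + b"\x00" * 4000
    staging = os.path.join(root, "Documents")
    os.makedirs(staging)
    with open(os.path.join(staging, "viewer.exe"), "wb") as fh:   # stand-in for a legit exe
        fh.write(low_entropy)
    with open(os.path.join(staging, "helper.dll"), "wb") as fh:   # stand-in for a loader DLL
        fh.write(low_entropy)
    with open(os.path.join(staging, "data.dat"), "wb") as fh:     # stand-in for encrypted payload
        fh.write(os.urandom(SAMPLE_BYTES))
    with open(os.path.join(root, "Photos.jpg.exe"), "wb") as fh:  # stand-in for the lure
        fh.write(low_entropy)
    with open(os.path.join(root, "readme.txt"), "w") as fh:       # benign file
        fh.write("Holiday pictures\n")
    return root


if __name__ == "__main__":
    drive = build_constructed_fixture()
    print(scan_removable_drive(drive))
```

On a real drive, point `scan_removable_drive` at the mount point (for example `E:\` or `/media/usb`) from a dedicated scanning host rather than a production workstation. The entropy check is a coarse heuristic: legitimately compressed files (archives, media) also score high, so a triad hit is a reason to inspect the folder, not a verdict on its own.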

Conclusion

As USB-based attacks continue to gain traction among threat actors, organizations should prioritize implementing safeguards against such attacks. Restricting access to external devices and conducting thorough scans before connecting them to internal networks are essential measures. Users should remain vigilant and avoid inserting unknown or suspicious USB drives into their systems. Heightened awareness and proactive security practices are crucial in mitigating the risks posed by USB-based cyber-espionage campaigns.
