
Threat from cyberattacks using infected USB drives has tripled in 2023
- Sadananda Sahoo

- Jul 27, 2023
In the first half of 2023, the number of cyberattacks that used infected USB drives as an initial access vector tripled.
New research from Mandiant reveals two such campaigns, SOGU and SNOWYDRIVE, which target both public and private sector organizations globally.
According to the Google-owned threat intelligence company, SOGU is the "most common USB-based cyber espionage attack using USB flash drives and one of the most aggressive cyber espionage campaigns targeting both public and private sector organizations globally across industry verticals."
The activity has been attributed to TEMP.Hex, a China-based cluster also tracked as Camaro Dragon, Earth Preta, and Mustang Panda. Targets in Europe, Asia, and the United States span commercial services, government, healthcare, transportation, and retail.
The infection chain described by Mandiant shares tactical similarities with another Mustang Panda campaign discovered by Check Point, which unveiled a form of self-propagating malware known as WispRider that spreads via infected USB sticks and has the capacity to infiltrate air-gapped systems.
The chain begins when a malicious USB flash drive is inserted into a computer. PlugX (also known as Korplug) then executes, decrypts files of interest, launches a C-based backdoor named SOGU, and captures screenshots and keystrokes.
SNOWYDRIVE Targets Asian Oil and Gas Companies
The second cluster to use the USB infiltration mechanism is UNC4698, which has targeted Asian oil and gas companies to deliver the SNOWYDRIVE malware, which runs arbitrary payloads on the compromised devices.
According to Mandiant researchers Rommel Joven and Ng Choon Kiat, "Once SNOWYDRIVE is loaded, it creates a backdoor on the host system, giving attackers the ability to remotely issue system commands." Additionally, it spreads across the network and to other USB flash devices.
In these attacks, the victim is tricked into clicking a booby-trapped file that poses as a legitimate executable; a dropper then establishes a foothold, after which the SNOWYDRIVE implant is executed.
The backdoor can do file and directory searches, upload and download files, and run a reverse shell, among other functions.
The researchers recommended that "organizations should prioritize implementing restrictions on access to external devices such as USB drives. If this is not possible, they should at the very least scan these devices for malicious files or code before connecting them to their internal networks."
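As an added defender-side example (not Mandiant's tooling and not derived from the SOGU or SNOWYDRIVE samples), the Python below shows the kind of pre-connection triage the second recommendation calls for: it walks a mounted removable volume and flags the generic artefacts that USB-propagating malware tends to leave behind, such as an autorun.inf, a shortcut sitting at the volume root, hidden directories, executables carrying a document-style double extension, and document-named files that actually start with a PE header. The rule set, the file names and the sample volume it builds in a temporary directory are all constructed for illustration; none of them are indicators from the reporting above.

```python
"""Triage a removable volume for USB-worm tell-tales before it touches the network.

Added example, not Mandiant's code: the rules cover generic artefacts of
USB-propagating malware, and the sample volume is constructed for the demo.
"""
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Extensions Windows treats as runnable on double-click.
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".com", ".pif", ".cpl",
                  ".bat", ".cmd", ".vbs", ".js", ".hta"}
# Extensions a user expects to open a document or image, not a program.
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                ".txt", ".jpg", ".png"}


@dataclass(frozen=True)
class Finding:
    path: str    # location relative to the volume root
    rule: str    # short rule identifier
    detail: str  # why the artefact matters


def _is_hidden(p: Path) -> bool:
    """Hidden as a POSIX dotfile or via the Windows hidden attribute."""
    if p.name.startswith("."):
        return True
    attrs = getattr(p.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def _has_mz_header(p: Path) -> bool:
    """True if the file starts with the 'MZ' signature of a PE executable."""
    try:
        with p.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def scan_removable_volume(root: Path) -> list[Finding]:
    """Walk a mounted volume and return every rule hit (empty list = no hits)."""
    root = Path(root)
    findings: list[Finding] = []
    for p in sorted(root.rglob("*")):
        rel_parts = p.relative_to(root).parts
        rel = "/".join(rel_parts)
        suffixes = [s.lower() for s in p.suffixes]
        ext = suffixes[-1] if suffixes else ""
        if p.is_dir():
            if _is_hidden(p):
                findings.append(Finding(rel, "hidden-dir",
                    "hidden directory; worms stash the real folder contents and payload here"))
            continue
        if p.name.lower() == "autorun.inf":
            findings.append(Finding(rel, "autorun",
                "autorun.inf present; legacy auto-execution hook on removable media"))
        if ext == ".lnk" and len(rel_parts) == 1:
            findings.append(Finding(rel, "root-lnk",
                "shortcut at the volume root; typical lure standing in for a hidden folder"))
        if ext in EXECUTABLE_EXT and len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXT:
            findings.append(Finding(rel, "double-extension",
                "executable named to look like a document (e.g. .pdf.exe)"))
        if ext in DOCUMENT_EXT and _has_mz_header(p):
            findings.append(Finding(rel, "masquerade",
                "document extension but PE executable content"))
    return findings


def build_sample_volume(root: Path) -> Path:
    """Lay out a constructed USB volume with one instance of each artefact class (demo data only)."""
    root = Path(root)
    (root / "readme.txt").write_text("benign notes\n")
    (root / "autorun.inf").write_text("[autorun]\n")
    # Windows LNK files begin with the header size 0x4C ('L').
    (root / "Documents.lnk").write_bytes(b"L\x00\x00\x00")
    hidden = root / ".Documents"
    hidden.mkdir()
    (hidden / "invoice.pdf.exe").write_bytes(b"MZ\x90\x00")
    # Document name wrapped around an executable header.
    (root / "notes.docx").write_bytes(b"MZ\x90\x00")
    return root


def demo_scan() -> list[Finding]:
    """Build the sample volume in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_removable_volume(build_sample_volume(Path(tmp)))


if __name__ == "__main__":
    for f in demo_scan():
        print(f"{f.rule:17} {f.path}: {f.detail}")
```

Point `scan_removable_volume` at the mount point of a drive plugged into an isolated scanning station; a hit is grounds to quarantine the drive for proper analysis, not proof of infection, and the check complements rather than replaces signature scanning of the files themselves.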