USBStealer is malware that has been used by APT28 since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with ADVSTORESHELL. [1] [2]
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1119 | Automated Collection | For all non-removable drives on a victim, USBStealer executes automated collection of certain files for later exfiltration.[1]
Enterprise | T1020 | Automated Exfiltration | USBStealer automatically exfiltrates collected files via removable media when an infected device connects to an air-gapped victim machine after initially being connected to an internet-enabled victim machine.[1]
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | USBStealer registers itself under a Registry Run key with the name "USB Disk Security."[1]
Enterprise | T1092 | Communication Through Removable Media | USBStealer drops commands for a second victim onto a removable media drive inserted into the first victim, and the commands are executed when the drive is inserted into the second victim.[1]
Enterprise | T1025 | Data from Removable Media | Once a removable media device is inserted back into the first victim, USBStealer collects data from it that was exfiltrated from a second victim.[1][2]
Enterprise | T1074.001 | Data Staged: Local Data Staging | USBStealer collects files matching certain criteria from the victim and stores them in a local directory for later exfiltration.[1][2]
Enterprise | T1052.001 | Exfiltration Over Physical Medium: Exfiltration over USB | USBStealer exfiltrates collected files via removable media from air-gapped victims.[1]
Enterprise | T1083 | File and Directory Discovery | USBStealer searches victim drives for files matching certain extensions (".skr", ".pkr" or ".key") or names.[1][2]
Enterprise | T1070.004 | Indicator Removal: File Deletion | USBStealer has several commands to delete files associated with the malware from the victim.[1]
Enterprise | T1070.006 | Indicator Removal: Timestomp | USBStealer sets the timestamps of its dropper files to the last-access and last-write timestamps of a standard Windows library chosen on the system.[1]
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | USBStealer mimics a legitimate Russian program called USB Disk Security.[1]
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Most strings in USBStealer are encrypted using 3DES and XOR and reversed.[1]
Enterprise | T1120 | Peripheral Device Discovery | USBStealer monitors victims for insertion of removable drives. When dropped onto a second victim, it also enumerates drives connected to the system.[1]
Enterprise | T1091 | Replication Through Removable Media | USBStealer drops itself onto removable media and relies on Autorun to execute the malicious file when a user opens the removable media on another system.[1]
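The timestomping behaviour mapped to T1070.006 above (dropper last-write and last-access times copied from a standard Windows library) suggests a simple triage heuristic. The following is an added example, not code from the page or from any referenced report: it assumes file metadata has already been collected into records (the records and the library baseline below are constructed sample data), and it assumes the creation timestamp was left untouched, so a file that was created after it was last written is flagged.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class FileRecord:
    """NTFS-style timestamps for one file: created, last-write, last-access."""
    path: str
    created: datetime
    modified: datetime
    accessed: datetime


# Constructed baseline: timestamps of a standard Windows library on the host.
SYSTEM_LIBS = [
    FileRecord(r"C:\Windows\System32\kernel32.dll",
               datetime(2019, 3, 19, 4, 45, 10),
               datetime(2019, 3, 19, 4, 45, 10),
               datetime(2019, 3, 19, 4, 45, 10)),
]

# Constructed sample files. The first copies kernel32.dll's last-write and
# last-access times but was created years later; the second is consistent.
SAMPLE_FILES = [
    FileRecord(r"C:\Users\Public\USBGuard.exe",
               datetime(2023, 8, 2, 9, 12, 0),
               datetime(2019, 3, 19, 4, 45, 10),
               datetime(2019, 3, 19, 4, 45, 10)),
    FileRecord(r"C:\Users\Public\notes.txt",
               datetime(2023, 8, 1, 8, 0, 0),
               datetime(2023, 8, 1, 8, 30, 0),
               datetime(2023, 8, 2, 7, 0, 0)),
]


def timestomp_suspects(files, system_libs):
    """Return (file, library) pairs where the file's last-write and
    last-access times exactly equal a system library's and the file's
    creation time is later than its last-write time. An untouched file
    cannot have been created after it was last modified, so the pair
    points at copied timestamps rather than a coincidence."""
    lib_times = {(lib.modified, lib.accessed): lib.path for lib in system_libs}
    suspects = []
    for f in files:
        key = (f.modified, f.accessed)
        if key in lib_times and f.created > f.modified:
            suspects.append((f.path, lib_times[key]))
    return suspects
```

If the creation timestamp was also rewritten the check is blind; in that case compare the timestamps above with the filesystem's own file-name attribute timestamps, which the heuristic here does not model.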