USBStealer

USBStealer is malware that has used by APT28 since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with ADVSTORESHELL. [1] [2]

ID: S0136
Aliases: USBStealer, USB Stealer, Win32/USBStealer
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

DomainIDNameUse
EnterpriseT1119Automated CollectionFor all non-removable drives on a victim, USBStealer executes automated collection of certain files for later exfiltration.[1]
EnterpriseT1020Automated ExfiltrationUSBStealer automatically exfiltrates collected files via removable media when an infected device is connected to the second victim after receiving commands from the first victim.[1]
EnterpriseT1092Communication Through Removable MediaUSBStealer drops commands for a second victim onto a removable media drive inserted into the first victim, and commands are executed when the drive is inserted into the second victim.[1]
EnterpriseT1025Data from Removable MediaOnce a removable media device is inserted back into the first victim, USBStealer collects data from it that was exfiltrated from a second victim.[1][2]
EnterpriseT1074Data StagedUSBStealer collects files matching certain criteria from the victim and stores them in a local directory for later exfiltration.[1][2]
EnterpriseT1052Exfiltration Over Physical MediumUSBStealer exfiltrates collected files via removable media from air-gapped victims.[1]
EnterpriseT1083File and Directory DiscoveryUSBStealer searches victim drives for files matching certain extensions (“.skr”,“.pkr” or “.key”) or names.[1][2]
EnterpriseT1107File DeletionUSBStealer has several commands to delete files associated with the malware from the victim.[1]
EnterpriseT1036MasqueradingUSBStealer mimics a legitimate Russian program called USB Disk Security.[1]
EnterpriseT1027Obfuscated Files or InformationMost strings in USBStealer are encrypted using 3DES and XOR and reversed.[1]
EnterpriseT1120Peripheral Device DiscoveryUSBStealer monitors victims for insertion of removable drives. When dropped onto a second victim, it also enumerates drives connected to the system.[1]
EnterpriseT1060Registry Run Keys / Startup FolderUSBStealer registers itself under a Registry Run key with the name "USB Disk Security."[1]
EnterpriseT1091Replication Through Removable MediaUSBStealer drops itself onto removable media and relies on Autorun to execute the malicious file when a user opens the removable media on another system.[1]
EnterpriseT1099TimestompUSBStealer sets the timestamps of its dropper files to the last-access and last-write timestamps of a standard Windows library chosen on the system.[1]

Groups

Groups that use this software:

APT28

References