USBStealer

USBStealer is malware that has been used by APT28 since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with ADVSTORESHELL. [1] [2]

ID: S0136
Associated Software: USB Stealer, Win32/USBStealer
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 31 May 2017
Last Modified: 19 April 2022

Techniques Used

Domain ID Name Use
Enterprise T1119 Automated Collection

For all non-removable drives on a victim, USBStealer executes automated collection of certain files for later exfiltration.[1]

Enterprise T1020 Automated Exfiltration

USBStealer automatically exfiltrates collected files via removable media when an infected device connects to an air-gapped victim machine after initially being connected to an internet-enabled victim machine. [1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

USBStealer registers itself under a Registry Run key with the name "USB Disk Security."[1]

Enterprise T1092 Communication Through Removable Media

USBStealer drops commands for a second victim onto a removable media drive inserted into the first victim, and commands are executed when the drive is inserted into the second victim.[1]

Enterprise T1025 Data from Removable Media

Once a removable media device is inserted back into the first victim, USBStealer collects data from it that was exfiltrated from a second victim.[1][2]

Enterprise T1074 .001 Data Staged: Local Data Staging

USBStealer collects files matching certain criteria from the victim and stores them in a local directory for later exfiltration.[1][2]

Enterprise T1052 .001 Exfiltration Over Physical Medium: Exfiltration over USB

USBStealer exfiltrates collected files via removable media from air-gapped victims.[1]

Enterprise T1083 File and Directory Discovery

USBStealer searches victim drives for files matching certain extensions (".skr",".pkr" or ".key") or names.[1][2]

Enterprise T1070 .004 Indicator Removal: File Deletion

USBStealer has several commands to delete files associated with the malware from the victim.[1]

.006 Indicator Removal: Timestomp

USBStealer sets the timestamps of its dropper files to the last-access and last-write timestamps of a standard Windows library chosen on the system.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

USBStealer mimics a legitimate Russian program called USB Disk Security.[1]

Enterprise T1027 Obfuscated Files or Information

Most strings in USBStealer are encrypted using 3DES and XOR and reversed.[1]

Enterprise T1120 Peripheral Device Discovery

USBStealer monitors victims for insertion of removable drives. When dropped onto a second victim, it also enumerates drives connected to the system.[1]

Enterprise T1091 Replication Through Removable Media

USBStealer drops itself onto removable media and relies on Autorun to execute the malicious file when a user opens the removable media on another system.[1]

Groups That Use This Software

ID Name References
G0007 APT28

[3]

References