USBStealer is malware that has been used by APT28 since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with ADVSTORESHELL.  
For all non-removable drives on a victim, USBStealer executes automated collection of certain files for later exfiltration.
USBStealer automatically exfiltrates collected files via removable media when an infected device connects to an air-gapped victim machine after initially being connected to an internet-enabled victim machine. 
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
USBStealer registers itself under a Registry Run key with the name "USB Disk Security."
Enterprise | T1092 | Communication Through Removable Media
USBStealer drops commands for a second victim onto a removable media drive inserted into the first victim, and commands are executed when the drive is inserted into the second victim.
Enterprise | T1025 | Data from Removable Media
Once a removable media device is inserted back into the first victim, USBStealer collects data from it that was exfiltrated from a second victim.
Enterprise | T1074.001 | Data Staged: Local Data Staging
USBStealer collects files matching certain criteria from the victim and stores them in a local directory for later exfiltration.
Enterprise | T1052.001 | Exfiltration Over Physical Medium: Exfiltration over USB
USBStealer exfiltrates collected files via removable media from air-gapped victims.
Enterprise | T1083 | File and Directory Discovery
USBStealer searches victim drives for files matching certain extensions (".skr", ".pkr" or ".key") or names.
Enterprise | T1070.004 | Indicator Removal: File Deletion
USBStealer has several commands to delete files associated with the malware from the victim.
Enterprise | T1070.006 | Indicator Removal: Timestomp
USBStealer sets the timestamps of its dropper files to the last-access and last-write timestamps of a standard Windows library chosen on the system.
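A forensic heuristic for the timestomping described above, added here as an example (not code from the page or from any analysis of the malware): copying the last-write and last-access times of a system library leaves the dropper's creation time untouched, so the dropper ends up (a) with a last-write/last-access pair that is identical, down to the sub-second part, to that of some library in System32, and (b) created later than it was last written. The function below scores files against a reference set of library timestamps. All timestamps and paths are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FileTimes:
    path: str
    created: datetime   # creation time
    modified: datetime  # last-write time
    accessed: datetime  # last-access time


# Constructed reference set: timestamps as they might be read from a few libraries in
# System32 on one host. Illustrative values, not real build times.
_base = datetime(2013, 8, 22, 11, 24, 17, 531250)
REFERENCE_LIBRARIES = [
    FileTimes(r"C:\Windows\System32\kernel32.dll", _base, _base, _base + timedelta(days=400)),
    FileTimes(r"C:\Windows\System32\ntdll.dll",
              _base + timedelta(seconds=3, microseconds=2500),
              _base + timedelta(seconds=3, microseconds=2500),
              _base + timedelta(days=401)),
]

# Constructed files under review.
CANDIDATES = [
    # Dropper-like file: last-write/last-access copied from kernel32.dll, recent creation time.
    FileTimes(r"C:\ProgramData\example\usbdisksecurity.exe",
              datetime(2015, 3, 4, 9, 15, 2, 112000), _base, _base + timedelta(days=400)),
    # Ordinary document: created, then edited later.
    FileTimes(r"C:\Users\alice\Documents\notes.txt",
              datetime(2015, 1, 1, 8, 0, 0), datetime(2015, 2, 1, 8, 0, 0), datetime(2015, 2, 2, 8, 0, 0)),
    # File copied from elsewhere: creation after last-write, but no match with a library.
    FileTimes(r"C:\Users\alice\Downloads\report.pdf",
              datetime(2015, 2, 10, 12, 0, 0, 5000), datetime(2014, 12, 1, 10, 0, 0, 7000),
              datetime(2015, 2, 10, 12, 0, 0, 5000)),
]


def timestomp_indicators(f: FileTimes, references) -> tuple:
    """Return (level, reasons) for one file; level is 'none', 'weak' or 'strong'."""
    ref_pairs = {(r.modified, r.accessed): r.path for r in references}
    reasons = []
    pair = (f.modified, f.accessed)
    # Sub-second equality of two timestamps with a different file does not happen by chance.
    if pair in ref_pairs:
        reasons.append(f"last-write and last-access identical to {ref_pairs[pair]}")
    # A file cannot normally be modified before it exists; this also fires on plain copies.
    if f.created > f.modified:
        reasons.append("creation time later than last-write time")
    if pair in ref_pairs:
        level = "strong"
    elif reasons:
        level = "weak"
    else:
        level = "none"
    return level, reasons


def scan(candidates, references) -> dict:
    """Map path -> (level, reasons) for every candidate that shows at least one indicator."""
    out = {}
    for f in candidates:
        level, reasons = timestomp_indicators(f, references)
        if reasons:
            out[f.path] = (level, reasons)
    return out


if __name__ == "__main__":
    for path, (level, reasons) in scan(CANDIDATES, REFERENCE_LIBRARIES).items():
        print(f"{level:6} {path}: {'; '.join(reasons)}")
```

The "creation after last-write" check alone is a weak signal, because Windows assigns a fresh creation time to a copied file while preserving its last-write time; the exact-pair match against the reference set is what separates a timestomped dropper from an ordinary copy. On a live system the reference set would be built by stat'ing the libraries in System32 rather than from constructed values.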
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location
USBStealer mimics a legitimate Russian program called USB Disk Security.
Enterprise | T1027 | Obfuscated Files or Information
Most strings in USBStealer are encrypted using 3DES and XOR and reversed.
Enterprise | T1120 | Peripheral Device Discovery
USBStealer monitors victims for insertion of removable drives. When dropped onto a second victim, it also enumerates drives connected to the system.
Enterprise | T1091 | Replication Through Removable Media
USBStealer drops itself onto removable media and relies on Autorun to execute the malicious file when a user opens the removable media on another system.
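The mitigation for this replication path is to stop Autorun from acting on removable media. The check below is an added example (not from the page) that decodes the NoDriveTypeAutoRun policy value found under HKLM and HKCU at `SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer`, using the bit meanings Microsoft documents for that value, and reports whether Autorun is disabled for removable drives. The per-hive sample values are constructed; the optional `read_live_values()` uses the standard `winreg` module on Windows. Treating removable-drive Autorun as blocked only when every hive that defines the value blocks it is a conservative choice made here, not a statement of how Windows resolves the two hives.

```python
import sys

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"

# Bit meanings documented by Microsoft for NoDriveTypeAutoRun (a set bit disables Autorun
# for that drive type; 0xFF disables it for every type).
DRIVE_BITS = {
    0x01: "unknown",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "unknown",
}
REMOVABLE = 0x04
ALL_DRIVES = 0xFF


def disabled_drive_types(mask: int) -> list:
    """Names of the drive types for which the given mask disables Autorun."""
    return sorted({name for bit, name in DRIVE_BITS.items() if mask & bit})


def removable_autorun_blocked(mask: int) -> bool:
    """True if the mask disables Autorun on removable (USB) drives."""
    return bool(mask & REMOVABLE)


def assess(values: dict) -> tuple:
    """Evaluate per-hive NoDriveTypeAutoRun values (None = value absent).

    Returns (blocked, report): blocked is True only when at least one hive defines the
    value and every hive that defines it disables removable-drive Autorun.
    """
    report = {}
    configured = []
    for hive, mask in values.items():
        if mask is None:
            report[hive] = "value absent (Windows default applies)"
            continue
        configured.append(removable_autorun_blocked(mask))
        kinds = ", ".join(disabled_drive_types(mask)) or "nothing"
        report[hive] = f"0x{mask:02X} disables Autorun on: {kinds}"
    return bool(configured) and all(configured), report


def read_live_values() -> dict:
    """Read the value from HKLM and HKCU on a Windows host (requires the winreg module)."""
    import winreg
    out = {}
    for name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, POLICY_KEY) as key:
                out[name], _ = winreg.QueryValueEx(key, VALUE_NAME)
        except OSError:
            out[name] = None
    return out


# Constructed sample: machine policy hardened to 0xFF, no per-user override.
SAMPLE_VALUES = {"HKLM": ALL_DRIVES, "HKCU": None}

if __name__ == "__main__":
    values = read_live_values() if sys.platform == "win32" else SAMPLE_VALUES
    blocked, report = assess(values)
    for hive, text in report.items():
        print(f"{hive}: {text}")
    print("removable-drive Autorun blocked:", blocked)
```

Windows 7 and later, and XP/Vista hosts with update KB971029, no longer honour autorun.inf on non-optical removable media, so on a patched estate this replication method fails regardless of the policy value; the check still matters for legacy or unpatched machines on an air-gapped segment, which are exactly the systems this malware targets.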