USBferry is information-stealing malware that has been used by Tropic Trooper in targeted attacks against Taiwanese and Philippine air-gapped military environments. USBferry shares an overlapping codebase with YAHOYAH, though it has several features that make it a distinct piece of malware.[1]

ID: S0452
Platforms: Windows
Version: 1.0
Created: 20 May 2020
Last Modified: 16 June 2020

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087.001 | Account Discovery: Local Account | USBferry can use net user to gather information about local accounts.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | USBferry can execute various Windows commands.[1] |
| Enterprise | T1005 | Data from Local System | USBferry can collect information from an air-gapped host machine.[1] |
| Enterprise | T1083 | File and Directory Discovery | USBferry can detect the victim's file or folder list.[1] |
| Enterprise | T1120 | Peripheral Device Discovery | USBferry can check for connected USB devices.[1] |
| Enterprise | T1057 | Process Discovery | USBferry can use tasklist to gather information about the processes running on the infected system.[1] |
| Enterprise | T1018 | Remote System Discovery | USBferry can use net view to gather information about remote systems.[1] |
| Enterprise | T1091 | Replication Through Removable Media | USBferry can copy its installer to attached USB storage devices.[1] |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | USBferry can execute rundll32.exe in memory to avoid detection.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | USBferry can detect the infected machine's network topology using ipconfig and arp.[1] |
| Enterprise | T1049 | System Network Connections Discovery | USBferry can use netstat and nbtstat to detect active network connections.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0081 | Tropic Trooper | |