Cyber-attacks using infected USB drives as an initial access vector saw a three-fold increase in the first half of 2023.
That’s according to new findings from Mandiant, which detail two such campaigns – SOGU and SNOWYDRIVE – targeting public and private sector entities worldwide.
SOGU is “the most common USB-based cyberespionage attack using USB flash drives and one of the most aggressive cyberespionage campaigns targeting public and private sector organizations globally across industry verticals,” Google’s threat intelligence firm said.
The activity is associated with a China-based cluster called TEMP.Hex, which is also tracked under the names Camaro Dragon, Earth Preta, and Mustang Panda. Targets include construction and engineering, business services, government, healthcare, transportation and retail in Europe, Asia and the US.
The chain of infection detailed by Mandiant shows tactical similarities to other Mustang Panda campaigns uncovered by Check Point, which exposed a self-propagating malware family called WispRider that spreads via compromised USB drives and could potentially reach air-gapped systems.
It all starts with a rogue USB flash drive plugged into a computer, leading to the execution of PlugX (aka Korplug), which then decrypts and launches a C-based backdoor called SOGU which extracts files of interest, keystrokes, and screenshots.
SNOWYDRIVE Targets Oil and Gas Organizations in Asia
The second group to take advantage of the USB infiltration mechanism is UNC4698, which has singled out oil and gas organizations in Asia to deliver the SNOWYDRIVE malware and execute arbitrary payloads on compromised systems.
“Once SNOWYDRIVE is loaded, it creates a backdoor on the host system, giving an attacker the ability to issue system commands remotely,” said Mandiant researchers Rommel Joven and Ng Choon Kiat. “It also spreads to other USB flash drives and spreads across the network.”
In this attack, the victim is enticed to click on a booby-trapped file masquerading as a legitimate executable file, thus activating a chain of malicious actions, starting with the dropper creating a foothold, followed by executing the SNOWYDRIVE implant.
Some of the backdoor functions consist of performing file and directory searches, uploading and downloading files, and launching a reverse shell.
“Organizations should prioritize implementing access restrictions to external devices such as USB drives,” the researchers said. “If this is not possible, they should at least scan these devices for malicious files or code before connecting them to their internal network.”
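The access restriction the researchers recommend maps onto Windows' Removable Storage Access policy. The PowerShell below is an added example, not code from the Mandiant report; it assumes an elevated session on a machine whose policy keys are not already managed by a domain GPO, and that denying write and execute (while keeping read) is the desired baseline.

```powershell
# Added example: audit and enforce the "Removable Disks" deny policy.
# The registry paths mirror Group Policy:
#   Computer Configuration > Administrative Templates > System > Removable Storage Access
# Assumption: run elevated; no domain GPO already owns these values.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device setup class GUID for "Removable Disks" (USB flash drives are enumerated here)
$RemovableDisks = Join-Path $PolicyRoot '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-RemovableDiskPolicy {
    # Returns the current Deny_* values: 0 or absent = allowed, 1 = denied
    $state = [ordered]@{}
    foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
        $v = Get-ItemProperty -Path $RemovableDisks -Name $name -ErrorAction SilentlyContinue
        $state[$name] = if ($v) { [int]$v.$name } else { 0 }
    }
    [pscustomobject]$state
}

function Set-RemovableDiskPolicy {
    param(
        # Baseline: block execution (the SOGU/SNOWYDRIVE launch step) and writes
        # (the self-propagation step); keep read so scanned media can still be copied from.
        [int]$DenyRead = 0,
        [int]$DenyWrite = 1,
        [int]$DenyExecute = 1
    )
    New-Item -Path $RemovableDisks -Force | Out-Null
    Set-ItemProperty -Path $RemovableDisks -Name 'Deny_Read'    -Value $DenyRead    -Type DWord
    Set-ItemProperty -Path $RemovableDisks -Name 'Deny_Write'   -Value $DenyWrite   -Type DWord
    Set-ItemProperty -Path $RemovableDisks -Name 'Deny_Execute' -Value $DenyExecute -Type DWord
    Get-RemovableDiskPolicy
}

Write-Host 'Before (weak state: all 0 means full access):'
Get-RemovableDiskPolicy
Write-Host 'After (hardened):'
Set-RemovableDiskPolicy
```

Re-plug the drive (or reboot) before verifying the effect, as the policy is evaluated when the device is enumerated.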