CATEGORIES
home News

Security Report Details Alarming Rise In Malware Attacks Using USB Drives

by Nathan OrdThursday, July 13, 2023, 01:39 PM EDT
security researchers note uptick in malicious usb drive malware campaigns
The general rule of thumb is to not plug in USB drives you find on the ground, and beyond that, certainly don’t run anything on them as it could be malware. However, that rule is being skirted by some people, as researchers have discovered an alarming uptick in the use of infected USB drives to steal data.

Earlier this week, researchers at Mandiant reported that they had observed a tripling of the number of attacks using infected USB drivers over the first half of 2023. In this growth, two major espionage campaigns that utilized malicious USBs were tracked, dubbed SOGU and SNOWYDRIVE, respectively. The former, SOGU, is reportedly one of the most prevalent and aggressive espionage campaigns targeting public and private sector organizations globally.

sogu chain security researchers note uptick in malicious usb drive malware campaigns
Sogu Infection Chain

The SOGU operation begins with an infected flash drive containing malicious software that aims to load a payload to memory using DLL hijacking. Per the report, the infection chain that comprises this attack typically has three files, a legitimate executable, a malicious DLL loader, and an encrypted payload. A user who finds the USB must run the executable on the USB to load the malicious DLL dubbed ‘KORPLUG.’ This DLL will load shellcode, dubbed ‘SOGU,’ into memory. This shellcode collects some information, stages Office documents and PDFs for exfiltration, and sets up persistence masquerading as a legitimate program. The staged data is then exfiltrated using any number of different protocols, including custom ones, after which the malware could potentially clone itself to new drives plugged into an infected system.

snowydrive chain security researchers note uptick in malicious usb drive malware campaigns
SNOWYDRIVE Infection Chain

SNOWYDRIVE is very similar but operates by tricking a user into running a malicious file that looks like a legitimate executable on the drive. This malicious file is a dropper that pulls down and runs other malware on disk. This second stage of malware can then pull and run a shellcode-based backdoor, avoid AV detection, infect other flash drives, and more. The backdoor also generates a unique identifier and will communicate with the attacker’s command and control (C2) infrastructure.

Mandiant explains that with both attacks, “local print shops and hotels [are] potential hotspots for infection.” However, the threat actors are not specifically targeting these industries and are acting more opportunistically. Therefore, as Mandiant suggests, organizations should work to implement restrictions on USB drivers or otherwise scan all external devices for malicious files or code before granting access. You never know when a parking lot USB will bring you trouble.
Tags:  USB, security, cybersecurity
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment