Stealthy USB Trojan hides in portable applications, targets air-gapped systems

The USB Thief Trojan makes extensive use of cryptography to hinder analysis and hide data

A Trojan program is being distributed through USB drives and seems to be designed for stealing information from so-called air-gapped computers that are not connected to the Internet.

The new Trojan has been dubbed USB Thief by security researchers from antivirus firm ESET and has several characteristics that set it apart from the traditional malware programs that spread using USB storage devices and the Windows Autorun feature.

First of all, USB Thief infects USB drives that contain portable installations of popular applications like Firefox, NotePad++ or TrueCrypt. It's copied to such installations as a plug-in or DLL (dynamic link library) and is then executed along with those applications.

In some scenarios, especially when dealing with air-gapped computers, users will temporarily run an application directly from a USB stick in order to avoid installing it on the system itself. There are "portable" versions of many popular applications, and they don't leave any files or registry entries on the system after being used.

The practice is also common among PC support technicians or systems administrators who frequently have to troubleshoot problems on users' computers, so they carry around a USB stick with portable versions of their favorite tools.

USB Thief is a multi-stage malware program, made up of three loader executables, each of which starts the next component in the chain, two encrypted configuration files and a final payload.

Except for the first loader, which is named after a legitimate plug-in or DLL of a portable application, the names of the other components are determined based on cryptographic operations and are different from one infected USB drive to another.

For example, the first loader will calculate a SHA512 hash of its own contents combined with its own creation date and will attempt to execute a file whose name matches that hash. That would be the second loader.

The second loader will check whether it was started by the correct parent process and then will attempt to decrypt a configuration file whose name is the SHA512 hash of its own contents and creation timestamp.

The configuration file is encrypted with the AES128 algorithm, and the key is computed from the USB device's unique ID combined with its disk properties. The second loader will then attempt to run a third loader, whose name is the SHA512 hash of the configuration file's contents and its creation time, and so on.

All of these cryptographic checks make it extremely hard to analyze the malware without physical access to the specific USB device for which it was created. Copying the files to a different USB device or computer will break the execution chain because the file creation dates will change, so the derived file names no longer match. The configuration files also cannot be decrypted without the unique USB ID.
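To make the naming scheme concrete, here is an added example in Python (it is not ESET's code and not the malware's) that models the hash-chained stage names described above and doubles as a simple hunting heuristic for a portable-app directory. The page does not document the exact byte layout the real loaders hash, so hashing the file bytes followed by the decimal creation timestamp is an assumption, as is using the platform's birth time (or inode change time on Linux) as the "creation date"; the dummy stage files are constructed data.

```python
"""Model of hash-chained stage naming, added example (not ESET's or the
malware's code). The content||timestamp encoding is an assumption."""
import hashlib
import os
import tempfile
from pathlib import Path

HEX_DIGITS = set("0123456789abcdef")


def creation_stamp(path):
    """Seconds-resolution creation time. Windows and macOS expose a birth
    time; on Linux st_ctime is the inode change time (assumed to be a good
    enough stand-in for showing that a copy gets a different value)."""
    st = os.stat(path)
    return int(getattr(st, "st_birthtime", st.st_ctime))


def derive_next_name(path, stamp=None):
    """Name of the next stage: SHA-512 over the file bytes followed by the
    decimal creation timestamp (assumed format; a stamp can be supplied to
    simulate a copied file with a new creation time)."""
    if stamp is None:
        stamp = creation_stamp(path)
    h = hashlib.sha512()
    h.update(Path(path).read_bytes())
    h.update(str(stamp).encode("ascii"))
    return h.hexdigest()


def looks_like_sha512_name(name):
    """Heuristic: a bare 128-hex-character file name is unusual in a
    portable-app directory and worth a second look."""
    return len(name) == 128 and set(name.lower()) <= HEX_DIGITS


def find_hash_chain(directory):
    """Return (stage, next_stage) pairs where one file's derived name is
    another file in the same directory, proving the chain without running
    anything on the drive."""
    files = {p.name: p for p in Path(directory).iterdir() if p.is_file()}
    links = []
    for name, path in files.items():
        nxt = derive_next_name(path)
        if nxt in files:
            links.append((name, nxt))
    return links


def hash_named_files(directory):
    """Files in directory whose names look like SHA-512 hex digests."""
    return sorted(p.name for p in Path(directory).iterdir()
                  if p.is_file() and looks_like_sha512_name(p.name))


def build_demo_chain(directory, stages=3):
    """Write a constructed dummy chain: stage 1 named like a legitimate
    plug-in, each later stage named by derive_next_name of its predecessor."""
    directory = Path(directory)
    first = directory / "plugin.dll"   # stand-in for the renamed first loader
    first.write_bytes(b"constructed stage 1 bytes")
    current = first
    for i in range(2, stages + 1):
        nxt = directory / derive_next_name(current)
        nxt.write_bytes(b"constructed stage %d bytes" % i)
        current = nxt
    return first


def run_demo():
    """Build a chain in a temp dir, find it, and show that a copy with a
    different creation time resolves to a different next-stage name."""
    with tempfile.TemporaryDirectory() as tmp:
        first = build_demo_chain(tmp)
        links = find_hash_chain(tmp)
        names = hash_named_files(tmp)
        # A copy made later has a new creation stamp; simulate it with +1 s
        # so the result does not depend on how fast this runs.
        original_next = derive_next_name(first)
        copied_next = derive_next_name(first, stamp=creation_stamp(first) + 1)
        return {
            "links": links,
            "hash_named_files": names,
            "chain_breaks_on_copy": original_next != copied_next,
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Run it as-is to see two chain links and two hash-named files reported from the constructed directory. Pointing `find_hash_chain` and `hash_named_files` at a real portable-app folder on a suspect drive is only meaningful on the original drive, for exactly the reason the article gives: imaging or copying the files first changes the creation times and the derived names no longer line up.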

The final payload is injected into a new Windows svchost.exe process and reads instructions from the second encrypted configuration file. These instructions define which information to steal from the computer, where to store it and how to encrypt it.

"In the case we analyzed, it was configured to steal all data files such as images or documents, the whole windows registry tree (HKCU), file lists from all of the drives, and information gathered using an imported open-source application called 'WinAudit'," the ESET researchers said in a blog post.

The stolen data was saved back to the USB drive and was encrypted using elliptic curve cryptography. Once the USB drive was removed, there was no evidence left on the computer, the ESET researchers said.

All of these special characteristics -- the malware being tied to the USB device it's installed on, the use of strong encryption and cryptographically verified multi-stage execution -- suggest that it was designed for targeted attacks, particularly against air-gapped systems.

Since there is no attempt to immediately send the stolen data over an Internet connection to an external server, it's reasonable to assume that the attackers have the ability to retrieve it from the infected USB drives at a later time.

USB Thief could be a component of a larger cyberespionage platform, for example one that infected Internet-connected computers used by an organization's IT staff. In that case, the attackers would simply wait for those employees to plug the infected USB sticks back into their computers after using them on air-gapped systems and then retrieve the stolen data.

There is precedent for such behavior. The Equation group, which is responsible for one of the most sophisticated and long-running cyberespionage campaigns in history, has used a USB worm called Fanny to both infect air-gapped systems and then pass commands to them.

It would not be difficult to redesign USB Thief to change its data-stealing payload to any other malicious payload, the ESET researchers said.

ESET's statistics show that this new Trojan is not very widespread, but that's not surprising given its nature.

"USB ports should be disabled wherever possible and, if that’s not possible, strict policies should be in place to enforce care in their use," said Tomáš Gardoň, a malware analyst at ESET, in a separate blog post. "It’s highly desirable for staff at all levels to undergo cybersecurity training -- including real-life testing."


Lucian Constantin

IDG News Service