Stealthy USB Trojan hides in portable applications, targets air-gapped systems

The USB Thief Trojan makes extensive use of cryptography to hinder analysis and hide data

A Trojan program is being distributed through USB drives and seems to be designed for stealing information from so-called air-gapped computers that are not connected to the Internet.

The new Trojan has been dubbed USB Thief by security researchers from antivirus firm ESET and has several characteristics that set it apart from the traditional malware programs that spread using USB storage devices and the Windows Autorun feature.

First of all, USB Thief infects USB drives that contain portable installations of popular applications like Firefox, NotePad++ or TrueCrypt. It's copied to such installations as a plug-in or DLL (dynamic link library) and is then executed along with those applications.

In some scenarios, especially when dealing with air-gapped computers, users will temporarily run an application directly from a USB stick in order to avoid installing it on the system itself. There are "portable" versions of many popular applications, and they don't leave any files or registry entries on the system after being used.

The practice is also common among PC support technicians or systems administrators who frequently have to troubleshoot problems on users' computers, so they carry around a USB stick with portable versions of their favorite tools.

USB Thief Trojan is a multi-stage malware program, made up of three executables, each loading the next component in the chain, two encrypted configuration files and a final payload.

Except for the first loader, which is named after a legitimate plug-in or DLL of a portable application, the names of the other components are determined based on cryptographic operations and are different from one infected USB drive to another.

For example, the first loader will calculate a SHA512 hash of its own contents combined with its own creation date and will attempt to execute a file whose name matches that hash. That would be the second loader.

The second loader will check if it was started by the correct parent and then will attempt to decrypt a configuration file whose name is the SHA512 hash of its own contents and creation timestamp.

The configuration file is encrypted with the AES128 algorithm, and the key is derived from the USB device's unique ID combined with its disk properties. The second loader will then attempt to run a third loader, whose name is the SHA512 hash of the configuration file's contents and its creation time, and so on.

All of these cryptographic verifications make it extremely hard to analyze the malware without physical access to the specific USB device for which it was created. Copying the files to a different USB device or computer will break the execution chain because the file creation dates will be modified. The configuration files also cannot be decrypted without the unique USB ID.
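One way a defender can hunt for this naming pattern on a portable-app USB stick, as an added example that is not ESET's code or the malware's: flag any file whose name is the SHA-512 of another file's contents plus creation time. The exact encoding of the timestamp is not published on this page, so the two encodings tried below are assumptions; the sample directory is constructed.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumption (not from ESET's analysis): the creation timestamp is appended to
# the file bytes either as Unix seconds or as a "YYYY-MM-DD HH:MM:SS" string.


def creation_time(path: Path) -> int:
    """Creation time in whole seconds; falls back to ctime where the OS has no birth time."""
    st = path.stat()
    return int(getattr(st, "st_birthtime", st.st_ctime))


def candidate_names(path: Path) -> set[str]:
    """Hex SHA-512 digests of (contents || creation time) under each assumed encoding."""
    data = path.read_bytes()
    ts = creation_time(path)
    encodings = [
        str(ts).encode(),
        datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S").encode(),
    ]
    return {hashlib.sha512(data + enc).hexdigest() for enc in encodings}


def find_chained_files(directory: Path) -> list[tuple[Path, Path]]:
    """Return (parent, child) pairs where child's file name (stem, case-insensitive)
    equals a digest derived from parent: the loader-chain naming the article describes."""
    files = [p for p in directory.iterdir() if p.is_file()]
    by_stem = {p.stem.lower(): p for p in files}  # 128 hex chars plus any extension
    hits = []
    for parent in files:
        for name in candidate_names(parent):
            child = by_stem.get(name)
            if child is not None and child != parent:
                hits.append((parent, child))
    return hits


def build_sample() -> tuple[Path, Path, Path]:
    """Constructed fixture: a fake plug-in plus a second file named after its digest."""
    d = Path(tempfile.mkdtemp())
    parent = d / "plugin.dll"
    parent.write_bytes(b"constructed first-stage stub")
    child = d / (sorted(candidate_names(parent))[0] + ".exe")
    child.write_bytes(b"constructed second-stage stub")
    (d / "readme.txt").write_bytes(b"unrelated file")
    return d, parent, child


if __name__ == "__main__":
    sample_dir, _, _ = build_sample()
    for parent, child in find_chained_files(sample_dir):
        print(f"{child.name} is named after SHA-512({parent.name} || creation time)")
```

On a real stick, point `find_chained_files` at the portable application's plug-in directory; a hit is only an indicator, since a legitimate file is never named after another file's digest by accident but the timestamp encoding assumed here may not match.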

The final payload is injected into a new Windows svchost.exe process and reads instructions from the second encrypted configuration file. These instructions define which information to steal from the computer, where to store it and how to encrypt it.

"In the case we analyzed, it was configured to steal all data files such as images or documents, the whole windows registry tree (HKCU), file lists from all of the drives, and information gathered using an imported open-source application called 'WinAudit'," the ESET researchers said in a blog post.

The stolen data was saved back to the USB drive and was encrypted using elliptic curve cryptography. Once the USB drive was removed, there was no evidence left on the computer, the ESET researchers said.

All of these special characteristics -- the malware being tied to the USB device it's installed on, the use of strong encryption and cryptographically verified multi-stage execution -- suggest that it was designed for targeted attacks, particularly against air-gapped systems.

Since there is no attempt to immediately send the stolen data over an Internet connection to an external server, it's reasonable to assume that the attackers have the ability to retrieve it from the infected USB drives at a later time.

USB Thief could be a component of a larger cyberespionage platform, for example one that infected Internet-connected computers used by an organization's IT staff. In that case, the attackers would simply wait for those employees to plug the infected USB sticks back into their computers after using them on air-gapped systems and then retrieve the stolen data.

There is precedent for such behavior. The Equation group, which is responsible for one of the most sophisticated and long-running cyberespionage campaigns in history, has used a USB worm called Fanny to both infect air-gapped systems and then pass commands to them.

It would not be difficult to redesign USB Thief to change its data-stealing payload to any other malicious payload, the ESET researchers said.

ESET's statistics show that this new Trojan is not very widespread, but that's not surprising given its nature.

"USB ports should be disabled wherever possible and, if that’s not possible, strict policies should be in place to enforce care in their use," said Tomáš Gardoň, a malware analyst at ESET, in a separate blog post. "It’s highly desirable for staff at all levels to undergo cybersecurity training -- including real-life testing."


Lucian Constantin

IDG News Service