Stealthy USB Trojan hides in portable applications, targets air-gapped systems

The USB Thief Trojan makes extensive use of cryptography to hinder analysis and hide data

A Trojan program is being distributed through USB drives and seems to be designed for stealing information from so-called air-gapped computers that are not connected to the Internet.

The new Trojan has been dubbed USB Thief by security researchers from antivirus firm ESET and has several characteristics that set it apart from the traditional malware programs that spread using USB storage devices and the Windows Autorun feature.

First of all, USB Thief infects USB drives that contain portable installations of popular applications like Firefox, NotePad++ or TrueCrypt. It's copied to such installations as a plug-in or DLL (dynamic link library) and is then executed along with those applications.

In some scenarios, especially when dealing with air-gapped computers, users will temporarily run an application directly from a USB stick in order to avoid installing it on the system itself. There are "portable" versions of many popular applications and they don't leave any files or registry entries on the system after being used.

The practice is also common among PC support technicians or systems administrators who frequently have to troubleshoot problems on users' computers, so they carry around a USB stick with portable versions of their favorite tools.

USB Thief Trojan is a multi-stage malware program, made up of three executables, each loading the next component in the chain, two encrypted configuration files and a final payload.

Except for the first loader, which is named after a legitimate plug-in or DLL of a portable application, the names of the other components are determined based on cryptographic operations and are different from one infected USB drive to another.

For example, the first loader will calculate a SHA512 hash of its own contents combined with its own creation date and will attempt to execute a file whose name matches that hash. That would be the second loader.

The second loader will check if it was started by the correct parent and then will attempt to decrypt a configuration file whose name is the SHA512 hash of its own contents and creation timestamp.

The configuration file is encrypted with the AES128 algorithm and the key is computed from the USB device's unique ID combined with its disk properties. The second loader will then attempt to run a third loader, whose name is the SHA512 hash of the configuration file's contents and its creation time, and so on.

All of these cryptographic verifications make it extremely hard to analyze the malware without physical access to the specific USB device for which it was created. Copying the files to a different USB device or computer will break the execution chain because the file creation dates will be modified. The configuration files will also not be decrypted without the unique USB ID.
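A defender-side heuristic for the naming pattern described above, added here as an example and not code from ESET or the article: it flags files whose name equals a SHA-512 digest derived from a sibling file's bytes and creation time. The article does not publish the exact byte layout of content plus timestamp, so the three candidate encodings are assumptions and a hit is an analyst lead, not proof of infection.

```python
# Added example (not ESET's code): heuristic scanner for the file-naming pattern
# the article describes, where each loader's name is SHA-512 of the previous
# component's bytes combined with its creation timestamp. The exact byte layout
# USB Thief uses is not published on the page; the candidate encodings below are
# assumptions, so treat a hit as a lead for analysts, not proof of infection.
import hashlib
import os
from typing import Dict, List, Tuple

def candidate_names(content: bytes, created: int) -> List[str]:
    """Hex SHA-512 digests for a few plausible (assumed) content+timestamp layouts."""
    encodings = [
        content + str(created).encode(),          # decimal epoch appended
        content + created.to_bytes(8, "little"),  # raw 64-bit epoch appended
        str(created).encode() + content,          # timestamp prepended
    ]
    return [hashlib.sha512(e).hexdigest() for e in encodings]

def find_hash_chains(files: Dict[str, Tuple[bytes, int]]) -> List[Tuple[str, str]]:
    """Return (parent, child) pairs where child's name equals a digest derived
    from parent's content and creation time. `files` maps lower-case name
    (without extension) to (content, creation epoch seconds)."""
    hits = []
    for parent, (content, created) in files.items():
        for digest in candidate_names(content, created):
            if digest in files and digest != parent:
                hits.append((parent, digest))
    return hits

def creation_time(st: os.stat_result) -> int:
    # st_birthtime exists on Windows/macOS/BSD; Linux stat() exposes only ctime.
    return int(getattr(st, "st_birthtime", st.st_ctime))

def scan_directory(path: str) -> List[Tuple[str, str]]:
    """Load every regular file in `path` (e.g. a portable app's plug-in folder)
    and look for derived-name chains among them."""
    files: Dict[str, Tuple[bytes, int]] = {}
    for entry in os.scandir(path):
        if entry.is_file():
            with open(entry.path, "rb") as fh:
                stem = os.path.splitext(entry.name)[0].lower()
                files[stem] = (fh.read(), creation_time(entry.stat()))
    return find_hash_chains(files)

if __name__ == "__main__":
    import sys
    for parent, child in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"suspicious chain: {parent} -> {child}")
```

Run it against the plug-in or DLL directory of a portable application copied off the suspect drive; because creation times change on copy, scan the original medium where possible.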

The final payload is injected into a new Windows svchost.exe process and reads instructions from the second encrypted configuration file. These instructions define which information to steal from the computer, where to store it and how to encrypt it.

"In the case we analyzed, it was configured to steal all data files such as images or documents, the whole windows registry tree (HKCU), file lists from all of the drives, and information gathered using an imported open-source application called 'WinAudit'," the ESET researchers said in a blog post.

The stolen data was saved back to the USB drive and was encrypted using elliptic curve cryptography. Once the USB drive was removed, there was no evidence left on the computer, the ESET researchers said.

All of these special characteristics -- the malware being tied to the USB device it's installed on, the use of strong encryption and cryptographically verified multi-stage execution -- suggest that it was designed for targeted attacks, particularly against air-gapped systems.

Since there is no attempt to immediately send the stolen data over an Internet connection to an external server, it's reasonable to assume that the attackers have the ability to retrieve it from the infected USB drives at a later time.

USB Thief could be a component of a larger cyberespionage platform, for example one that infected Internet-connected computers used by an organization's IT staff. In that case, the attackers would simply wait for those employees to plug the infected USB sticks back into their computers after using them on air-gapped systems and then retrieve the stolen data.

There is precedent for such behavior. The Equation group, which is responsible for one of the most sophisticated and long-running cyberespionage campaigns in history, has used a USB worm called Fanny to both infect air-gapped systems and then pass commands to them.

It would not be difficult to redesign USB Thief to change its data-stealing payload to any other malicious payload, the ESET researchers said.

ESET's statistics show that this new Trojan is not very widespread, but that's not surprising given its nature.

"USB ports should be disabled wherever possible and, if that’s not possible, strict policies should be in place to enforce care in their use," said Tomáš Gardoň, a malware analyst at ESET, in a separate blog post. "It’s highly desirable for staff at all levels to undergo cybersecurity training -- including real-life testing."


Lucian Constantin

IDG News Service