A threefold surge: increasing incidents of data theft via infected USB drives

In the first half of 2023, Mandiant observed at least a 3x increase in the use of infected USB drives to steal confidential data. Previously, Mandiant disclosed an attack in the Philippines. This article describes two other USB drive-based cyber espionage operations discovered by researchers.


Infection with SOGU malware via USB flash drive

This is an espionage attack delivered by USB flash drive that targets both the public and private sectors across a variety of industry verticals around the world. Attackers use the USB flash drives to load SOGU malware and steal sensitive information from the host.

Mandiant attributed the attack to the TEMP.Hex attack group, which targeted multiple industries in Europe, Asia and the United States, posing a threat to the construction, engineering, business services, government, health, transportation and retail industries.

Spreading SNOWYDRIVE malware via USB flash drive

Attackers used USB flash drives to spread SNOWYDRIVE malware. Once loaded, it creates a backdoor on the compromised host through which the attacker remotely issues commands, including copying the malware to other flash drives so that it spreads further through the network.

Mandiant attributed the attacks to UNC4698, a group targeting oil and gas companies in Asia. Once access is gained, the attacker can execute arbitrary commands, modify the registry, and more.

SOGU malware

Researchers first discovered the campaign by hunting for suspicious file writes in open directories that attackers use to stage malware, attack tools and utilities.

[Image: Distribution of victims by country]

[Image: Distribution of victims by industry]

Initial infection

Infected USB flash drives are the initial infection vector and contain multiple pieces of malware designed to load malicious payloads into memory via DLL hijacking.

[Image: Attack chain]

Foothold

The complete infection chain usually consists of three files: a legitimate executable, a malicious DLL loader, and an encrypted payload file. The following shows the malware files and paths discovered across the attack lifecycle:

[Image: Malware files and paths; the legitimate executable is commonly a security product]

When the legitimate executable runs, it loads the malicious DLL (KORPLUG). KORPLUG then loads the shellcode from the encrypted .dat file and executes it in memory. The shellcode is a backdoor written in C, named SOGU.

Reconnaissance

Reconnaissance continues with a batch file placed under the RECYCLE.BIN path. The batch file probes the host and writes the results to a file named c3lzLmluZm8, which base64-decodes to sys.info. The script runs the following commands to collect system metadata:

  • tasklist /v
  • arp -a
  • netstat -ano
  • ipconfig /all
  • systeminfo

The malware then retrieves files with the following extensions on the C drive:

  • .doc
  • .docx
  • .ppt
  • .pptx
  • .xls
  • .xlsx
  • .pdf

The malware encrypts a copy of each file, base64-encodes the original file name, and places the encrypted files into the following directory:

  • C:\Users\AppData\Roaming\Intel\
  • :\RECYCLER.BIN\
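As an added example (not from the original report), a Python check that spots staged files by the naming the page describes: file names that base64-decode to sys.info or to one of the targeted document extensions. The directory listing is constructed, and the decoder assumes the malware strips base64 padding, as the page's c3lzLmluZm8 suggests.

```python
import base64
import binascii

# Document extensions the collector targets (from the page) plus the recon
# output file name, which is staged under its base64 form "c3lzLmluZm8".
STAGED_EXTENSIONS = (".doc", ".docx", ".ppt", ".pptx", ".xls", ".xlsx", ".pdf")
RECON_OUTPUT = "sys.info"

def encode_name(name):
    """Base64-encode a file name as the staged names appear on the page:
    standard alphabet, padding stripped (assumption based on c3lzLmluZm8)."""
    return base64.b64encode(name.encode("utf-8")).decode("ascii").rstrip("=")

def decode_staged_name(encoded):
    """Return the decoded original name, or None if the name is not base64
    or does not decode to a printable UTF-8 string."""
    padded = encoded + "=" * (-len(encoded) % 4)   # restore stripped padding
    try:
        raw = base64.b64decode(padded, validate=True)
        decoded = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return decoded if decoded and decoded.isprintable() else None

def find_staged_files(listing):
    """Scan a directory listing (file names) and return (encoded, decoded)
    pairs whose decoded name is sys.info or carries a targeted extension."""
    hits = []
    for encoded in listing:
        decoded = decode_staged_name(encoded)
        if decoded is None:
            continue
        lower = decoded.lower()
        if lower == RECON_OUTPUT or lower.endswith(STAGED_EXTENSIONS):
            hits.append((encoded, decoded))
    return hits

# Constructed listing: two staged names, a benign name outside the base64
# alphabet, and a benign name that is base64-shaped but decodes to junk.
SAMPLE_LISTING = [
    "c3lzLmluZm8",                     # sys.info, from the page
    encode_name("Q3 report.docx"),     # constructed staged document
    "setup.log",                       # '.' is not a base64 character
    "desktop",                         # decodes to non-UTF-8 bytes
]
```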

Persistence

To persist, the malware creates a directory disguised as belonging to a legitimate program, sets the directory's attributes to hidden, and copies its main components into it. Commonly observed paths:

  • C:\ProgramData\AvastSvcpCP
  • C:\ProgramData\AAM UpdatesHtA
  • C:\ProgramData\AcroRd32cWP
  • C:\ProgramData\Smadav\SmadavNSK

It then creates a Run registry value with the same name as that directory, so the program starts automatically when the user logs in:

  • Value: AvastSvcpCP
  • Text: C:\ProgramData\AvastSvcpCP\AvastSvc.exe
  • Value: AAM UpdatesHtA
  • Text: C:\ProgramData\AAM UpdatesHtA\AAM Updates.exe
  • Value: AcroRd32cWP
  • Text: C:\ProgramData\AcroRd32cWP\AcroRd32.exe
  • Value: SmadavNSK
  • Text: C:\ProgramData\Smadav\SmadavNSK\Smadav.exe

Some SOGU variants additionally create a scheduled task: SCHTASKS.exe /create /sc minute /mo 10 /tn "Autodesk plugin" /tr "\"C:\ProgramData\Smadav\SmadavNSK\Smadav.exe\" 644" /f. The task runs the malware every ten minutes for persistence.
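An added detection heuristic (not Mandiant's code) that applies the persistence pattern above to Run-key entries and a schtasks command line: a Run value named after its own directory beneath C:\ProgramData, and a minute-interval scheduled task launching from there. The entries are constructed from the page's paths plus benign examples; exe_from_command and the directory-depth limit are my assumptions.

```python
import ntpath
import re

# Heuristic (added here, not from the report): SOGU starts from a hidden
# C:\ProgramData directory named after the Run value that launches it.
PROGRAMDATA = "c:\\programdata\\"

def exe_from_command(data):
    """Pull the executable path out of Run-value data or a /tr argument (quoted or not)."""
    data = data.replace('\\"', '"')           # unescape \" as used inside /tr
    m = re.search(r'"([^"]+?\.exe)"|([A-Za-z]:\\.+?\.exe)(?=\s|$)', data, re.I)
    return (m.group(1) or m.group(2)) if m else None

def under_programdata_named_after(exe, name):
    """True when exe sits in C:\\ProgramData\\<name> or C:\\ProgramData\\<vendor>\\<name>."""
    parent = ntpath.dirname(exe)
    if not parent.lower().startswith(PROGRAMDATA):
        return False
    depth = parent[len(PROGRAMDATA):].count("\\")   # 0 = directly under ProgramData
    return depth <= 1 and ntpath.basename(parent).lower() == name.lower()

def suspicious_run_entries(entries):
    """entries: (value_name, data) pairs from a Run key; returns matching (value_name, exe)."""
    hits = []
    for name, data in entries:
        exe = exe_from_command(data)
        if exe and under_programdata_named_after(exe, name):
            hits.append((name, exe))
    return hits

def suspicious_schtask(cmdline):
    """Parse 'schtasks /create'; return (task, schedule, exe) for a minute-interval
    task that runs from C:\\ProgramData, else None."""
    sc = re.search(r"/sc\s+(\w+)", cmdline, re.I)
    tn = re.search(r'/tn\s+"([^"]+)"', cmdline, re.I)
    tr = re.search(r'/tr\s+"((?:\\"|[^"])*)"', cmdline, re.I)   # allows \" inside
    exe = exe_from_command(tr.group(1)) if tr else None
    if sc and tn and exe and sc.group(1).lower() == "minute" \
            and exe.lower().startswith(PROGRAMDATA):
        return (tn.group(1), sc.group(1).lower(), exe)
    return None

# Constructed Run entries: three from the page plus two benign ones.
SAMPLE_RUN = [
    ("AvastSvcpCP", r"C:\ProgramData\AvastSvcpCP\AvastSvc.exe"),
    ("AAM UpdatesHtA", r"C:\ProgramData\AAM UpdatesHtA\AAM Updates.exe"),
    ("SmadavNSK", r"C:\ProgramData\Smadav\SmadavNSK\Smadav.exe"),
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Updater", r"C:\ProgramData\Vendor\bin\updater.exe --quiet"),
]
SAMPLE_SCHTASKS = (r'SCHTASKS.exe /create /sc minute /mo 10 /tn "Autodesk plugin" '
                   r'/tr "\"C:\ProgramData\Smadav\SmadavNSK\Smadav.exe\" 644" /f')
```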

Completing the mission

In the final stage of the attack, the malware sends the collected data back. Communication uses a custom protocol carried over HTTP, HTTPS, TCP or UDP, and ICMP. The backdoor also supports a range of commands, including file transfer, file execution, remote desktop, screenshots, reverse shell, and keylogging.

The malware can also copy itself to any new removable device attached to the compromised host, letting it spread to further systems and carry collected data back out of air-gapped networks.

SNOWYDRIVE attacks Asian oil and gas companies

When a user is lured into executing the malware from a USB drive, the telltale sign is a process launched with a suspicious folder path on its command line. While this kind of activity is not uncommon, the researchers determined that it belonged to a distinct espionage operation.

Initial infection

An infected USB flash drive is the initial infection vector: the victim is lured into clicking a malicious file disguised as a legitimate executable. Once executed, it triggers a series of malicious actions.

[Image: Attack chain]

Foothold

The infection chain usually starts with an executable that writes the malicious files to disk and launches them. For example, a malicious program named USB Drive.exe writes the following encrypted files to C:\Users\Public\SymantecsThorvices\Data:

  • aweu23jj46jm7dc
  • bjca3a0e2sfbs
  • asdigasur3ase
  • sf33kasliaeae
  • sf24acvywsake

These encrypted files contain executables and DLLs, which are extracted and written to the directory C:\Users\Public\SymantecsThorvices\Bin.

[Image: Component status]

The files form four components, each consisting of a malicious DLL loaded by a legitimate executable via DLL search order hijacking. As shown below, each component is responsible for one part of the attack.

[Image: Component list]

Command and Control

The shellcode-based backdoor, named SNOWYDRIVE, generates a unique identifier from the system name, username and volume serial number. This identifier serves as the host's ID in C&C communication; the C&C domain name is usually hardcoded in the shellcode.

[Image: Hardcoded domain name]

The backdoor supports the following commands:

[Image: Supported commands]

Persistence

The malware uses the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ushsguaei1hgba registry key for persistence, which stores the path to Silverlight.Configuration.exe.

Lateral movement

The malware copies itself to any removable drive attached to the compromised host. It first creates the folder \Kaspersky\Usb Drive\3.0 and copies in the encrypted files that hold the malicious components. It then extracts the executable from the file aweu23jj46jm7dc and writes it to \ .exe; this executable is responsible for extracting and running the contents of the encrypted files.

Impact

Mandiant identified print shops, printers and hotels as the focus of the attacks, which may be part of a long-term information collection effort or of a follow-up campaign targeting nation-state actors.

Organizations should prioritize restricting access to external devices such as USB drives; where that is not possible, they should at least scan such devices for malicious code before use.

Yara

SOGU

rule M_Code_SOGU
{
    meta:
        author = "Mandiant"
        description = "Hunting rule for SOGU"
        sha256 = "8088b1b1fabd07798934ed3349edc468062b166d5413e59e78216e69e7ba58ab"
    strings:
        $sb1 = { 8B [2] C7 ?? 01 03 19 20 8B [2] C7 ?? 04 01 10 00 00 8B [2] C7 ?? 08 00 00 00 00 8B [2] C7 ?? 0C 00 00 00 00 0F B7 }
        $sb2 = { 8B ?? 0C C7 ?? 01 03 19 20 8B ?? 0C C7 ?? 04 00 10 00 00 6A 40 E8 [4] 83 C4 04 8B ?? 0C 89 ?? 08 8B ?? 0C C7 ?? 0C 00 00 00 00 C7 [2] 00 00 00 00 EB 09 8B [2] 83 ?? 01 89 [2] 8B ?? 0C 8B [2] 3? ?? 08 7? ?? 68 FF 00 00 00 E8 [4] 83 C4 04 8B [2] 03 [2] 88 ?? 10 EB D4 }
    condition:
        (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C) + 0x18) == 0x010B) and all of them
}

FROZENHILL

rule M_Code_FROZENHILL
{
    meta:
        author = "Mandiant"
        description = "Hunting rule for FROZENHILL"
        sha256 = "89558b4190abcdc1a2353eda591901df3bb8856758f366291df85c5345837448"
    strings:
        $str1 = "path_symantec" ascii
        $str2 = "symantec_dir" ascii
        $str3 = "name_svchost" ascii
        $str4 = "run_cmd" ascii
        $str5 = "usb_dll_name" ascii
        $str6 = "name_mutex" ascii
        $str7 = "cmd /c \"%s\" %d" wide
        $str8 = { 8B 85 [4] 83 ?? 01 89 85 [4] 8B 85 [4] 3B 45 0C 74 ?? 8B 45 ?? 03 85 [4] 0F B6 08 33 8D [4] 81 E1 [4] 8B 95 [4] C1 EA ?? 33 94 8D [4] 89 95 [4] EB }
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of them
}

ZIPZAG

rule M_Code_ZIPZAG
{
    meta:
        author = "Mandiant"
        description = "Hunting rule for ZIPZAG"
        sha256 = "8a968a91c78916a0bb32955cbedc71a79b06a21789cab8b05a037c8f2105e0aa"
    strings:
        $str1 = { C6 45 ?? 55 C6 45 ?? 8B C6 45 ?? EC C6 45 ?? 81 C6 45 ?? EC C6 45 ?? 08 C6 45 ?? 01 C6 45 ?? 00 C6 45 ?? 00 C6 45 ?? C7 C6 45 ?? 45 C6 45 ?? FC C6 45 ?? 78 C6 45 ?? 56 C6 45 ?? 34 C6 45 ?? 12 C6 45 ?? 68 C6 45 ?? 04 C6 45 ?? 01 C6 45 ?? 00 C6 45 ?? 00 C6 45 ?? 8D C6 45 ?? 85 C6 45 ?? F8 C6 45 ?? FE C6 45 ?? FF C6 45 ?? FF C6 45 ?? 50 C6 45 ?? FF C6 45 ?? 75 C6 45 ?? FC C6 45 ?? B8 C6 45 ?? 79 C6 45 ?? 56 C6 45 ?? 34 C6 45 ?? 12 C6 45 ?? FF C6 45 ?? D0 C6 45 ?? FF C6 45 ?? 75 C6 45 ?? FC C6 45 ?? B8 C6 45 ?? 7A C6 45 ?? 56 C6 45 ?? 34 C6 45 ?? 12 C6 45 ?? FF C6 45 ?? D0 C6 45 ?? 8D C6 45 ?? 85 C6 45 ?? F8 C6 45 ?? FE C6 45 ?? FF C6 45 ?? FF C6 45 ?? 50 C6 45 ?? B8 C6 45 ?? 7B C6 45 ?? 56 C6 45 ?? 34 C6 45 ?? 12 C6 45 ?? FF C6 45 ?? D0 C6 45 ?? C9 C6 45 ?? C3 }
        $str2 = "shellcode_size" ascii
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of them
}

SNOWYDRIVE

rule M_Code_SNOWYDRIVE
{
    meta:
        author = "Mandiant"
        description = "Hunting rule for SNOWYDRIVE"
        sha256 = "964c380bc6ffe313e548336c9dfaabbd01a5519e8635adde42eedb7e1187c0b3"
    strings:
        // "kernel32.dll" written byte by byte onto the stack
        $str1 = { C6 45 ?? 6B C6 45 ?? 65 C6 45 ?? 72 C6 45 ?? 6E C6 45 ?? 65 C6 45 ?? 6C C6 45 ?? 33 C6 45 ?? 32 C6 45 ?? 2E C6 45 ?? 64 C6 45 ?? 6C C6 45 ?? 6C }
        // "GetProcAddress"
        $str2 = { C6 45 ?? 47 C6 45 ?? 65 C6 45 ?? 74 C6 45 ?? 50 C6 45 ?? 72 C6 45 ?? 6F C6 45 ?? 63 C6 45 ?? 41 C6 45 ?? 64 C6 45 ?? 64 C6 45 ?? 72 C6 45 ?? 65 C6 45 ?? 73 C6 45 ?? 73 }
        // "LoadLibraryA"
        $str3 = { C6 85 ?? FD FF FF 4C C6 85 ?? FD FF FF 6F C6 85 ?? FD FF FF 61 C6 85 ?? FD FF FF 64 C6 85 ?? FD FF FF 4C C6 85 ?? FD FF FF 69 C6 85 ?? FD FF FF 62 C6 85 ?? FD FF FF 72 C6 85 ?? FD FF FF 61 C6 85 ?? FD FF FF 72 C6 85 ?? FD FF FF 79 C6 85 ?? FD FF FF 41 }
        // "WaitForSingleObjec"
        $str4 = { C6 85 ?? FC FF FF 57 C6 85 ?? FC FF FF 61 C6 85 ?? FC FF FF 69 C6 85 ?? FC FF FF 74 C6 85 ?? FC FF FF 46 C6 85 ?? FC FF FF 6F C6 85 ?? FC FF FF 72 C6 85 ?? FC FF FF 53 C6 85 ?? FD FF FF 69 C6 85 ?? FD FF FF 6E C6 85 ?? FD FF FF 67 C6 85 ?? FD FF FF 6C C6 85 ?? FD FF FF 65 C6 85 ?? FD FF FF 4F C6 85 ?? FD FF FF 62 C6 85 ?? FD FF FF 6A C6 85 ?? FD FF FF 65 C6 85 ?? FD FF FF 63 }
    condition:
        // raw shellcode: not a PE, ELF or Mach-O file
        uint16(0) != 0x5A4D and uint32(0) != 0x464c457f and uint32(0) != 0xBEBAFECA and uint32(0) != 0xFEEDFACE and uint32(0) != 0xFEEDFACF and uint32(0) != 0xCEFAEDFE and all of them
}

Hunting Rules

rule hunting_T1091_User_Execution_Malicious_File
{
    meta:
        rule_name = "Replication Through Removable Media"
        description = "This rule detects a file write event from a RECYCLER/S named path to another directory"
        author = "Mandiant Managed Defense"
        mitre_technique_name = "User Execution: Malicious File"
        mitre_technique = "T1204"
        mitre_tactic_name = "Execution"
        platform = "Windows"
    events:
        $e.target.process.path = ":\RECYCLER.BIN" nocase or
        $e.target.process.path = ":\RECYCLERS.BIN" nocase
    condition:
        $e
}

rule hunting_T1091_Replication_Through_Removable_Media
{
    meta:
        rule_name = "Replication Through Removable Media"
        description = "This rule detects windows explorer process execution with a suspicious folder path specified on the command line"
        author = "Mandiant Managed Defense"
        mitre_technique_name = "Replication Through Removable Media"
        mitre_technique = "T1091"
        mitre_tactic_name = "Lateral Movement,Initial Access"
        platform = "Windows"
    events:
        $e.target.process = "explorer.exe" and
        re.regex($e.principal.process.command_line, `explorer\.exe"?\s+"?[A-BD-Za-bd-z]:\\`) nocase and
        re.regex($e.principal.process.full_path, `:\\[^\\]+\.exe$`) nocase
    condition:
        $e
}
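The two hunting rules, re-expressed as Python predicates over constructed process events (an added example, not Mandiant's rule code). The event fields path, command_line and parent_path are an assumed flattening of the rules' target/principal process fields.

```python
import re

# Added example, not Mandiant's code. Assumed event shape:
# {"path": launched process path, "command_line": its command line,
#  "parent_path": full path of the launching (principal) process}.
RECYCLER_PATHS = (":\\recycler.bin", ":\\recyclers.bin")
# explorer.exe opened with a folder on a non-C drive (removable media) on its command line
EXPLORER_REMOVABLE = re.compile(r'explorer\.exe"?\s+"?[A-BD-Za-bd-z]:\\', re.I)
# launching executable sitting directly in a drive root, e.g. E:\USB Drive.exe
ROOT_EXE = re.compile(r':\\[^\\]+\.exe$', re.I)

def rule_recycler_path(event):
    """T1204 rule: process started from a RECYCLER.BIN / RECYCLERS.BIN path."""
    path = event["path"].lower()
    return any(marker in path for marker in RECYCLER_PATHS)

def rule_explorer_from_removable(event):
    """T1091 rule: explorer.exe opening a non-C drive, launched by a root-level exe."""
    return (event["path"].lower().endswith("\\explorer.exe")
            and EXPLORER_REMOVABLE.search(event["command_line"]) is not None
            and ROOT_EXE.search(event["parent_path"]) is not None)

RULES = {
    "T1204_recycler_path": rule_recycler_path,
    "T1091_explorer_from_removable": rule_explorer_from_removable,
}

def hunt(events):
    """Return (event index, rule name) pairs for every event a rule matches."""
    return [(i, name) for i, event in enumerate(events)
            for name, rule in RULES.items() if rule(event)]

# Constructed events: two modelled on the chains described above, two benign.
SAMPLE_EVENTS = [
    {"path": r"E:\RECYCLER.BIN\sys.bat", "command_line": r"E:\RECYCLER.BIN\sys.bat",
     "parent_path": r"C:\Windows\System32\cmd.exe"},
    {"path": r"C:\Windows\explorer.exe", "command_line": r'"C:\Windows\explorer.exe" "E:\"',
     "parent_path": r"E:\USB Drive.exe"},
    {"path": r"C:\Windows\explorer.exe", "command_line": r'"C:\Windows\explorer.exe" "C:\Users\alice\Documents"',
     "parent_path": r"C:\Program Files\Editor\editor.exe"},
    {"path": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c dir",
     "parent_path": r"C:\Windows\explorer.exe"},
]
```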

IOC

