Stealthy USB Trojan hides in portable applications, targets air-gapped systems

The USB Thief Trojan makes extensive use of cryptography to hinder analysis and hide data

A Trojan program is being distributed through USB drives and seems to be designed for stealing information from so-called air-gapped computers that are not connected to the Internet.

The new Trojan has been dubbed USB Thief by security researchers from antivirus firm ESET and has several characteristics that set it apart from the traditional malware programs that spread using USB storage devices and the Windows Autorun feature.

First of all, USB Thief infects USB drives that contain portable installations of popular applications like Firefox, NotePad++ or TrueCrypt. It's copied to such installations as a plug-in or DLL (dynamic link library) and is then executed along with those applications.

In some scenarios, especially when dealing with air-gapped computers, users will temporarily run an application directly from an USB stick in order to avoid installing it on the system itself. There are "portable" versions of many popular applications and they don't leave any files or registry entries on the system after being used.

The practice is also common among PC support technicians or systems administrators who frequently have to troubleshoot problems on users' computers, so they carry around a USB stick with portable versions of their favorite tools.

USB Thief Trojan is a multi-stage malware program, made up of three executables, each loading the next component in the chain, two encrypted configuration files and a final payload.

Except for the first loader, which is named after a legitimate plug-in or DLL of a portable application, the names of the other components are determined based on cryptographic operations and are different from one infected USB drive to another.

For example, the first loader will calculate a SHA512 hash of its own contents combined with the its own creation date and will attempt to execute a file whose name matches that hash. That would be the second loader.

The second loader will check if it was started by the correct parent and then will attempt to decrypt a configuration file whose name is the SHA512 hash of its own contents and creation times tamp.

The configuration file is encrypted with the AES128 algorithm and the key is computed from the USB device's unique ID combined of its disk properties. The second loader will then attempt to run a third loader, whose name is the SHA512 hash of the configuration file's contents and its creation time, and so on.

All of these cryptographic verifications make it extremely hard to analyze the malware without physical access to the specific USB device for which it created. Copying the files to a different USB device or computer will break the execution chain because the file creation dates will be modified. The configuration files will also not be decrypted without the unique USB ID.

The final payload is injected into a new Windows svchost.exe process and reads instructions from the second encrypted configuration file. These instructions define which information to steal from the computer, where to store it and how to encrypt it.

"In the case we analyzed, it was configured to steal all data files such as images or documents, the whole windows registry tree (HKCU), file lists from all of the drives, and information gathered using an imported open-source application called 'WinAudit'," the ESET researchers said in a blog post.

The stolen data was saved back to the USB drive and was encrypted using elliptic curve cryptography. Once the USB drive was removed, there was no evidence left on the computer, the ESET researchers said.

All of these special characteristics -- the malware being tied to the USB device it's installed on, the use of strong encryption and cryptographically verified multi-stage execution -- suggests that it was designed for targeted attacks, particularly against air-gapped systems.

Since there is no attempt to immediately send the stolen data over an Internet connection to an external server, it's reasonable to assume that the attackers have the ability to retrieve it from the infected USB drives at a later time.

USB Thief could be a component of a larger cyberespionage platform, for example one that infected Internet-connected computers used by an organization's IT staff. In that case, the attackers would simply wait for those employees to plug the infected USB sticks back into their computers after using them on air-gapped systems and then retrieve the stolen data.

There is precedent for such behavior. The Equation group, which is responsible for one of the most sophisticated and long-running cyberespionage campaigns in history, has used an USB worm called Fanny to both infect air-gapped systems and then pass commands to them.

It would not be difficult to redesign USB Thief to change its data-stealing payload to any other malicious payload, the ESET researchers said.

ESET's statistics shows that this new Trojan is not very widespread, but that's not surprising giving its nature.

"USB ports should be disabled wherever possible and, if that’s not possible, strict policies should be in place to enforce care in their use," said Tomáš Gardoň, a malware analyst at ESET, in a separate blog post. "It’s highly desirable for staff at all levels to undergo cybersecurity training -- including real-life testing."

Join the CSO newsletter!

Error: Please check your email address.

More about ESET

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts