S0136 USBStealer
USBStealer is malware that has been used by APT28 since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with ADVSTORESHELL. [1][2]
Item | Value |
---|---|
ID | S0136 |
Associated Names | |
Type | MALWARE |
Version | 1.2 |
Created | 31 May 2017 |
Last Modified | 19 April 2022 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1119 | Automated Collection | For all non-removable drives on a victim, USBStealer executes automated collection of certain files for later exfiltration. [1] |
enterprise | T1020 | Automated Exfiltration | USBStealer automatically exfiltrates collected files via removable media when an infected device connects to an air-gapped victim machine after initially being connected to an internet-enabled victim machine. [1] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | USBStealer registers itself under a Registry Run key with the name "USB Disk Security." [1] |
enterprise | T1092 | Communication Through Removable Media | USBStealer drops commands for a second victim onto a removable media drive inserted into the first victim, and the commands are executed when the drive is inserted into the second victim. [1] |
enterprise | T1025 | Data from Removable Media | Once a removable media device is inserted back into the first victim, USBStealer collects data from it that was exfiltrated from a second victim. [1][2] |
enterprise | T1074 | Data Staged | - |
enterprise | T1074.001 | Local Data Staging | USBStealer collects files matching certain criteria from the victim and stores them in a local directory for later exfiltration. [1][2] |
enterprise | T1052 | Exfiltration Over Physical Medium | - |
enterprise | T1052.001 | Exfiltration over USB | USBStealer exfiltrates collected files via removable media from air-gapped victims. [1] |
enterprise | T1083 | File and Directory Discovery | USBStealer searches victim drives for files matching certain extensions (".skr", ".pkr" or ".key") or names. [1][2] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | USBStealer has several commands to delete files associated with the malware from the victim. [1] |
enterprise | T1070.006 | Timestomp | USBStealer sets the timestamps of its dropper files to the last-access and last-write timestamps of a standard Windows library chosen on the system. [1] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.005 | Match Legitimate Name or Location | USBStealer mimics a legitimate Russian program called USB Disk Security. [1] |
enterprise | T1027 | Obfuscated Files or Information | Most strings in USBStealer are encrypted using 3DES and XOR and then reversed. [1] |
enterprise | T1120 | Peripheral Device Discovery | USBStealer monitors victims for insertion of removable drives. When dropped onto a second victim, it also enumerates drives connected to the system. [1] |
enterprise | T1091 | Replication Through Removable Media | USBStealer drops itself onto removable media and relies on Autorun to execute the malicious file when a user opens the removable media on another system. [1] |
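Two of the behaviours in the table above give a defender something concrete to hunt for on a host: the Run value named "USB Disk Security" (T1547.001 / T1036.005) and dropper files whose last-write and last-access times were copied from a system library (T1070.006). The script below is an added example written for this page; it is not ATT&CK or ESET code. It parses a constructed `.reg` export of a Run key and flags the reported value name, then applies two timestomp heuristics to a constructed set of file timestamps: last-write older than NTFS creation time, and a (last-write, last-access) pair that exactly mirrors a reference system library. All paths, file names and timestamps in the sample data are placeholders.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a fragment of a .reg export of the per-user Run key.
# Paths are hypothetical; only the value name "USB Disk Security" comes from the page.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"USB Disk Security"="C:\\Users\\alice\\AppData\\Roaming\\PLACEHOLDER_DROPPER.exe"
'''

RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run(Once)?\]$', re.IGNORECASE)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
MASQUERADE_VALUE_NAMES = {'usb disk security'}  # Run value name reported for USBStealer


def _unescape(s):
    # .reg files escape backslash and double quote with a leading backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_run_keys(reg_text):
    """Return [{'key', 'name', 'data'}] for every value under a Run or RunOnce key."""
    entries, current_key, in_run_key = [], None, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current_key = line[1:-1]
            in_run_key = bool(RUN_KEY_RE.search(line))
            continue
        if not in_run_key:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])  # REG_SZ; hex:/dword: values are kept raw
        entries.append({'key': current_key, 'name': _unescape(m.group(1)), 'data': data})
    return entries


def flag_run_entries(entries):
    """Run values whose name matches a name the malware is reported to use."""
    return [e for e in entries if e['name'].strip().lower() in MASQUERADE_VALUE_NAMES]


# Constructed timestamps: two system libraries (reference set) and two user files.
REF_LIBS = [
    {'path': r'C:\Windows\System32\kernel32.dll', 'created': datetime(2021, 6, 5, 3, 12, 0),
     'modified': datetime(2021, 6, 5, 3, 12, 0), 'accessed': datetime(2021, 6, 5, 3, 12, 0)},
    {'path': r'C:\Windows\System32\user32.dll', 'created': datetime(2021, 6, 5, 3, 14, 30),
     'modified': datetime(2021, 6, 5, 3, 14, 30), 'accessed': datetime(2021, 6, 5, 3, 14, 30)},
]
SAMPLE_FILES = [
    # last-write and last-access copied from kernel32.dll, but the NTFS creation time is recent
    {'path': r'C:\Users\alice\AppData\Roaming\PLACEHOLDER_DROPPER.exe',
     'created': datetime(2024, 2, 1, 9, 30, 0),
     'modified': datetime(2021, 6, 5, 3, 12, 0), 'accessed': datetime(2021, 6, 5, 3, 12, 0)},
    {'path': r'C:\Users\alice\Documents\report.docx', 'created': datetime(2024, 1, 10, 8, 0, 0),
     'modified': datetime(2024, 1, 12, 8, 0, 0), 'accessed': datetime(2024, 1, 15, 8, 0, 0)},
]


def timestomp_candidates(files, ref_libs, tolerance=timedelta(seconds=2)):
    """Heuristic triage: flag files whose last-write precedes their creation time,
    or whose (last-write, last-access) pair exactly mirrors a reference library."""
    mirror = {(lib['modified'], lib['accessed']): lib['path'] for lib in ref_libs}
    hits = []
    for f in files:
        reasons = []
        if f['created'] - f['modified'] > tolerance:
            reasons.append('last-write predates creation')
        lib = mirror.get((f['modified'], f['accessed']))
        if lib:
            reasons.append('timestamps mirror ' + lib)
        if reasons:
            hits.append({'path': f['path'], 'reasons': reasons})
    return hits


if __name__ == '__main__':
    for e in flag_run_entries(parse_run_keys(SAMPLE_REG)):
        print('suspicious Run value:', e)
    for h in timestomp_candidates(SAMPLE_FILES, REF_LIBS):
        print('possible timestomp:', h)
```

On a real host the `.reg` input would come from `reg export` of the HKCU and HKLM Run keys, and the file timestamps from the filesystem or an MFT parser. Both heuristics are for triage rather than alerting: a plain file copy also yields a last-write older than the creation time, so the exact mirror of a system library's last-write and last-access pair is the stronger of the two signals.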
Groups That Use This Software
ID | Name | References |
---|---|---|
G0007 | APT28 | [3] |
References
1. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
2. Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
3. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.