Skip to content

S0136 USBStealer

USBStealer is malware that has been used by APT28 since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with ADVSTORESHELL. 1 2

Item Value
ID S0136
Associated Names
Version 1.2
Created 31 May 2017
Last Modified 19 April 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1119 Automated Collection For all non-removable drives on a victim, USBStealer executes automated collection of certain files for later exfiltration.1
enterprise T1020 Automated Exfiltration USBStealer automatically exfiltrates collected files via removable media when an infected device connects to an air-gapped victim machine after initially being connected to an internet-enabled victim machine. 1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder USBStealer registers itself under a Registry Run key with the name “USB Disk Security.”1
enterprise T1092 Communication Through Removable Media USBStealer drops commands for a second victim onto a removable media drive inserted into the first victim, and commands are executed when the drive is inserted into the second victim.1
enterprise T1025 Data from Removable Media Once a removable media device is inserted back into the first victim, USBStealer collects data from it that was exfiltrated from a second victim.12
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging USBStealer collects files matching certain criteria from the victim and stores them in a local directory for later exfiltration.12
enterprise T1052 Exfiltration Over Physical Medium -
enterprise T1052.001 Exfiltration over USB USBStealer exfiltrates collected files via removable media from air-gapped victims.1
enterprise T1083 File and Directory Discovery USBStealer searches victim drives for files matching certain extensions (“.skr”,“.pkr” or “.key”) or names.12
enterprise T1070 Indicator Removal on Host -
enterprise T1070.004 File Deletion USBStealer has several commands to delete files associated with the malware from the victim.1
enterprise T1070.006 Timestomp USBStealer sets the timestamps of its dropper files to the last-access and last-write timestamps of a standard Windows library chosen on the system.1
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location USBStealer mimics a legitimate Russian program called USB Disk Security.1
enterprise T1027 Obfuscated Files or Information Most strings in USBStealer are encrypted using 3DES and XOR and reversed.1
enterprise T1120 Peripheral Device Discovery USBStealer monitors victims for insertion of removable drives. When dropped onto a second victim, it also enumerates drives connected to the system.1
enterprise T1091 Replication Through Removable Media USBStealer drops itself onto removable media and relies on Autorun to execute the malicious file when a user opens the removable media on another system.1

Groups That Use This Software

ID Name References
G0007 APT28 3


Back to top