S0452 USBferry
USBferry is an information stealing malware and has been used by Tropic Trooper in targeted attacks against Taiwanese and Philippine air-gapped military environments. USBferry shares an overlapping codebase with YAHOYAH, though it has several features which makes it a distinct piece of malware.1
| Item | Value |
|---|---|
| ID | S0452 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 20 May 2020 |
| Last Modified | 16 June 2020 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.001 | Local Account | USBferry can use net user to gather information about local accounts.1 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | USBferry can execute various Windows commands.1 |
| enterprise | T1005 | Data from Local System | USBferry can collect information from an air-gapped host machine.1 |
| enterprise | T1083 | File and Directory Discovery | USBferry can detect the victim’s file or folder list.1 |
| enterprise | T1120 | Peripheral Device Discovery | USBferry can check for connected USB devices.1 |
| enterprise | T1057 | Process Discovery | USBferry can use tasklist to gather information about the process running on the infected system.1 |
| enterprise | T1018 | Remote System Discovery | USBferry can use net view to gather information about remote systems.1 |
| enterprise | T1091 | Replication Through Removable Media | USBferry can copy its installer to attached USB storage devices.1 |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | USBferry can execute rundll32.exe in memory to avoid detection.1 |
| enterprise | T1016 | System Network Configuration Discovery | USBferry can detect the infected machine’s network topology using ipconfig and arp.1 |
| enterprise | T1049 | System Network Connections Discovery | USBferry can use netstat and nbtstat to detect active network connections.1 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0081 | Tropic Trooper | 1 |