
S0452 USBferry

USBferry is an information-stealing malware that has been used by Tropic Trooper in targeted attacks against Taiwanese and Philippine air-gapped military environments. USBferry shares an overlapping codebase with YAHOYAH, but it has several features that make it a distinct piece of malware. [1]

ID: S0452
Associated Names: (none)
Version: 1.0
Created: 20 May 2020
Last Modified: 16 June 2020

Techniques Used

Domain | ID | Name | Use
enterprise | T1087 | Account Discovery | -
enterprise | T1087.001 | Local Account | USBferry can use net user to gather information about local accounts. [1]
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.003 | Windows Command Shell | USBferry can execute various Windows commands. [1]
enterprise | T1005 | Data from Local System | USBferry can collect information from an air-gapped host machine. [1]
enterprise | T1083 | File and Directory Discovery | USBferry can enumerate the victim's file and folder listing. [1]
enterprise | T1120 | Peripheral Device Discovery | USBferry can check for connected USB devices. [1]
enterprise | T1057 | Process Discovery | USBferry can use tasklist to gather information about the processes running on the infected system. [1]
enterprise | T1018 | Remote System Discovery | USBferry can use net view to gather information about remote systems. [1]
enterprise | T1091 | Replication Through Removable Media | USBferry can copy its installer to attached USB storage devices. [1]
enterprise | T1218 | System Binary Proxy Execution | -
enterprise | T1218.011 | Rundll32 | USBferry can execute rundll32.exe in memory to avoid detection. [1]
enterprise | T1016 | System Network Configuration Discovery | USBferry can map the infected machine's network topology using ipconfig and arp. [1]
enterprise | T1049 | System Network Connections Discovery | USBferry can use netstat and nbtstat to detect active network connections. [1]
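The table above reads as a detection checklist: a burst of built-in discovery commands (net user, net view, tasklist, ipconfig, arp, netstat, nbtstat) from one host in a short window, with rundll32.exe launches and executable writes to removable media as supporting evidence. The script below is an added hunting example, not code from the ATT&CK page or from any USBferry sample. It runs over a constructed event list; the event shape, the 10-minute window, the three-technique threshold and the `removable_drives` letter set are all assumptions you would replace with your own Sysmon (Event ID 1 / 11) or 4688 fields and a real drive-type lookup.

```python
"""
Added hunting example: correlate the discovery, rundll32 and removable-media
behaviour attributed to USBferry over endpoint process/file events.
Event shape (assumed, hypothetical):
  {"ts": ISO-8601, "host": str, "type": "process"|"file",
   "image": path, "cmdline": str (process), "target": path (file)}
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands the ATT&CK entry attributes to USBferry, keyed to technique IDs.
DISCOVERY = {
    ("net", "user"): "T1087.001",
    ("net", "view"): "T1018",
    ("tasklist",): "T1057",
    ("ipconfig",): "T1016",
    ("arp",): "T1016",
    ("netstat",): "T1049",
    ("nbtstat",): "T1049",
}
SINGLE = {k[0]: v for k, v in DISCOVERY.items() if len(k) == 1}
EXEC_EXT = (".exe", ".dll", ".scr", ".lnk")  # assumed "installer-like" extensions


def _base(token):
    """Lower-cased basename of a (possibly quoted, possibly pathed) token, without .exe."""
    t = token.strip('"').lower().rsplit("\\", 1)[-1]
    return t[:-4] if t.endswith(".exe") else t


def classify_discovery(cmdline):
    """Map a process command line to a discovery technique ID, or None.
    Scans every token so 'cmd.exe /c net user > out.txt' wrappers still match."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens):
        b = _base(tok)
        if b == "net" and i + 1 < len(tokens):
            return DISCOVERY.get(("net", tokens[i + 1].lower()))
        if b in SINGLE:
            return SINGLE[b]
    return None


def correlate(events, window=timedelta(minutes=10), min_techniques=3,
              removable_drives=frozenset()):
    """Per host, return the window holding the most distinct discovery techniques
    if it reaches min_techniques. rundll32 launches (T1218.011) and executable
    writes to removable drive letters (T1091) inside that window are attached as
    supporting evidence. removable_drives is an assumption: derive it from
    drive-type lookups or device-arrival events in real telemetry."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(dict(e, ts=datetime.fromisoformat(e["ts"])))
    alerts = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        for i, start in enumerate(evs):            # sliding window anchored at each event
            techs, rundll, usb = set(), 0, []
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                if e["type"] == "process":
                    t = classify_discovery(e["cmdline"])
                    if t:
                        techs.add(t)
                    elif _base(e["image"]) == "rundll32":
                        rundll += 1
                elif e["type"] == "file":
                    tgt = e["target"]
                    if tgt[:1].upper() in removable_drives and tgt.lower().endswith(EXEC_EXT):
                        usb.append(tgt)
            if len(techs) >= min_techniques and (best is None or len(techs) > len(best["techniques"])):
                best = {"start": start["ts"].isoformat(), "techniques": sorted(techs),
                        "rundll32_launches": rundll, "removable_exec_writes": usb}
        if best:
            alerts[host] = best
    return alerts


# Constructed sample telemetry (not real logs): one host showing the pattern,
# one admin workstation running the same tools hours apart.
SAMPLE_EVENTS = [
    {"ts": "2020-05-20T09:00:05", "host": "WS-AIRGAP-07", "type": "process",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c net user > C:\Users\Public\u.txt"},
    {"ts": "2020-05-20T09:00:07", "host": "WS-AIRGAP-07", "type": "process",
     "image": r"C:\Windows\System32\tasklist.exe", "cmdline": "tasklist /v"},
    {"ts": "2020-05-20T09:00:09", "host": "WS-AIRGAP-07", "type": "process",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"ts": "2020-05-20T09:00:11", "host": "WS-AIRGAP-07", "type": "process",
     "image": r"C:\Windows\System32\NETSTAT.EXE", "cmdline": "netstat -ano"},
    {"ts": "2020-05-20T09:00:12", "host": "WS-AIRGAP-07", "type": "process",
     "image": r"C:\Windows\System32\rundll32.exe", "cmdline": "rundll32.exe"},
    {"ts": "2020-05-20T09:02:30", "host": "WS-AIRGAP-07", "type": "file",
     "image": r"C:\Windows\System32\rundll32.exe", "target": r"E:\setup.exe"},
    {"ts": "2020-05-20T10:15:00", "host": "WS-ADMIN-01", "type": "process",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"ts": "2020-05-20T11:40:00", "host": "WS-ADMIN-01", "type": "process",
     "image": r"C:\Windows\System32\net.exe", "cmdline": r"net view \\fileserver"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(correlate(SAMPLE_EVENTS, removable_drives={"E"}), indent=2))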

Groups That Use This Software

ID | Name | References
G0081 | Tropic Trooper | [1]