USBStealer is malware that has been used by APT28 since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with ADVSTORESHELL.[1][2]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1025 | Data from Removable Media | Once a removable media device is inserted back into the first victim, USBStealer collects data from it that was exfiltrated from a second victim.[1][2] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | USBStealer mimics a legitimate Russian program called USB Disk Security.[1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | USBStealer registers itself under a Registry Run key with the name "USB Disk Security."[1] |
| Enterprise | T1120 | Peripheral Device Discovery | USBStealer monitors victims for insertion of removable drives. When dropped onto a second victim, it also enumerates drives connected to the system.[1] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | USBStealer collects files matching certain criteria from the victim and stores them in a local directory for later exfiltration.[1][2] |
| Enterprise | T1083 | File and Directory Discovery | USBStealer searches victim drives for files matching certain extensions (".skr", ".pkr" or ".key") or names.[1][2] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Most strings in USBStealer are encrypted using 3DES and XOR and reversed.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | USBStealer has several commands to delete files associated with the malware from the victim.[1] |
| Enterprise | T1070.006 | Indicator Removal: Timestomp | USBStealer sets the timestamps of its dropper files to the last-access and last-write timestamps of a standard Windows library chosen on the system.[1] |
| Enterprise | T1119 | Automated Collection | For all non-removable drives on a victim, USBStealer executes automated collection of certain files for later exfiltration.[1] |
| Enterprise | T1020 | Automated Exfiltration | USBStealer automatically exfiltrates collected files via removable media when an infected device connects to an air-gapped victim machine after initially being connected to an internet-enabled victim machine.[1] |
| Enterprise | T1091 | Replication Through Removable Media | USBStealer drops itself onto removable media and relies on Autorun to execute the malicious file when a user opens the removable media on another system.[1] |
| Enterprise | T1092 | Communication Through Removable Media | USBStealer drops commands for a second victim onto a removable media drive inserted into the first victim, and commands are executed when the drive is inserted into the second victim.[1] |
| Enterprise | T1052.001 | Exfiltration Over Physical Medium: Exfiltration over USB | USBStealer exfiltrates collected files via removable media from air-gapped victims.[1] |
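The Timestomp row (T1070.006) describes the dropper copying the last-access and last-write times of a standard Windows library onto itself. The following added example, written for this page and not code from USBStealer or from the cited reports, reproduces that behaviour on constructed temporary files and then shows the forensic check that still catches it: copying atime/mtime leaves the file's metadata-change time (st_ctime on POSIX; creation time on Windows) untouched, so a file whose mtime exactly equals a system library's mtime, while its ctime is far newer, was backdated. The library name, dropper name and the one-day gap threshold are assumptions made for the demonstration.

```python
import os
import tempfile
import time
from pathlib import Path

# Assumption: a file whose change time (st_ctime) is more than this far ahead of
# its modification time had its mtime set backwards after it was written.
CTIME_MTIME_GAP_SECONDS = 24 * 3600


def timestomp(target: Path, reference: Path) -> None:
    """Copy last-access and last-write times from `reference` onto `target`.

    This is the technique the page describes: the dropper's timestamps are set
    to those of a library already present on the system so the file blends in.
    """
    st = reference.stat()
    os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))


def find_timestomped(scan_dir: Path, library_dir: Path,
                     gap_seconds: int = CTIME_MTIME_GAP_SECONDS):
    """Return (file, matching_library) pairs under scan_dir whose mtime equals a
    library's mtime to the nanosecond and whose ctime is much newer than it.

    Exact nanosecond equality is the fingerprint of a copied timestamp; the
    ctime gap rules out files that were genuinely written long ago.
    """
    library_mtimes = {}
    for lib in library_dir.iterdir():
        if lib.is_file():
            library_mtimes.setdefault(lib.stat().st_mtime_ns, []).append(lib.name)

    hits = []
    gap_ns = gap_seconds * 1_000_000_000
    for path in scan_dir.rglob("*"):
        if not path.is_file():
            continue
        st = path.stat()
        if st.st_mtime_ns in library_mtimes and (st.st_ctime_ns - st.st_mtime_ns) > gap_ns:
            hits.append((path.name, library_mtimes[st.st_mtime_ns][0]))
    return hits


def demo():
    """Build a constructed scene in a temp dir: one old 'library', one dropper
    that is timestomped against it, one benign file written now."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        library_dir = root / "System32"
        drop_dir = root / "AppData"
        library_dir.mkdir()
        drop_dir.mkdir()

        # Constructed "standard Windows library" whose timestamps are two years old.
        library = library_dir / "example.dll"          # hypothetical name
        library.write_bytes(b"MZ" + b"\x00" * 62)
        two_years_ago_ns = int((time.time() - 2 * 365 * 86400) * 1e9)
        os.utime(library, ns=(two_years_ago_ns, two_years_ago_ns))

        # Constructed dropper (then backdated) and a benign file left alone.
        dropper = drop_dir / "dropper.exe"             # hypothetical name
        dropper.write_bytes(b"MZ" + b"\x00" * 62)
        (drop_dir / "notes.txt").write_text("not malware")
        timestomp(dropper, library)

        return find_timestomped(drop_dir, library_dir)


if __name__ == "__main__":
    print(demo())   # expected: [('dropper.exe', 'example.dll')]
```

On NTFS the equivalent check compares the $STANDARD_INFORMATION timestamps, which utilities like this can rewrite, against the $FILE_NAME attribute timestamps, which ordinary API calls do not touch; the ctime-gap heuristic above is the portable approximation that runs anywhere.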
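The Masquerading (T1036.005) and Registry Run Keys (T1547.001) rows together give a concrete hunt: a Run value named after a legitimate product whose image does not live where that product would be installed. The following added example, written for this page and not code from the cited reports, parses the text format of `reg query` for a Run key and flags such entries. The sample output, the benign entry, the AppData path and the expectation that the genuine product installs under Program Files are all constructed assumptions; the one watched name comes from the page.

```python
import re
from dataclasses import dataclass

# Constructed sample of `reg query HKCU\...\CurrentVersion\Run` output: one benign
# autostart and one entry using the name the page says USBStealer registers.
SAMPLE_REG_QUERY_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    USB Disk Security    REG_SZ    C:\Users\alice\AppData\Roaming\USBGuard\usbguard.exe
"""

# Product names known to be mimicked (from the page); lower-cased for matching.
WATCHED_NAMES = {"usb disk security"}
# Assumption: the genuine product is installed under one of these roots.
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

# name, then 2+ spaces, REG_ type, then 2+ spaces, then the value data.
_VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")


@dataclass
class RunEntry:
    name: str
    data: str
    image: str   # executable path extracted from data


def image_path(data: str) -> str:
    """Pull the executable path out of a Run value's command line."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.*?\.exe)", data, re.IGNORECASE)
    return m.group(1) if m else data.split(" ")[0]


def parse_reg_query(text: str):
    """Parse value lines from `reg query` output into RunEntry objects."""
    entries = []
    for line in text.splitlines():
        m = _VALUE_LINE.match(line)
        if m:
            entries.append(RunEntry(m["name"].strip(), m["data"], image_path(m["data"])))
    return entries


def suspicious_run_entries(entries):
    """Flag entries that borrow a watched product name but run from elsewhere."""
    hits = []
    for e in entries:
        if e.name.lower() in WATCHED_NAMES and not e.image.lower().startswith(EXPECTED_ROOTS):
            hits.append((e.name, e.image, "watched product name, image outside Program Files"))
    return hits


if __name__ == "__main__":
    for hit in suspicious_run_entries(parse_reg_query(SAMPLE_REG_QUERY_OUTPUT)):
        print(hit)
```

Feeding real output is a matter of running `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKLM equivalent) and passing the text to `parse_reg_query`; the name list is the part to grow as other mimicked products are observed.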