USBferry

USBferry is an information stealing malware and has been used by Tropic Trooper in targeted attacks against Taiwanese and Philippine air-gapped military environments. USBferry shares an overlapping codebase with YAHOYAH, though it has several features which makes it a distinct piece of malware.^[1]

ID: S0452

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.0

Created: 20 May 2020

Last Modified: 16 June 2020

Techniques Used

Domain	ID		Name	Use
Enterprise	T1005		从本地系统获取数据	USBferry can collect information from an air-gapped host machine.^[1]
Enterprise	T1059	.003	命令与脚本解释器: Windows Command Shell	USBferry can execute various Windows commands.^[1]
Enterprise	T1120		外围设备发现	USBferry can check for connected USB devices.^[1]
Enterprise	T1083		文件和目录发现	USBferry can detect the victim's file or folder list.^[1]
Enterprise	T1218	.011	系统二进制代理执行: Rundll32	USBferry can execute rundll32.exe in memory to avoid detection.^[1]
Enterprise	T1049		系统网络连接发现	USBferry can use `netstat` and `nbtstat` to detect active network connections.^[1]
Enterprise	T1016		系统网络配置发现	USBferry can detect the infected machine's network topology using `ipconfig` and `arp`.^[1]
Enterprise	T1087	.001	账号发现: Local Account	USBferry can use `net user` to gather information about local accounts.^[1]
Enterprise	T1057		进程发现	USBferry can use `tasklist` to gather information about the process running on the infected system.^[1]
Enterprise	T1018		远程系统发现	USBferry can use `net view` to gather information about remote systems.^[1]
Enterprise	T1091		通过可移动媒体复制	USBferry can copy its installer to attached USB storage devices.^[1]

Groups That Use This Software

ID	Name	References
G0081	Tropic Trooper	^[1]

References

Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.

USBferry

Enterprise Layer

Techniques Used

Groups That Use This Software

References