Cyber attacks using infected USB infection drives as an initial access vector have witnessed a three-fold increase in the first half of 2023,
That's according to new findings from Mandiant, which detailed two such campaigns – SOGU and SNOWYDRIVE – targeting both public and private sector entities across the world.
SOGU is the "most prevalent USB-based cyber espionage attack using USB flash drives and one of the most aggressive cyber espionage campaigns targeting both public and private sector organizations globally across industry verticals," the Google-owned threat intelligence firm said.
The activity has been attributed to a China-based cluster called TEMP.Hex, which is also tracked under the names Camaro Dragon, Earth Preta, and Mustang Panda. Targets include construction and engineering, business services, government, health, transportation, and retail in Europe, Asia, and the U.S.
The infection chain detailed by Mandiant exhibits tactical commonalities with another Mustang Panda campaign uncovered by Check Point, which took the wraps off a strain of self-propagating malware called WispRider that spreads through compromised USB drives and potentially breach air-gapped systems.
It all starts with a malicious USB flash drive plugged into a computer, leading to the execution of PlugX (aka Korplug), which then decrypts and launches a C-based backdoor called SOGU that exfiltrates files of interest, keystrokes, and screenshots.
SNOWYDRIVE Targets Oil and Gas Organizations in Asia
The second cluster to leverage the USB infiltration mechanism is UNC4698, which has singled out oil and gas organizations in Asia to deliver the SNOWYDRIVE malware to execute arbitrary payloads on the hacked systems.
"Once SNOWYDRIVE is loaded, it creates a backdoor on the host system, giving attackers the ability to remotely issue system commands," Mandiant researchers Rommel Joven and Ng Choon Kiat said. "It also spreads to other USB flash drives and propagates throughout the network."
In these attacks, the victim is lured into clicking on a booby-trapped file that masquerades as a legitimate executable, thereby activating a chain of malicious actions, starting with a dropper that establishes a foothold, followed by executing the SNOWYDRIVE implant.
Some of the functionalities of the backdoor consist of carrying out file and directory searches, uploading and downloading files, and launching a reverse shell.
"Organizations should prioritize implementing restrictions on access to external devices such as USB drives," the researchers said. "If this is not possible, they should at least scan these devices for malicious files or code before connecting them to their internal networks."