Stealthy USB Trojan hides in portable applications, targets air-gapped systems

24.03.2016
A Trojan program is being distributed through USB drives and seems to be designed for stealing information from so-called air-gapped computers that are not connected to the Internet.

The new Trojan has been dubbed USB Thief by security researchers from antivirus firm ESET and has several characteristics that set it apart from the traditional malware programs that spread using USB storage devices and the Windows Autorun feature.

First of all, USB Thief infects USB drives that contain portable installations of popular applications like Firefox, NotePad++ or TrueCrypt. It's copied to such installations as a plug-in or DLL (dynamic link library) and is then executed along with those applications.

In some scenarios, especially when dealing with air-gapped computers, users will temporarily run an application directly from an USB stick in order to avoid installing it on the system itself. There are "portable" versions of many popular applications and they don't leave any files or registry entries on the system after being used.

The practice is also common among PC support technicians or systems administrators who frequently have to troubleshoot problems on users' computers, so they carry around a USB stick with portable versions of their favorite tools.

USB Thief Trojan is a multi-stage malware program, made up of three executables, each loading the next component in the chain, two encrypted configuration files and a final payload.

Except for the first loader, which is named after a legitimate plug-in or DLL of a portable application, the names of the other components are determined based on cryptographic operations and are different from one infected USB drive to another.

For example, the first loader will calculate a SHA512 hash of its own contents combined with the its own creation date and will attempt to execute a file whose name matches that hash. That would be the second loader.

The second loader will check if it was started by the correct parent and then will attempt to decrypt a configuration file whose name is the SHA512 hash of its own contents and creation times tamp.

The configuration file is encrypted with the AES128 algorithm and the key is computed from the USB device's unique ID combined of its disk properties. The second loader will then attempt to run a third loader, whose name is the SHA512 hash of the configuration file's contents and its creation time, and so on.

All of these cryptographic verifications make it extremely hard to analyze the malware without physical access to the specific USB device for which it created. Copying the files to a different USB device or computer will break the execution chain because the file creation dates will be modified. The configuration files will also not be decrypted without the unique USB ID.

The final payload is injected into a new Windows svchost.exe process and reads instructions from the second encrypted configuration file. These instructions define which information to steal from the computer, where to store it and how to encrypt it.

"In the case we analyzed, it was configured to steal all data files such as images or documents, the whole windows registry tree (HKCU), file lists from all of the drives, and information gathered using an imported open-source application called 'WinAudit'," the ESET researchers said in a blog post.

The stolen data was saved back to the USB drive and was encrypted using elliptic curve cryptography. Once the USB drive was removed, there was no evidence left on the computer, the ESET researchers said.

All of these special characteristics -- the malware being tied to the USB device it's installed on, the use of strong encryption and cryptographically verified multi-stage execution -- suggests that it was designed for targeted attacks, particularly against air-gapped systems.

Since there is no attempt to immediately send the stolen data over an Internet connection to an external server, it's reasonable to assume that the attackers have the ability to retrieve it from the infected USB drives at a later time.

USB Thief could be a component of a larger cyberespionage platform, for example one that infected Internet-connected computers used by an organization's IT staff. In that case, the attackers would simply wait for those employees to plug the infected USB sticks back into their computers after using them on air-gapped systems and then retrieve the stolen data.

There is precedent for such behavior. The Equation group, which is responsible for one of the most sophisticated and long-running cyberespionage campaigns in history, has used an USB worm called Fanny to both infect air-gapped systems and then pass commands to them.

It would not be difficult to redesign USB Thief to change its data-stealing payload to any other malicious payload, the ESET researchers said.

ESET's statistics shows that this new Trojan is not very widespread, but that's not surprising giving its nature.

"USB ports should be disabled wherever possible and, if that’s not possible, strict policies should be in place to enforce care in their use," said Tomáš Gardo?, a malware analyst at ESET, in a separate blog post. "It’s highly desirable for staff at all levels to undergo cybersecurity training -- including real-life testing."

Lucian Constantin