Usbstealer: USB info-Stealer targeting various organizations systems
The Dell SonicWall Threats Research team observed reports of a USB info Stealer Trojan named GAV: Usbstealer.AD and Usbstealer.AP targeting various organizations systems. Unlike most malware which make use of vulnerable Network Services to spread to other machines in the network, these malware are specifically designed to infect USB removable devices. USB Stealer targeting isolated computers from the Internet. Once the target system is compromised (infected by USB device connected to the system A), the malware tries to grab sensitive data files from the system B (isolated system) and transfer it to USB, after that when infected USB Connected to System A Again it will copy all files to system A.
Infection Cycle:
Md5: d7386708e70b5b5c015dbad1ad43a9a6, 8cb08140ddb00ac373d29d37657a03cc
The malware create a service such as USB Disk Security or USBGuard in the system also create an auto startup key in registry such as following:
- HKEY_CURRENT_USER SoftwareMicrosoftWindowsCurrentVersionRun
- File path = C:WINDOWSsystem32USBGuard.exe service
Here is an example of created service in registry:
The malware adds the following files to the system:
- %userprofile%Music[Computer Name ][Computer Name ].lst
- %userprofile%Musicend
- [USB Drive]:System Volume Informationdesktop.in
- [USB Drive]:System Volume InformationS-1-5-21-1315235578-283289242[Computer Name ][Random Number ]
- [USB Drive]:System Volume InformationS-1-5-21-1315235578-283289242[Computer Name ] [Computer Name ].lst
In first run malware tries to retrieve list of all files and folders and drops this file [Computer Name].lst, into Music folder.
Here is a sample of the file:
After malware retrieve all files on the system it will create a null file called End on music folder, then it will be waiting to infected USB again then transfer all grabbed files into the System Volume Information folder.
The malware looking for all files with following extensions:
- .pkr
- .skr
- .key
The malware searches for these files except in folders contain the following antivirus names such as:
After that it makes a copy of those files into Music folder such as following:
Once a new USB drive is inserted into the system malware drops the USBGuard.exe onto the drive and also drops Autorun.inf file into root of that USB drive such as following:
Also malware transfer all files into the infected USB, here is an example on following:
When target user double clicking on the USB drive and right click option Explore executes USBGuard.exe.
The attack only works if Autorun is enabled on the targeted computer. The feature was deactivated by Microsoft in 2009 with the release of a Windows KB971029 update.
The malware also marks the USB drive as having been used on a machine with an Internet connection when drops desktop.in into System Volume Information folder.
Once the files are transferred to System A, the attackers need to use another malware to copy the data to their own servers because the malware doesn’t have such network capabilities.
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: Usbstealer.AD and Usbstealer.AP