Usbstealer: USB info-Stealer targeting various organizations systems


The Dell SonicWall Threats Research team observed reports of a USB info Stealer Trojan named GAV: Usbstealer.AD and Usbstealer.AP targeting various organizations systems. Unlike most malware which make use of vulnerable Network Services to spread to other machines in the network, these malware are specifically designed to infect USB removable devices. USB Stealer targeting isolated computers from the Internet. Once the target system is compromised (infected by USB device connected to the system A), the malware tries to grab sensitive data files from the system B (isolated system) and transfer it to USB, after that when infected USB Connected to System A Again it will copy all files to system A.

Infection Cycle:

Md5: d7386708e70b5b5c015dbad1ad43a9a6, 8cb08140ddb00ac373d29d37657a03cc

The malware create a service such as USB Disk Security or USBGuard in the system also create an auto startup key in registry such as following:

  • HKEY_CURRENT_USER SoftwareMicrosoftWindowsCurrentVersionRun
  • File path = C:WINDOWSsystem32USBGuard.exe service

Here is an example of created service in registry:

The malware adds the following files to the system:

  • %userprofile%Music[Computer Name ][Computer Name ].lst
  • %userprofile%Musicend
  • [USB Drive]:System Volume
  • [USB Drive]:System Volume InformationS-1-5-21-1315235578-283289242[Computer Name ][Random Number ]
  • [USB Drive]:System Volume InformationS-1-5-21-1315235578-283289242[Computer Name ] [Computer Name ].lst

In first run malware tries to retrieve list of all files and folders and drops this file [Computer Name].lst, into Music folder.

Here is a sample of the file:

After malware retrieve all files on the system it will create a null file called End on music folder, then it will be waiting to infected USB again then transfer all grabbed files into the System Volume Information folder.

The malware looking for all files with following extensions:

  • .pkr
  • .skr
  • .key

The malware searches for these files except in folders contain the following antivirus names such as:

After that it makes a copy of those files into Music folder such as following:

Once a new USB drive is inserted into the system malware drops the USBGuard.exe onto the drive and also drops Autorun.inf file into root of that USB drive such as following:

Also malware transfer all files into the infected USB, here is an example on following:

When target user double clicking on the USB drive and right click option Explore executes USBGuard.exe.

The attack only works if Autorun is enabled on the targeted computer. The feature was deactivated by Microsoft in 2009 with the release of a Windows KB971029 update.

The malware also marks the USB drive as having been used on a machine with an Internet connection when drops into System Volume Information folder.

Once the files are transferred to System A, the attackers need to use another malware to copy the data to their own servers because the malware doesn’t have such network capabilities.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Usbstealer.AD and Usbstealer.AP
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.