6 Malware On Your USB
Are you carrying a loaded cyber weapon?
Most of us know better than to use a USB stick that has been conveniently left somewhere. But even the most informed aren’t always careful. Would you be suspicious of a USB stick handed out as a prize at a cyber security expo? “People see these things as nothing more than storage devices; they don’t realise there’s a reprogrammable computer in their hands,” says security researcher Adam Caudill.
Curiosity and carelessness have been widely exploited by cyber criminals to spread malware epidemics. The naivety of victims who continue using, and spreading, infected devices has even generated an acronym in security circles: PICNIC – problem in chair, not in computer.
But researchers argue that USBs aren’t just challenging security by carrying malware – they are problematic by design. Writer Andy Greenberg, in tragi-comic fashion, proposes two solutions: banning the sharing of USBs altogether, or filling our ports with superglue.
Abandoning these devices for cloud-based storage alternatives might be an option now. But USBs are doomed to remain an instrument for compromising computers, stealing information, and disrupting critical infrastructure. That’s for one simple reason: they can reach air-gapped networks.
Here are six malware families that have done exactly that:
1) Dark Tequila
Reported in 2018 by Kaspersky Lab, Dark Tequila is a complex banking malware that has targeted consumers and corporate victims in Mexico since at least 2013. It spreads via USB and was designed to steal victims’ financial information from online banking sites, as well as login credentials from popular websites – including Amazon, Dropbox, and Bitbucket.
Once executed, Dark Tequila is monitored and controlled by the threat actor behind it. It includes a USB infector module that allows it to replicate and infect additional computers via removable drives, running automatically when the drive is plugged into another system [TheHackerNews].
2) Sality
Sality automatically copies itself from infected machines onto USB drives, creating malicious shortcuts (LNK files) that launch the worm as soon as they are opened. Sality builds a peer-to-peer botnet (a decentralised group of malware-compromised machines working together) and then attempts to disable the machines’ security software and configurations [Symantec].
3) Dinihou
This worm copies its executable file to a folder on the computer and then modifies registry keys so that it launches automatically when the operating system starts. When a USB or other removable drive is detected, the worm copies an executable file to that drive’s root too [Kaspersky Lab].
Dinihou creates shortcuts that imitate all files and folders at the root of the infected disk. The user sees these shortcuts instead of the real folders and files they are pretending to be. As soon as one of them is opened, the worm is launched [Kaspersky Lab].
Dinihou’s goal is to disrupt computer activities and collect information about its software and hardware configurations.
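The "mirror shortcut" trick that Sality and Dinihou rely on leaves a visible fingerprint: a `.lnk` at the root of the drive whose name duplicates a real file or folder sitting right beside it. The following scanner is an added example, not code from the article or from any vendor write-up; it builds a constructed sample drive layout in a temporary directory and flags every shortcut that shadows a sibling entry, also checking for the fixed Shell Link header so a renamed non-shortcut stands out.

```python
"""Flag Dinihou/Sality-style mirror shortcuts at a removable drive root."""
import tempfile
from pathlib import Path

# Every Shell Link (.lnk) file starts with HeaderSize 0x0000004C followed by
# LinkCLSID {00021401-0000-0000-C000-000000000046} in little-endian GUID layout.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C000000000000046")


def find_mirror_shortcuts(root):
    """Return {shortcut_name: (shadowed_entry, has_lnk_header)} for every
    .lnk at `root` whose name (minus '.lnk') matches another entry at `root`.
    On an infected stick the originals are usually hidden, so the user only
    sees the shortcut carrying the familiar name."""
    root = Path(root)
    entries = {p.name: p for p in root.iterdir()}
    findings = {}
    for name, path in entries.items():
        if path.suffix.lower() != ".lnk" or not path.is_file():
            continue
        shadowed = name[:-4]            # strip '.lnk', keep any inner extension
        if shadowed in entries:
            with open(path, "rb") as fh:
                has_header = fh.read(len(LNK_MAGIC)) == LNK_MAGIC
            findings[name] = (shadowed, has_header)
    return findings


def build_sample_drive():
    """Constructed layout mimicking an infected stick: real items, a .lnk twin
    for each of them, and one ordinary shortcut that shadows nothing."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "Documents").mkdir()
    (root / "Photos").mkdir()
    (root / "report.docx").write_bytes(b"PK\x03\x04 constructed document")
    for twin in ("Documents", "Photos", "report.docx"):
        (root / f"{twin}.lnk").write_bytes(LNK_MAGIC + b"\x00" * 56)
    (root / "Notes.lnk").write_bytes(LNK_MAGIC + b"\x00" * 56)  # benign: no twin
    return root


if __name__ == "__main__":
    drive = build_sample_drive()
    for lnk, (target, ok) in sorted(find_mirror_shortcuts(drive).items()):
        print(f"{lnk!r} shadows {target!r} (valid .lnk header: {ok})")
```

Pointing `find_mirror_shortcuts` at a mounted drive letter or mount point instead of the constructed directory gives the same check on a real stick.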
4) Stuxnet
Stuxnet remains one of the most malicious exploits ever spread via removable media. In 2009 and 2010, it targeted the industrial control software and equipment of Iran’s Natanz nuclear facility, disrupting operations and destroying 20% of its centrifuges. It bypassed the facility’s security barriers and spread among computers with no external network connections because of a contaminated USB drive.
5) Fanny
Created shortly before Stuxnet, in 2008, this cyberespionage malware toolset used the same LNK exploit to spread from USB drives to air-gapped machines. When operational, Fanny used two zero-day exploits, which have been patched since its discovery.
Fanny was designed to be universal and operate on multiple platforms. Its true target remains unknown, but a high number of infections were identified in Pakistan [Kaspersky Lab]. Could this have been a trial version of the infamous Stuxnet?
6) USB Thief
USB Thief is data-stealing malware that is not just USB-based but bound to a single device, so that it can’t be duplicated or copied. The Trojan is difficult to recognise because of a self-protecting mechanism that helps it avoid detection.
USB Thief is a tool of industrial cyber espionage. Its peculiar ability to bypass air-gapped security shows that it was designed as a weapon for unauthorised targeted attacks [TechTimes].
Written by Paula Magal for Qatalyst Global’s NordX – the inaugural Cyber Security Summit dedicated to the Nordic Region. Sign up for Qatalyst Global’s newsletters for more content like this and follow them on LinkedIn to be the first to know about upcoming discounts on conference passes.