A new report by Mandiant reveals a concerning threefold increase in USB-delivered malware during the first half of 2023. The report highlights two major campaigns, ‘Sogu’ and ‘Snowydrive,’ attributed to threat groups TEMP.HEX and UNC4698, respectively.
These campaigns target various industries worldwide, with Sogu being identified as the most aggressive USB-assisted cyber-espionage operation, attempting to steal data from infected computers across multiple countries.
The Sogu campaign, in particular, utilizes a payload named ‘Korplug’ to load C shellcode into memory through DLL order hijacking. It establishes persistence, conducts system reconnaissance, and exfiltrates valuable data to a command-and-control server.
Similarly, the Snowydrive campaign infects computers with a backdoor, allowing attackers to execute arbitrary payloads, modify the registry, and propagate through connected USB drives.
While USB attacks require physical access to the target computers, their unique advantages, such as bypassing security mechanisms and providing initial access to corporate networks, make them a persistent threat. Mandiant’s investigation highlights print shops and hotels as potential infection hotspots for USB malware.
With the indiscriminate nature of these attacks, any system with a USB port remains vulnerable, emphasizing the need for enhanced security measures and awareness among organizations to mitigate the risks posed by these resurgent campaigns.