USBStealer
USBStealer is malware that has been used by APT28 since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with ADVSTORESHELL. [1] [2]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1119 | Automated Collection |
For all non-removable drives on a victim, USBStealer executes automated collection of certain files for later exfiltration.[1] |
|
| Enterprise | T1020 | Automated Exfiltration |
USBStealer automatically exfiltrates collected files via removable media when an infected device connects to an air-gapped victim machine after initially being connected to an internet-enabled victim machine. [1] |
|
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
USBStealer registers itself under a Registry Run key with the name "USB Disk Security."[1] |
| Enterprise | T1092 | Communication Through Removable Media |
USBStealer drops commands for a second victim onto a removable media drive inserted into the first victim, and commands are executed when the drive is inserted into the second victim.[1] |
|
| Enterprise | T1025 | Data from Removable Media |
Once a removable media device is inserted back into the first victim, USBStealer collects data from it that was exfiltrated from a second victim.[1][2] |
|
| Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
USBStealer collects files matching certain criteria from the victim and stores them in a local directory for later exfiltration.[1][2] |
| Enterprise | T1052 | .001 | Exfiltration Over Physical Medium: Exfiltration over USB |
USBStealer exfiltrates collected files via removable media from air-gapped victims.[1] |
| Enterprise | T1083 | File and Directory Discovery |
USBStealer searches victim drives for files matching certain extensions (".skr",".pkr" or ".key") or names.[1][2] |
|
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion | |