2023-07-20

Mandiant Sees An Increase of USB Infections in 2023

Level: Tactical | Category: Threat Actor Activity | Industry: Global | Source: Mandiant

Researchers from Mandiant have noticed a notable rise in USB infections during the first half of 2023, with their metrics indicating a "threefold increase." The campaign, designated as "Campaign 22-054" by Mandiant, targets a wide range of industry sectors, with particular emphasis on "print shops and hotels" seen "as potential hotspots for infection." The threat actors are assessed to be opportunistic and distribute the USBs with the goal of stealing data from the victim organization and/or providing a foothold for later objectives. Malware attributed to the campaign includes SOGU and SNOWYDRIVE, with the latter being deployed against Asian entities associated with the oil and gas industry.

Following a USB infection, the attacker drops a malicious payload consisting of three files: "a legitimate executable, a malicious DLL loader, and an encrypted payload." The legitimate executable is abused to load the malicious DLL (DLL hijacking), and together the three files establish a foothold. The attack lifecycle then proceeds through persistence in the registry or scheduled tasks, privilege escalation, reconnaissance via a batch script, propagation through the network, and finally exfiltration of sensitive data. "At the last stage of the attack lifecycle, the malware will exfiltrate any data that has been staged. The malware may include HTTP, HTTPS, a custom binary protocol over TCP or UDP, and ICMP to communicate with its command and control server. The malware was also found to support a wide range of commands, including file transfer, file execution, remote desktop, screenshot capture, reverse shell, and keylogging," as reported by Mandiant.
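The chain above (execution from removable media, a DLL loaded from the executable's own directory, then a Run key or scheduled task for persistence) is the kind of sequence a detection engineer can correlate on endpoint telemetry. The following is an added example written for this page, not code from Mandiant or Anvilogic. It runs over constructed, Sysmon-like JSON event lines whose field names (EventID 1 process create, 7 image load, 13 registry value set, ProcessGuid, ParentProcessGuid, Signed) are an assumed schema, and it uses a deliberately simple heuristic, "any drive letter other than C: is removable media", which in production should be replaced by the platform's actual removable-media indicator.

```python
"""Toy correlation of the USB-delivered DLL-sideloading chain on endpoint telemetry.

Stages tracked per process:
  removable_exec  - executable launched from (assumed) removable media
  sideload        - that process loads an unsigned DLL from its own directory
  persistence     - it writes a Run key, or spawns schtasks.exe /create
Severity grows with the number of distinct stages observed.
"""
import json
from pathlib import PureWindowsPath

# CONSTRUCTED sample telemetry for this example, not real logs.
# The schema is an assumption loosely modelled on Sysmon event fields.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ProcessGuid": "p1", "Image": "E:\\Photos\\viewer.exe", "CommandLine": "E:\\Photos\\viewer.exe"}
{"EventID": 7, "ProcessGuid": "p1", "Image": "E:\\Photos\\viewer.exe", "ImageLoaded": "E:\\Photos\\helper.dll", "Signed": "false"}
{"EventID": 13, "ProcessGuid": "p1", "Image": "E:\\Photos\\viewer.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\viewer"}
{"EventID": 1, "ProcessGuid": "p2", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}
{"EventID": 7, "ProcessGuid": "p2", "Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"}
{"EventID": 1, "ProcessGuid": "p3", "Image": "E:\\setup.exe", "CommandLine": "E:\\setup.exe"}
{"EventID": 7, "ProcessGuid": "p3", "Image": "E:\\setup.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"}
{"EventID": 1, "ProcessGuid": "p4", "ParentProcessGuid": "p3", "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks.exe /create /tn Updater /tr E:\\setup.exe /sc onlogon"}
"""

RUN_KEY_MARKER = "\\currentversion\\run\\"


def is_removable(path: str) -> bool:
    """Assumed heuristic: any drive other than C: is treated as removable media."""
    drive = PureWindowsPath(path).drive
    return bool(drive) and drive.upper() != "C:"


def loads_from_own_dir(image: str, loaded: str) -> bool:
    """True when the DLL sits next to the executable (classic search-order sideload).
    PureWindowsPath compares case-insensitively, as Windows does."""
    return PureWindowsPath(image).parent == PureWindowsPath(loaded).parent


def analyse(jsonl: str) -> dict:
    """Return {ProcessGuid: {"image", "stages", "severity"}} for processes that
    started from removable media; other processes are ignored entirely."""
    tracked: dict = {}
    for raw in jsonl.strip().splitlines():
        ev = json.loads(raw)
        guid, eid = ev["ProcessGuid"], ev["EventID"]
        if eid == 1:
            if is_removable(ev["Image"]):
                tracked[guid] = {"image": ev["Image"], "stages": ["removable_exec"]}
            # Persistence via a scheduled task created by a tracked parent.
            parent = ev.get("ParentProcessGuid")
            cmd = ev.get("CommandLine", "")
            if (parent in tracked
                    and PureWindowsPath(ev["Image"]).name.lower() == "schtasks.exe"
                    and "/create" in cmd.lower()):
                tracked[parent]["stages"].append("persistence:" + cmd)
        elif eid == 7 and guid in tracked:
            if (loads_from_own_dir(ev["Image"], ev["ImageLoaded"])
                    and ev.get("Signed", "").lower() != "true"):
                tracked[guid]["stages"].append("sideload:" + ev["ImageLoaded"])
        elif eid == 13 and guid in tracked:
            if RUN_KEY_MARKER in ev["TargetObject"].lower():
                tracked[guid]["stages"].append("persistence:" + ev["TargetObject"])
    # Severity = number of distinct stage kinds seen for the process.
    for rec in tracked.values():
        kinds = {s.split(":", 1)[0] for s in rec["stages"]}
        rec["severity"] = {1: "low", 2: "medium", 3: "high"}[len(kinds)]
    return tracked


if __name__ == "__main__":
    for guid, rec in analyse(SAMPLE_EVENTS).items():
        print(f"{guid} {rec['severity']:6} {rec['image']}")
        for stage in rec["stages"]:
            print("    -", stage)
```

Run as-is, the script reports p1 as high (all three stages: removable execution, unsigned sideloaded DLL, Run key write) and p3 as medium (removable execution plus a scheduled task created by its child), while the notepad process is never tracked. The point of keying everything on the process that started from removable media is that a Run key write or schtasks call is noisy on its own but becomes a strong signal once it is tied to that origin.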
