The Spies Who Loved You: Infected USB Drives to Steal Secrets | Mandiant

Mandiant observed multiple USB-based espionage campaigns in 2023 that use infected USB flash drives to deliver multi-stage loaders, side-load malicious DLLs, run shellcode in memory, stage and encrypt sensitive files, and exfiltrate data to hard-coded C2 infrastructure. The most prominent families and actors described are SOGU delivered by TEMP.Hex and SNOWYDRIVE associated with UNC4698. #SOGU #SNOWYDRIVE #TEMP.Hex #UNC4698 #Mandiant

Keypoints

  • Initial infection uses infected USB flash drives that contain a benign executable, a malicious DLL loader, and an encrypted payload which is executed via DLL side‑loading/hijacking.
  • SOGU campaign (attributed to TEMP.Hex) follows a three-file chain (legitimate EXE + malicious DLL loader KORPLUG + encrypted .dat payload) that decrypts and executes SOGU in memory.
  • SNOWYDRIVE campaign (attributed to UNC4698) uses a dropper on USBs that writes encrypted components to C:\Users\Public\SymantecsThorvices\Data and loads a shellcode-based backdoor (SNOWYDRIVE) via in-memory droppers like ZIPDLL.dll.
  • Post‑infection actions include host reconnaissance (tasklist/arp/netstat/ipconfig/systeminfo), searching and encrypting office/productivity files, staging encrypted copies in hidden directories, and setting Run registry keys or scheduled tasks for persistence.
  • Malware supports broad C2 and exfiltration methods (HTTP/HTTPS, custom TCP/UDP binary protocol, ICMP), remote commands (file transfer, exec, reverse shell, RDP, screenshots, keylogging), and self‑replication to other removable drives enabling spread to air‑gapped systems.

MITRE Techniques

  • [T1091] Replication Through Removable Media – USB drives are used as the initial vector and to copy malware to newly attached drives (‘An infected USB flash drive is the initial infection vector.’).
  • [T1204] User Execution – Victims are tricked into launching malicious files on USB drives (‘The victim is lured to click on a malicious file that is masquerading as a legitimate executable.’).
  • [T1574.001] DLL Search Order Hijacking – Attackers use DLL side‑loading to load malicious DLLs when a benign executable runs (‘the flash drive contains multiple malicious software that is designed to load a malicious payload in memory through DLL hijacking’). A look-alike DLL planted beside the legitimate EXE it is paired with is catalogued separately as T1574.002 DLL Side-Loading; the report's own wording is "DLL hijacking", so detection content should cover both sub-techniques.
  • [T1547.001] Registry Run Keys and Startup Folder – Malware creates Run registry entries pointing to copied components to achieve persistence (‘it creates a Run registry key with the same name as the directory created earlier’).
  • [T1053.005] Scheduled Task – Some SOGU variants create scheduled tasks to run the malware every 10 minutes to maintain persistence (‘SCHTASKS.exe /create /sc minute /mo 10 …’).
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Actors execute arbitrary payloads and reconnaissance via the Windows command prompt (‘execute arbitrary payloads using the Windows Command Prompt’, and listed commands such as tasklist /v and ipconfig /all).
  • [T1083] File and Directory Discovery – Malware searches drives for targeted file extensions (.doc, .pdf, .xls, .pptx) to collect and stage sensitive documents (‘the malware searches the C drive for files with the following extensions: .doc, .docx, .ppt, .pptx, .xls, .xlsx, and .pdf’).
  • [T1005] Data from Local System – Collected files are encrypted and staged for exfiltration (‘It encrypts a copy of each file, encodes the original filenames using Base64, and drops the encrypted files’).
  • [T1041] Exfiltration Over C2 Channel – Staged data is exfiltrated over HTTP/HTTPS, custom TCP/UDP protocols, or ICMP to command-and-control servers (‘The malware will exfiltrate any data that has been staged. The malware may include HTTP, HTTPS, a custom binary protocol over TCP or UDP, and ICMP’).

Indicators of Compromise

  • [File name] Staged/encrypted payload and loader names used in infections – AvastAuth.dat, smadavupdate.dat (used as encrypted payloads/loader artifacts for SOGU).
  • [SHA256 hash] Sample hashes from YARA rules and detections – 964c380bc6ffe313e548336c9dfaabbd01a5519e8635adde42eedb7e1187c0b3 (SNOWYDRIVE), 8088b1b1fabd07798934ed3349edc468062b166d5413e59e78216e69e7ba58ab (SOGU rule), and other hashes referenced in the report.
  • [Domain] Hard-coded C2 domains observed – www.beautyporntube[.]com (observed as a SNOWYDRIVE C2 domain).
  • [IP address] C2 infrastructure IP examples attributed to SOGU – 45.142.166[.]112, 103.56.53[.]46 (and additional IPs listed in the article).
  • [File path] Common working/install locations and USB artifact paths – <drive>:\RECYCLER.BIN (USB working directory), C:\ProgramData\AvastSvcpCP (masqueraded install path for persistence).

An infected USB drive typically contains a benign-looking executable, a malicious DLL loader, and an encrypted .dat payload. When a user executes the benign EXE (examples observed: CEFHelper.exe, Smadav.exe, AdobeUpdate.exe, or dropper names like "USB Drive.exe"), the loader DLL (e.g., wsc.dll, smadhook32c.dll, hex.dll, VNTFXF32.dll, libcurl.dll, ZIPDLL.dll) is side‑loaded because Windows resolves the EXE's import from the application's own directory before the system directories; that loader decrypts and executes shellcode in memory (tracked as KORPLUG dropping SOGU, or ZIPDLL injecting SNOWYDRIVE). Dropper patterns include writing encrypted blobs to locations such as C:\Users\Public\SymantecsThorvices\Data or <drive>:\RECYCLER.BIN\<SOGU CLSID>, extracting components into a Bin directory, and using legitimate-sounding filenames to evade casual inspection.
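The three-file layout above (EXE, loader DLL, encrypted .dat, often under a hidden RECYCLER.BIN folder, plus SNOWYDRIVE's Kaspersky\Usb Drive\3.0 propagation folder) can be hunted for offline on a mounted drive or an extracted image. The script below is an added example written for this summary, not Mandiant's or the report's tooling; the file and folder names are the ones quoted in the report, while the scoring weights and the hidden-directory check are this example's own assumptions.

```python
"""Offline triage of a mounted USB drive or extracted image for the SOGU/SNOWYDRIVE
file layout: a benign-looking EXE beside a loader DLL and an encrypted .dat,
typically under a hidden RECYCLER.BIN folder, plus SNOWYDRIVE's propagation
folder Kaspersky\\Usb Drive\\3.0.

Added example for this summary, not Mandiant's tooling. File and folder names
are those quoted in the report; the scoring weights are this example's assumption.
"""
import os
import stat
import sys
from pathlib import Path

# Names quoted in the report. On their own they are weak indicators (wsc.dll and
# libcurl.dll are also legitimate DLL names); the signal is an EXE, a DLL and a
# .dat sitting together on removable media, ideally in a hidden folder.
KNOWN_EXES = {"cefhelper.exe", "smadav.exe", "adobeupdate.exe", "usb drive.exe"}
KNOWN_DLLS = {"wsc.dll", "smadhook32c.dll", "hex.dll", "vntfxf32.dll",
              "libcurl.dll", "zipdll.dll"}
KNOWN_DATS = {"avastauth.dat", "smadavupdate.dat"}
# Folder fragments the report ties to the USB working and propagation directories.
SUSPICIOUS_DIR_PARTS = ("recycler.bin", os.path.join("kaspersky", "usb drive", "3.0"))


def is_hidden(path: Path) -> bool:
    """True if the Windows hidden attribute is set; dot-prefix fallback off Windows."""
    try:
        return bool(os.stat(path).st_file_attributes & stat.FILE_ATTRIBUTE_HIDDEN)
    except AttributeError:  # st_file_attributes only exists on Windows
        return path.name.startswith(".")


def find_sideload_triads(root):
    """Walk `root` and return scored findings, highest score first.

    A directory is reported if it holds an EXE + DLL + .dat together, or if it
    lies under one of the report's suspicious folder names.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        lower = [f.lower() for f in filenames]
        exes = [f for f in lower if f.endswith(".exe")]
        dlls = [f for f in lower if f.endswith(".dll")]
        dats = [f for f in lower if f.endswith(".dat")]
        rel = os.path.relpath(dirpath, root).lower()
        triad = bool(exes and dlls and dats)
        in_suspicious_dir = any(part in rel for part in SUSPICIOUS_DIR_PARTS)
        if not triad and not in_suspicious_dir:
            continue
        score, reasons = 0, []
        if triad:
            score += 2
            reasons.append("exe+dll+dat co-located")
        if in_suspicious_dir:
            score += 2
            reasons.append(f"under suspicious folder: {rel}")
        if is_hidden(Path(dirpath)):
            score += 1
            reasons.append("directory is hidden")
        known = (set(exes) & KNOWN_EXES) | (set(dlls) & KNOWN_DLLS) | (set(dats) & KNOWN_DATS)
        if known:
            score += len(known)  # one point per name quoted in the report
            reasons.append("known names: " + ", ".join(sorted(known)))
        findings.append({"dir": dirpath, "score": score, "reasons": reasons,
                         "files": sorted(exes + dlls + dats)})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    # Usage: python triage_usb.py E:\   (or the mount point of an image)
    for finding in find_sideload_triads(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"[score {finding['score']}] {finding['dir']}")
        for reason in finding["reasons"]:
            print("    -", reason)
```

Run it against the drive letter or mount point; anything scoring 4 or more (a co-located triad inside RECYCLER.BIN, or a triad using the report's file names) deserves a look at the DLL's exports and the .dat's entropy before the drive is trusted. Treat the name lists as a starting point: the actors rotate file names, so the structural check is the part worth keeping.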

After execution, the chain performs host reconnaissance (tasklist /v, arp -a, netstat -ano, ipconfig /all, systeminfo), searches for office and PDF files, creates encrypted copies with Base64-encoded filenames, and stages them under hidden directories (e.g., C:\Users\<user>\AppData\Roaming\Intel\<base64 filename> or C:\ProgramData). Persistence is achieved by creating hidden program directories, adding Run registry entries (examples: AvastSvcpCP -> C:\ProgramData\AvastSvcpCP\AvastSvc.exe; SmadavNSK -> C:\ProgramData\Smadav\SmadavNSK\Smadav.exe), and sometimes scheduling a task to run every 10 minutes. SNOWYDRIVE’s components include modules that (1) install registry persistence, (2) drop and execute shellcode backdoors, (3) alter registry/file visibility settings to hide artifacts, and (4) infect other USB drives by creating a folder like <drive_root>\Kaspersky\Usb Drive\3.0 and copying encrypted installer files that extract <volume_name>.exe on insertion.
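The Run-key pattern described above (value name reused as the install directory name, binary under C:\ProgramData borrowing an AV vendor's name) is simple to score mechanically. The following is an added example, not Mandiant's code: SAMPLE_ENTRIES is constructed from the report's two examples plus two benign autostart entries, the heuristics and threshold are this example's assumptions, and collect_run_entries() is a Windows-only convenience that reads the live HKCU/HKLM Run keys through the standard-library winreg module.

```python
"""Score autostart (Run key) entries for the persistence pattern in the report:
a directory created under C:\\ProgramData whose name is reused as the Run value
name, holding an EXE that borrows an AV vendor's name (AvastSvc.exe, Smadav.exe).

Added example for this summary, not Mandiant's code. SAMPLE_ENTRIES is constructed
from the report's two examples plus two benign autostart entries; heuristics and
threshold are this example's assumption.
"""
import ntpath
import re

VENDOR_WORDS = ("avast", "smadav", "symantec", "kaspersky")
# Where a binary carrying one of those names would normally be installed.
LEGIT_ROOTS = ("c:\\program files", "c:\\windows")  # prefix also covers "program files (x86)"
SUSPICIOUS_THRESHOLD = 2

SAMPLE_ENTRIES = [  # constructed sample input: (value name, value data)
    ("AvastSvcpCP", r"C:\ProgramData\AvastSvcpCP\AvastSvc.exe"),
    ("SmadavNSK", r"C:\ProgramData\Smadav\SmadavNSK\Smadav.exe"),
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("AvastUI.exe", r'"C:\Program Files\Avast Software\Avast\AvastUI.exe" /nogui'),
]


def split_command(command: str) -> str:
    """Return the executable path from a Run value, dropping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    match = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return match.group(1) if match else command.split(" ")[0]


def assess_run_entry(name: str, command: str) -> dict:
    """Apply three heuristics drawn from the report's persistence description."""
    exe = split_command(command)
    exe_lower = exe.lower()
    reasons = []
    # 1. The Run value carries the same name as the directory it points into.
    if ntpath.basename(ntpath.dirname(exe)).lower() == name.lower():
        reasons.append("value name equals install directory name")
    # 2. The binary runs from C:\ProgramData rather than an install root.
    if exe_lower.startswith("c:\\programdata\\"):
        reasons.append("executable runs from C:\\ProgramData")
    # 3. AV-vendor branding on a binary outside Program Files / Windows.
    if any(w in exe_lower for w in VENDOR_WORDS) and not exe_lower.startswith(LEGIT_ROOTS):
        reasons.append("vendor-like name outside Program Files/Windows")
    return {"name": name, "exe": exe, "score": len(reasons), "reasons": reasons}


def assess_entries(entries):
    return [assess_run_entry(name, cmd) for name, cmd in entries]


def suspicious(entries, threshold=SUSPICIOUS_THRESHOLD):
    """Entries meeting the threshold; one heuristic alone is not enough (OneDrive scores 1)."""
    return [e for e in assess_entries(entries) if e["score"] >= threshold]


def collect_run_entries():
    """Read HKCU and HKLM ...\\CurrentVersion\\Run on a live Windows host; [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    subkey = r"Software\Microsoft\Windows\CurrentVersion\Run"
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            key = winreg.OpenKey(hive, subkey)
        except OSError:
            continue
        index = 0
        while True:
            try:
                name, value, _type = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            entries.append((name, str(value)))
            index += 1
    return entries


if __name__ == "__main__":
    live = collect_run_entries()
    for entry in suspicious(live or SAMPLE_ENTRIES):
        print(f"[score {entry['score']}] {entry['name']} -> {entry['exe']}")
        for reason in entry["reasons"]:
            print("    -", reason)
```

The benign OneDrive entry is included deliberately: its value name also matches its install directory, so it scores 1, which is why the threshold is 2 rather than any single heuristic. On a live host, pair this with a check of the scheduled tasks for a `/sc minute /mo 10` trigger pointing at the same binary, which the report lists as the alternative persistence mechanism.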

Command-and-control is done via hard‑coded domains or IPs embedded in shellcode; SNOWYDRIVE generates a unique ID from system name/user/volume serial and supports commands for file upload/download, create/terminate reverse shells, execute commands, list drives, and enumerate/search files. Exfiltration may use HTTP(S), a custom binary protocol over TCP/UDP, or ICMP. The malware also spreads to inserted removable media to propagate to other systems, enabling collection from networks and potentially air‑gapped environments. Read more: https://www.mandiant.com/resources/blog/infected-usb-steal-secrets