Sogu, SnowyDrive Malware Spreads, USB-Based Cyberattacks Surge

Published: 23/11/2024   Category: security




Two separate threat actors are using poisoned USB drives to distribute malware in cyber-espionage campaigns targeting organizations across different sectors and geographies.



Two ongoing cyber-espionage campaigns targeting organizations across multiple industries and regions demonstrate the importance for security teams of restricting access to USB drives and other external devices on employee systems.
In one of the campaigns, a China-linked threat actor tracked as TEMP.Hex is using USB flash drives to load malware for stealing sensitive information from host systems. Once on a system, the malware, dubbed Sogu, can copy itself to any removable drive that's plugged into the infected host, thereby giving the attacker a way to spread the payload to other systems, including, potentially, air-gapped systems.
Researchers from Mandiant recently discovered the threat and believe that TEMP.Hex is using Sogu to collect information of economic and national security interest to China. The security vendor has assessed the campaign as posing a threat to organizations across multiple sectors, particularly in engineering, construction, government, transportation, health, and business services.
Mandiant researchers said a threat actor that it's tracking as UNC4698 is responsible for another major ongoing cyber campaign, also using infected USB drives to drop malware on victim systems. The malware in this campaign, dubbed SnowyDrive, creates a backdoor on the systems it infects, so the cyberattacker has a way to remotely interact with the device and issue commands. The organizations in UNC4698's crosshairs for this campaign are oil and gas organizations in Asia.
According to Mandiant, there's been a threefold increase in attacks involving USB drives in the first half of 2023, though the immediate impetus for the sudden surge remains unclear. Though incidents involving poisoned USB drives remain somewhat rare relative to other cyberattack vectors, there have been several instances where threat actors — including large professional groups — have employed the tactic.
Sogu and SnowyDrive are just two malware tools that Mandiant researchers — and others — have recently observed threat actors deploying via infected USB flash drives. In December, Mandiant reported on another China-linked threat actor, UNC4191, that was deploying four separate malware families on infected systems via USB drives. The victims in that campaign included public and private sector organizations in Southeast Asia and, to a lesser extent, in the US, Europe, and the Asia-Pacific region.
In June, Check Point described an incident it had recently investigated where a China-nexus threat actor dubbed Camaro Dragon (aka Mustang Panda) gained access to a hospital network via an infected USB drive and deployed self-propagating malware for stealing data.
And the notorious, financially motivated FIN7 group (aka Carbanak) last year attracted the FBI's attention when it sent ransomware-loaded USBs — disguised to appear like they were from the US Department of Health and Human Services — to targets in the US defense, transportation, and other sectors.
"Organizations should prioritize implementing restrictions on access to external devices such as USB drives," Mandiant researchers Rommel Joven and NG Choon Kiat wrote in the recent post. "If this is not possible, they should at least scan these devices for malicious files or code before connecting them to their internal networks."
Like all USB-based attacks, the Sogu and SnowyDrive campaigns depend on users picking up a rogue USB, inserting it into their system, and following through on subsequent prompts. Mandiant's report identified hotels and local print shops as potential hotspots for infection, where targets might be on business trips and less vigilant about security.
With the Sogu campaign, the weaponized USB flash drive initially loads three files when a user inserts the device into a host system: a legitimate executable, a malicious dynamic link library (DLL) loader, and an encrypted payload. When executed, the legitimate executable — typically, security software such as Symantec or Avast — sideloads Korplug, a malicious DLL file, which then decrypts and loads the Sogu backdoor in memory. Subsequent steps in the infection chain include the malware gathering specific system metadata and searching the C drive for files with .docx, .doc, .ppt, .pdf, and other extensions. The malware also executes separate steps to stage all the information that it retrieves, exfiltrate the data, and finally to maintain its presence on an infected system.
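The three-file sideloading pattern just described (a legitimate executable, a loader DLL and an encrypted payload dropped together) and the researchers' advice to scan removable media before connecting it both lend themselves to a simple pre-connection triage check. The script below is an added example, not Mandiant's tooling or code from this article: it walks a mounted drive and flags any directory that holds a PE executable, a PE DLL and a non-PE file whose byte entropy is high enough to suggest encrypted or packed data. The entropy threshold, the minimum blob size and the sample drive contents are assumptions constructed for the demonstration.

```python
"""
Heuristic triage of a removable drive for the DLL sideloading triad described
in the article: a legitimate EXE, a loader DLL and an opaque encrypted payload
sitting together in one directory. Added example; not Mandiant's code.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List

ENTROPY_THRESHOLD = 7.2   # assumption: bits/byte; encrypted or compressed data approaches 8.0
MIN_BLOB_SIZE = 1024      # assumption: skip tiny files, whose entropy estimate is noisy


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def is_pe(path: Path) -> bool:
    """True if the file begins with the 'MZ' header of a Windows PE image."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def find_sideload_triads(root: Path) -> List[Dict]:
    """Walk `root` and flag directories holding an EXE, a DLL and a high-entropy non-PE blob."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        exes = [f for f in files if f.lower().endswith(".exe") and is_pe(d / f)]
        dlls = [f for f in files if f.lower().endswith(".dll") and is_pe(d / f)]
        blobs = []
        for f in files:
            p = d / f
            if f.lower().endswith((".exe", ".dll")) or p.stat().st_size < MIN_BLOB_SIZE:
                continue
            if not is_pe(p) and shannon_entropy(p.read_bytes()) >= ENTROPY_THRESHOLD:
                blobs.append(f)
        if exes and dlls and blobs:
            findings.append({"dir": str(d), "exe": exes, "dll": dlls, "blob": blobs})
    return findings


def build_sample_drive() -> Path:
    """Construct a fake mounted drive for the demonstration (every file here is synthetic)."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    staged = root / "Documents" / "tools"
    staged.mkdir(parents=True)
    (staged / "viewer.exe").write_bytes(b"MZ" + b"\x00" * 4096)      # stand-in 'legitimate' EXE
    (staged / "helper.dll").write_bytes(b"MZ" + b"\x00" * 4096)      # stand-in loader DLL
    (staged / "config.dat").write_bytes(os.urandom(8192))             # stand-in encrypted payload
    benign = root / "Documents" / "report"
    benign.mkdir()
    (benign / "notes.txt").write_bytes(b"quarterly numbers\n" * 200)  # low-entropy text, not flagged
    return root


if __name__ == "__main__":
    drive = build_sample_drive()
    for hit in find_sideload_triads(drive):
        print("suspicious directory:", hit)
```

Treat a hit as a reason to pull the files for analysis rather than as a verdict: a benign installer that ships compressed resources beside its executable will trip the same heuristic, and a loader whose payload is stored inside the DLL itself will not.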
"The malware may include HTTP, HTTPS, a custom binary protocol over TCP or UDP, and ICMP to communicate with its command-and-control server," Mandiant said. The malware was also found to support a wide range of commands, including file transfer, file execution, remote desktop, screenshot capture, reverse shell, and keylogging.
With SnowyDrive, after the USB is inserted into a system, the user has to click on a malicious executable that is spoofed to look like a legitimate file. The executable serves as a dropper that writes multiple encrypted malicious files to disk, each of which contains executables and DLLs. One of them is SnowyDrive, a shellcode-based backdoor that contains a long list of commands. These include commands to create, write, or delete files; upload initial files; create a cmd.exe reverse shell; list drives; and start a file/directory search. The malware communicates with a command-and-control server whose domain is hard coded into the shellcode.
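Because the command-and-control domain is hard coded into the shellcode, one defender-side triage step for a dropped blob is to pull hostname-like strings out of it for blocklisting and hunting. The script below is an added example, not Mandiant's code and not derived from the actual SnowyDrive sample; the blob and the domain cdn-update.example.com are constructed. It assumes the domain is stored as a plain ASCII or UTF-16LE (Windows wide) string; a domain that is obfuscated or decoded only at runtime will not surface this way and needs dynamic analysis instead.

```python
"""
Triage helper: extract candidate C2 hostnames from an opaque blob (shellcode or
a dropped file) in which the domain is stored as a readable string.
Added example; the blob and domain below are constructed, not real IOCs.
"""
import re
from typing import List

# Printable ASCII runs of at least 6 characters, and the same in UTF-16LE
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
# Hostname: dot-separated labels of letters, digits and hyphens, ending in an alphabetic TLD
HOSTNAME = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b", re.I)


def extract_strings(blob: bytes) -> List[str]:
    """Return readable ASCII and wide strings, in the same spirit as the `strings` tool."""
    out = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    out += [m.group().decode("utf-16-le") for m in WIDE_RUN.finditer(blob)]
    return out


def candidate_c2_hosts(blob: bytes) -> List[str]:
    """Unique, lower-cased hostname-looking substrings found in the blob's strings."""
    hosts: List[str] = []
    for s in extract_strings(blob):
        for m in HOSTNAME.finditer(s):
            h = m.group().lower()
            if h not in hosts:
                hosts.append(h)
    return hosts


def build_sample_blob() -> bytes:
    """Constructed stand-in for a shellcode blob: filler bytes, an ASCII domain, a wide string."""
    return (
        b"\x90" * 16                            # NOP sled filler (synthetic)
        + b"\xe8\x00\x00\x00\x00"               # arbitrary opcode bytes (synthetic)
        + b"cdn-update.example.com\x00"         # constructed hard-coded domain
        + b"\xcc" * 8
        + "Mozilla/5.0".encode("utf-16-le")     # constructed wide string, not a hostname
        + b"\x00\x00"
        + b"\x41" * 3                           # too short to count as a string
    )


if __name__ == "__main__":
    sample = build_sample_blob()
    print("strings:", extract_strings(sample))
    print("candidate C2 hosts:", candidate_c2_hosts(sample))
```

Feed the output into a resolver log or DNS telemetry search rather than straight into a blocklist: legitimate library strings (update servers, certificate URLs) match the same pattern, so each candidate needs a quick look before it becomes an indicator.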
