Security Experts Discover Airgap-Jumping USB Trojan

Written by

Security experts are warning organizations running systems isolated from the internet to be on their guard after discovering a stealthy data-stealer run from a thumb drive which leaves no trace on a compromised computer.

Eset explained in a blog post that the “USB Thief” trojan takes advantage of the increasingly common practice of storing portable versions of popular apps like Firefox on USBs.

The malware typically hides inside a plugin or a dynamically linked library (DLL), so that when such an application is executed, it is also run in the background.

It also contains a sophisticated mechanism to protect itself from copying or reverse engineering by encrypting certain files with AES-128 and with file names generated from cryptographic elements.

The AES encryption key is tied to the particular USB the malware was loaded onto so it can’t be run from any other device, making it doubly difficult to detect or analyze.

There are three loaders, with some anti-AV checks run with the third. The final payload kick-starts the data stealing functionality, although Eset claimed that the malware could be redesigned with another payload.

Eset malware analyst, Tomáš Gardon, explained that the malware was most likely created for targeted attacks against air-gapped systems, and although the sample found is a data stealer, there could be one in the wild which has a more destructive payload designed to hit industrial control systems.

USB ports should be disabled where possible, and if that’s not possible, strict policies should be applied to their use, alongside cybersecurity training to warn staff not to insert any USB they find lying about, he advised.

Peter Stancik, ESET security evangelist, explained that USB Thief is probably “not on a par” with the most sophisticated nation state-level malware out there, “but both the mode of operation and implementation show clever tricks.”

It may have been used by a malicious insider, he told Infosecurity by email.

“However, it might also be spread through an insider whose device has been infected with USB Thief by someone else and who is ‘stealing’ the data unknowingly,” he added.

“Another option could be a dedicated dropper that could be delivered via the internet and then used to drop the USB Thief onto a USB storage when inserted. Then wait for the infected USB storage to be plugged in the targeted air-gapped system.”

What’s hot on Infosecurity Magazine?