Currently viewing ATT&CK v8.2, which was live between October 27, 2020 and April 28, 2021.

USBStealer

USBStealer is malware that has been used by APT28 since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with ADVSTORESHELL. [1] [2]

ID: S0136
Associated Software: USB Stealer, Win32/USBStealer
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 18 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1119 Automated Collection

For all non-removable drives on a victim, USBStealer executes automated collection of certain files for later exfiltration.[1]

Enterprise T1020 Automated Exfiltration

USBStealer automatically exfiltrates collected files via removable media when an infected device is connected to the second victim after receiving commands from the first victim.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

USBStealer registers itself under a Registry Run key with the name "USB Disk Security."[1]

Enterprise T1092 Communication Through Removable Media

USBStealer drops commands for a second victim onto a removable media drive inserted into the first victim, and commands are executed when the drive is inserted into the second victim.[1]

Enterprise T1025 Data from Removable Media

Once a removable media device is inserted back into the first victim, USBStealer collects data from it that was exfiltrated from a second victim.[1][2]

Enterprise T1074 .001 Data Staged: Local Data Staging

USBStealer collects files matching certain criteria from the victim and stores them in a local directory for later exfiltration.[1][2]

Enterprise T1052 .001 Exfiltration Over Physical Medium: Exfiltration over USB

USBStealer exfiltrates collected files via removable media from air-gapped victims.[1]

Enterprise T1083 File and Directory Discovery

USBStealer searches victim drives for files matching certain extensions (".skr", ".pkr" or ".key") or names.[1][2]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

USBStealer has several commands to delete files associated with the malware from the victim.[1]

Enterprise T1070 .006 Indicator Removal on Host: Timestomp

USBStealer sets the timestamps of its dropper files to the last-access and last-write timestamps of a standard Windows library chosen on the system.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

USBStealer mimics a legitimate Russian program called USB Disk Security.[1]

Enterprise T1027 Obfuscated Files or Information

Most strings in USBStealer are encrypted using 3DES and XOR and reversed.[1]

Enterprise T1120 Peripheral Device Discovery

USBStealer monitors victims for insertion of removable drives. When dropped onto a second victim, it also enumerates drives connected to the system.[1]

Enterprise T1091 Replication Through Removable Media

USBStealer drops itself onto removable media and relies on Autorun to execute the malicious file when a user opens the removable media on another system.[1]
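The Timestomp entry above describes dropper files whose last-access and last-write times are copied from a standard Windows library. The following is an added detection example, not code from ATT&CK or from the cited reports: it flags files in a staging directory whose (access, write) timestamp pair exactly matches that of some file in a reference library directory. Directory and file names in the demo are constructed stand-ins.

```python
import os
import tempfile
from pathlib import Path


def timestamp_key(path: Path) -> tuple:
    """(last-access, last-write) in nanoseconds: the pair the dropper copies
    from a Windows library. Both must match for a hit."""
    st = path.stat()
    return (st.st_atime_ns, st.st_mtime_ns)


def find_timestamp_clones(candidate_dir, reference_dir):
    """Return (candidate, library) pairs whose timestamp pairs match exactly.

    An exact match of both timestamps against a system library is unusual
    for a file written by a user or an ordinary installer, so it is a cheap
    timestomp indicator. Tools that preserve source timestamps when copying
    produce false positives, so treat hits as triage leads, not alerts.
    """
    reference = {}
    for lib in Path(reference_dir).iterdir():
        if lib.is_file():
            reference.setdefault(timestamp_key(lib), lib.name)
    hits = []
    for cand in sorted(Path(candidate_dir).iterdir()):
        if cand.is_file() and timestamp_key(cand) in reference:
            hits.append((cand.name, reference[timestamp_key(cand)]))
    return hits


def demo():
    """Constructed sample: a fake library directory plus a staging directory
    holding one timestomped dropper and one innocent file."""
    with tempfile.TemporaryDirectory() as tmp:
        libs = Path(tmp, "system32"); libs.mkdir()   # constructed, not real
        stage = Path(tmp, "stage"); stage.mkdir()
        lib = libs / "example.dll"                   # stand-in library name
        lib.write_bytes(b"MZ")
        old = 1_262_304_000 * 10**9                  # 2010-01-01 UTC, in ns
        os.utime(lib, ns=(old, old))
        dropper = stage / "dropper.exe"
        dropper.write_bytes(b"MZ")
        os.utime(dropper, ns=timestamp_key(lib))     # mimic the timestomp
        (stage / "notes.txt").write_text("benign")   # keeps current times
        return find_timestamp_clones(stage, libs)


if __name__ == "__main__":
    print(demo())  # [('dropper.exe', 'example.dll')]
```

On a live host the reference directory would be the system library folder and the candidate set the paths where the dropper is staged; the pairwise comparison stays the same.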

Groups That Use This Software

ID Name References
G0007 APT28 [3]

References