Currently viewing ATT&CK v8.2 which was live between October 27, 2020 and April 28, 2021.

USBferry

USBferry is an information-stealing malware that has been used by Tropic Trooper in targeted attacks against Taiwanese and Philippine air-gapped military environments. USBferry shares an overlapping codebase with YAHOYAH, though it has several features which make it a distinct piece of malware.[1]

ID: S0452
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 20 May 2020
Last Modified: 16 June 2020

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

USBferry can use net user to gather information about local accounts.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

USBferry can execute various Windows commands.[1]

Enterprise T1005 Data from Local System

USBferry can collect information from an air-gapped host machine.[1]

Enterprise T1083 File and Directory Discovery

USBferry can detect the victim's file or folder list.[1]

Enterprise T1120 Peripheral Device Discovery

USBferry can check for connected USB devices.[1]

Enterprise T1057 Process Discovery

USBferry can use tasklist to gather information about the processes running on the infected system.[1]

Enterprise T1018 Remote System Discovery

USBferry can use net view to gather information about remote systems.[1]

Enterprise T1091 Replication Through Removable Media

USBferry can copy its installer to attached USB storage devices.[1]

Enterprise T1218 .011 Signed Binary Proxy Execution: Rundll32

USBferry can execute rundll32.exe in memory to avoid detection.[1]

Enterprise T1016 System Network Configuration Discovery

USBferry can detect the infected machine's network topology using ipconfig and arp.[1]

Enterprise T1049 System Network Connections Discovery

USBferry can use netstat and nbtstat to detect active network connections.[1]
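The discovery commands listed above (net user, tasklist, net view, ipconfig, arp, netstat, nbtstat) are individually benign but rarely run together within seconds. As an added example that is not part of the ATT&CK page or the cited report, the Python below maps process command lines to the technique IDs above and flags a host that shows several distinct techniques inside one short window; the event line format, host names and sample events are constructed.

```python
# Flag hosts running a burst of the discovery commands attributed to USBferry
# above; the mapping to technique IDs follows this page. Events are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

DISCOVERY = {
    ("net", "user"): "T1087.001", ("tasklist",): "T1057", ("net", "view"): "T1018",
    ("ipconfig",): "T1016", ("arp",): "T1016", ("netstat",): "T1049", ("nbtstat",): "T1049",
}

# Constructed process-creation events: "<timestamp> <host> <command line>".
SAMPLE_EVENTS = """\
2020-05-20T10:00:01 WS01 cmd.exe /c net user
2020-05-20T10:00:03 WS01 cmd.exe /c tasklist
2020-05-20T10:00:04 WS01 cmd.exe /c net view
2020-05-20T10:00:06 WS01 cmd.exe /c ipconfig /all
2020-05-20T10:00:08 WS01 cmd.exe /c arp -a
2020-05-20T10:00:09 WS01 cmd.exe /c netstat -ano
2020-05-20T10:00:11 WS01 cmd.exe /c nbtstat -n
2020-05-20T09:15:00 WS02 cmd.exe /c ipconfig
2020-05-20T14:40:00 WS02 cmd.exe /c netstat -an
"""

def classify(cmdline):
    """Return the technique ID a command line indicates, or None."""
    tokens = [t.lower().removesuffix(".exe") for t in cmdline.split()]
    if tokens[:2] in (["cmd", "/c"], ["cmd", "/k"]):  # unwrap "cmd.exe /c <command>"
        tokens = tokens[2:]
    if not tokens:
        return None
    key = tuple(tokens[:2]) if tokens[0] == "net" else (tokens[0],)  # net has subcommands
    return DISCOVERY.get(key)

def detect(events_text, window_seconds=300, min_techniques=3):
    """Return {host: sorted technique IDs} for every host that shows at least
    min_techniques distinct discovery techniques inside one window."""
    per_host = defaultdict(list)
    for line in events_text.splitlines():
        ts, host, cmdline = line.split(maxsplit=2)
        tech = classify(cmdline)
        if tech:
            per_host[host].append((datetime.fromisoformat(ts), tech))
    window, flagged = timedelta(seconds=window_seconds), {}
    for host, events in per_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window from each event
            seen = {tech for ts, tech in events[i:] if ts - start <= window}
            if len(seen) >= min_techniques:
                flagged[host] = sorted(seen)
                break
    return flagged
```

WS02 runs two of the same commands hours apart and is not flagged, which is the point of requiring several distinct techniques in one window rather than alerting on any single command.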

Groups That Use This Software

ID Name References
G0081 Tropic Trooper [1]

References