Exfiltration Over Physical Medium: Exfiltration over USB
Adversaries may attempt to exfiltrate data over a USB-connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.
Procedure Examples
Name | Description
---|---
Agent.btz | Agent.btz creates a file named thumb.dd on all USB flash drives connected to the victim. This file contains information about the infected system and activity logs.[1]
Machete | Machete has a feature to copy files from every drive onto a removable drive in a hidden folder.[2][3]
Remsec | Remsec contains a module to move data from air-gapped networks to Internet-connected systems by using a removable USB device.[4]
SPACESHIP | SPACESHIP copies staged data to removable drives when they are inserted into the system.[5]
Tropic Trooper | Tropic Trooper has exfiltrated data using USB storage devices.[6]
USBStealer | USBStealer exfiltrates collected files via removable media from air-gapped victims.[7]
Mitigations
Mitigation | Description
---|---
Disable or Remove Feature or Program | Disable Autorun if it is unnecessary.[8] Disallow or restrict removable media at an organizational policy level if they are not required for business operations.[9]
Limit Hardware Installation | Limit the use of USB devices and removable media within a network.
Detection
Monitor file access on removable media. Detect processes that execute when removable media are mounted.
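The two detection opportunities named above (file access on removable media, and processes that start when removable media are mounted) are only useful when correlated with the mount event itself, otherwise every write to a USB drive is noise. The following added example, which is not part of the ATT&CK page, shows that correlation over a constructed event stream: it remembers when each drive letter was mounted on a host, flags any process image launched from that drive within a window after the mount, and flags a process whose writes to the drive cross a file-count or byte-volume threshold (the bulk staging copy the procedure examples describe). The pipe-delimited field layout, the host and process names, and the thresholds are all assumptions made for the example; real telemetry (Sysmon file-create and process-create events, auditd or udev on Linux) would be mapped into the same tuples.

```python
"""Correlate removable-media mount events with follow-on file writes and
process launches. Constructed example for the ATT&CK T1052.001 page, not
a product's detection logic.

Assumed record layout (one event per line, constructed for this example):
    timestamp|host|event|path|process|bytes
where event is MOUNT, FILE_WRITE or PROCESS_START and path is the drive
letter for MOUNT events or the full file path otherwise.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str      # MOUNT, FILE_WRITE or PROCESS_START
    path: str      # "E:" for MOUNT, full path otherwise
    process: str   # process performing the write / parent of the launch
    nbytes: int    # bytes written (0 when not applicable)


def parse(line: str) -> Event:
    ts, host, kind, path, process, nbytes = line.split("|")
    return Event(datetime.fromisoformat(ts), host, kind, path, process,
                 int(nbytes or 0))


def drive_of(path: str) -> str:
    """Drive letter with colon, e.g. 'E:\\docs\\x.bin' -> 'E:'."""
    return path[:2].upper()


def detect(lines, window=timedelta(minutes=10), max_files=20,
           max_bytes=50 * 2 ** 20):
    """Return (host, rule, object, process) alerts for the given log lines.

    rule is 'exec_from_removable' when a process image on a recently
    mounted drive is launched, or 'bulk_write_to_removable' when one
    process writes at least max_files files or max_bytes bytes to a
    recently mounted drive. Each (host, drive, process) alerts once.
    """
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e.ts)
    mounts = {}                              # (host, drive) -> mount time
    writes = defaultdict(lambda: [0, 0])     # (host, drive, process) -> [files, bytes]
    alerted = set()
    alerts = []
    for e in events:
        if e.kind == "MOUNT":
            mounts[(e.host, drive_of(e.path))] = e.ts
            continue
        key = (e.host, drive_of(e.path))
        mounted_at = mounts.get(key)
        # Ignore activity on drives we never saw mounted, or mounted long ago.
        if mounted_at is None or e.ts - mounted_at > window:
            continue
        if e.kind == "PROCESS_START":
            alerts.append((e.host, "exec_from_removable", e.path, e.process))
        elif e.kind == "FILE_WRITE":
            stats = writes[key + (e.process,)]
            stats[0] += 1
            stats[1] += e.nbytes
            crossed = stats[0] >= max_files or stats[1] >= max_bytes
            if crossed and key + (e.process,) not in alerted:
                alerted.add(key + (e.process,))
                alerts.append((e.host, "bulk_write_to_removable", key[1], e.process))
    return alerts


# Constructed sample: one user document, one launch from the stick, one
# process staging two 40 MiB blobs, a write to an unmounted drive, and a
# write long after the mount (the last two must not alert).
SAMPLE_LOG = r"""
2024-05-01T09:00:00|ws01|MOUNT|E:|explorer.exe|0
2024-05-01T09:00:05|ws01|FILE_WRITE|E:\report.docx|WINWORD.EXE|120000
2024-05-01T09:00:09|ws01|PROCESS_START|E:\update.exe|explorer.exe|0
2024-05-01T09:01:00|ws01|FILE_WRITE|E:\backup\part1.bin|svchost.exe|41943040
2024-05-01T09:01:30|ws01|FILE_WRITE|E:\backup\part2.bin|svchost.exe|41943040
2024-05-01T09:02:00|ws01|FILE_WRITE|D:\share\x.bin|svchost.exe|41943040
2024-05-01T09:30:00|ws01|FILE_WRITE|E:\late.bin|svchost.exe|41943040
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The window and thresholds are the tuning knobs: a short window after the mount catches Autorun-style launches and the "copy on insert" behaviour of SPACESHIP, while the per-process byte counter catches a slow staging copy that single-event rules miss. Whitelisting expected backup or imaging processes belongs in the caller, not in the correlation itself.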
References
- Gostev, A. (2014, March 12). Agent.btz: a Source of Inspiration?. Retrieved April 8, 2016.
- ESET. (2019, July). MACHETE JUST GOT SHARPER: Venezuelan government institutions under attack. Retrieved September 13, 2019.
- Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
- Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
- FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
- Chen, J. (2020, May 12). Tropic Trooper's Back: USBferry Attack Targets Air-gapped Environments. Retrieved May 20, 2020.
- Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
- Microsoft. (n.d.). How to disable the Autorun functionality in Windows. Retrieved April 20, 2016.
- Microsoft. (2007, August 31). https://technet.microsoft.com/en-us/library/cc771759(v=ws.10).aspx. Retrieved April 20, 2016.