ESET researchers have identified an Infostealer Trojan that is activated via USB drive specially configured for it. The info stealer can slip past antivirus software undetected and run as a legitimate svchost process in Windows. The malware’s detections names given by ESET are Win32/PSW.Stealer.NAI for the payload and Win32/TrojanDropper.Agent.RFT for the loader. The malware has caught interest in the cyber security field, and it has been given the nickname “USB Thief”.
Technical Information on USB Thief
Similar to other information copying malware, this one has several stages by which it methodologically operates, greatsoftline.com researchers report.
→ Stage 1 Loader >Stage 2 Loader >Stage 3 Loader>Stage 4 Payload Dropper and Data Stealing
All of the first three stages are mainly oriented into the successful infection of the computer, and they take into consideration the following system information:
- Is the payload executed from the USB?(Stage 1)
- Will the user open the portable infected loader? (Stage 1)
- Will the infected file that is launched be configured to be verified successfully?(Stage 2)
- Will the gathered information be sufficient to prevent interruptions of the infection and the data-stealing process? (If yes, the the malware stops the infection process)(Stage 2)
- Is the AntVirus software on the victim PC running and does it have Real-Time protection?(Stage 3).
The fourth stage is where the actual data is being stolen. The module of this stage creates a new svchost.exe process in the following location:
The module is specifically configured to prioritize automatically which data to be stolen first and transferred to the very same drive. For starters, researchers point that the malware steals the complete HKCU registry tree data. In addition to that, it looks for images as well as documents. This is believed to be done via a free application called “WinAudit”. The files which have been successfully copied to the drive are encrypted using EC (Elliptic Curve) cypher.
How Does It Protect Itself
This malware is very carefully designed. It has executable files(modules) as well as configuration files for those executables. To prevent cyber-security engineers from researching it, a powerful AES-128 encryption algorithm on those modules has been used.
Not only this, but the names of its executables are completely random and for every malware sample which is detected, the USB Thief may have different file names. This file encryption mechanism is very familiar to CryptoWall 4.0 Ransomware which uses the same method for the files it encrypts, so similar or the same configuration may have been used here.
In addition to those protection mechanisms, the USB drive carrying the malware components is specially configured so that it allows you to run these particular modules only from this drive. This means that you cannot run the malware from other places since it is successfully executed only via its USB drive.
After successfully decrypting the AES-128 encrypted modules of the malware, researchers from GreatSoftLine have concluded that this malware uses its above-identified stages consequently, meaning that Stage 1 drops Stage 2 data and so on.
The features of this malware may not make it very widespread. But for attackers that target specific computer or a device in a Local Area Network(LAN) with a goal to steal its data, this type of attacks are very effective. For starters, many users in your local company may be the opportunity for a hacker to steal the data. Here are the risks for your local network of computers that you should think of when protecting the network:
- An inside person is applying the “hands-on” approach.
- The “dropped drive” hack. – A flash drive that seems to be forgotten or lost by someone but it was done on purpose. This is especially effective if the lost drive has information on it, like the logo of your company, for example.
- USB drives designed to look like other devices (Phone, Wireless Mouse Connector and others)
The bottom line is that there should be an extensive education of users within a network and the access to certain elements of the computer should be limited to some extent. Doing that and following the recommended security tips with the combination of a powerful anti-malware software is a good recipe for increasing overall protection significantly.