
Malicious USB Drives Targeting Global Targets with SOGU and SNOWYDRIVE Malware
2023-07-17 10:55

Cyber attacks using infected USB drives as an initial access vector have seen a three-fold increase in the first half of 2023.

SOGU is the "Most prevalent USB-based cyber espionage attack using USB flash drives and one of the most aggressive cyber espionage campaigns targeting both public and private sector organizations globally across industry verticals," the Google-owned threat intelligence firm said.

Targets include construction and engineering, business services, government, health, transportation, and retail in Europe, Asia, and the U.S. The infection chain detailed by Mandiant exhibits tactical commonalities with another campaign detailed by Check Point, which took the wraps off a strain of self-propagating malware called WispRider that spreads through compromised USB drives and could potentially breach air-gapped systems.

It all starts with a malicious USB flash drive plugged into a computer, leading to the execution of PlugX, which then decrypts and launches a C-based backdoor called SOGU that exfiltrates files of interest, keystrokes, and screenshots.

The second cluster to leverage the USB infiltration mechanism is UNC4698, which has singled out oil and gas organizations in Asia to deliver the SNOWYDRIVE malware to execute arbitrary payloads on the hacked systems.

"Organizations should prioritize implementing restrictions on access to external devices such as USB drives," the researchers said.


News URL

https://thehackernews.com/2023/07/malicious-usb-drives-targetinging.html