Tropic Trooper, a threat actor group that targets government, military, healthcare, transportation, and high-tech industries in Taiwan, the Philippines, and Hong Kong, has been active since 2011. The group was reportedly using spear-phishing emails with weaponized attachments to exploit known vulnerabilities. Primarily motivated by information theft and espionage, the group has also been seen adopting different strategies such as fine-tuning tools with new behaviors and going mobile with surveillanceware.

We found that Tropic Trooper's latest activities center on targeting the Taiwanese and Philippine militaries' physically isolated networks through a USBferry attack (the name is derived from a sample found in related research). We also observed targets among military/navy agencies, government institutions, military hospitals, and even a national bank. The group employs USBferry, a USB malware that performs different commands on specific targets, maintains stealth in the environment, and steals critical data through USB storage. We started tracking this particular campaign in 2018, and our analysis shows that it uses a fake executable decoy and a USB trojan strategy to steal information.

Based on data from the Trend Micro™ Smart Protection Network™ security infrastructure, USBferry attacks have been active since 2014. We found the group was focused on stealing defense-, ocean-, and ship-related documents from target networks, which led us to believe that Tropic Trooper's main purpose is to exfiltrate confidential information or intelligence.

Figure 1.

Tropic Trooper is well aware that military or government organizations may have more robust security in their physically isolated environments (for example, biometric access controls, or a quarantine machine on which USB devices must be used and scanned before they reach the air-gapped environment). The group therefore targets potentially less secure related organizations that can serve as jumping-off points for attacks. For instance, we observed Tropic Trooper move from a military hospital into the military's physically isolated network.

This blog post provides an overview of the USB malware called USBferry and its capabilities, as well as the other tools used to infiltrate physically isolated environments. Further details, including indicators of compromise (IoCs), can be read in the technical brief.

We first encountered the malware in a PricewaterhouseCoopers report that mentioned a sample related to Tropic Trooper but did not include a detailed analysis. We looked into it further and discovered many versions of it, including several program database (PDB) strings. Notably, the USBferry malware already has at least three versions, with different variants and components, at the time of writing. Here are the noteworthy points we gathered during analysis:

The first version includes a small component of the TROJ_YAHOYAH trojan. The malware checks whether a USB storage device is plugged into the target machine and, if so, copies the USBferry installer onto it. Its activities vary with the target environment: some variants execute commands, collect lists of target files or folders, and copy files from physically isolated hosts to compromised hosts, among other things.

Figure 2. USBferry malware's first version, where the EXE file is the USBferry malware and the DLL file is the trojan TROJ_YAHOYAH

The second version has the same capabilities as the first and combines the components into one executable. This version also changes the malware's location and renames it to UF, an abbreviation for USBferry.

Figure 3. USBferry malware's second version, combined into one file

The third version retains the previous versions' capabilities and improves its stealth in the target environment by residing in the memory of rundll32.exe.

Figure 4. USBferry malware's third version, which becomes resident in memory

How USBferry targets air-gapped systems

In our technical brief, we broke down how Tropic Trooper has changed the way it uses the abovementioned USBferry versions in attacks. The group achieves infection by employing a USB worm infection strategy and ferrying a malware installer via USB into an air-gapped host machine.

Figure 5. USBferry malware using the USB worm infection strategy
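The three behaviors described above (an installer written to USB storage, execution out of rundll32.exe, and files copied off the isolated host onto the same USB volume) each leave a distinct trace in endpoint telemetry. The following is an added example of detection logic for that pattern; it is not Trend Micro's code, not code from the technical brief, and not derived from USBferry samples. It assumes Sysmon-style records (event 11 = FileCreate, event 1 = ProcessCreate) reduced to dictionaries, assumes the set of removable volumes is known (here hard-coded, where a real deployment would read it from the host's volume inventory), and runs over a handful of constructed events with invented file names.

```python
from datetime import datetime, timedelta

# Assumption: which drive letters are removable. A deployment would populate this
# from the host (e.g. Win32_LogicalDisk DriveType == 2); fixed here for the example.
REMOVABLE_VOLUMES = {"E:", "F:"}
PE_EXTENSIONS = (".exe", ".dll", ".scr", ".cpl")

# Constructed Sysmon-style events for the example. File names, paths and timestamps
# are invented and are not USBferry indicators.
SAMPLE_EVENTS = [
    {"ts": "2020-05-12T09:00:01", "id": 11, "image": r"C:\Windows\explorer.exe",
     "target": r"E:\minutes.docx"},
    # Ferry stage: an unsigned temp-dir process drops an installer and a DLL onto the USB volume
    {"ts": "2020-05-12T09:00:05", "id": 11, "image": r"C:\Users\u\AppData\Local\Temp\svc.exe",
     "target": r"E:\setup.exe"},
    {"ts": "2020-05-12T09:00:06", "id": 11, "image": r"C:\Users\u\AppData\Local\Temp\svc.exe",
     "target": r"E:\helper.dll"},
    # Execution stage: rundll32.exe started with a DLL that lives on the removable volume
    {"ts": "2020-05-12T09:03:00", "id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe E:\helper.dll,Start", "parent": r"E:\setup.exe"},
    # Collection stage: one process writes twelve files to the USB volume within seconds
    *[{"ts": f"2020-05-12T09:10:{i:02d}", "id": 11, "image": r"C:\Windows\System32\rundll32.exe",
       "target": rf"E:\stage\doc{i}.pdf"} for i in range(12)],
    # Benign: a document saved to the local disk matches no rule
    {"ts": "2020-05-12T09:20:00", "id": 11, "image": r"C:\Program Files\Office\WINWORD.EXE",
     "target": r"C:\Users\u\Documents\memo.docx"},
]


def volume_of(path):
    """Return the drive letter ('E:') of a Windows path, or '' if it has none."""
    return path[:2].upper() if len(path) >= 2 and path[1] == ":" else ""


def on_removable(path):
    return volume_of(path) in REMOVABLE_VOLUMES


def is_pe(path):
    return path.lower().endswith(PE_EXTENSIONS)


def rule_pe_written_to_removable(events):
    """Ferry stage: an executable or DLL is written onto removable media."""
    return [{"rule": "pe_written_to_removable", "ts": e["ts"], "image": e["image"], "target": e["target"]}
            for e in events if e["id"] == 11 and on_removable(e["target"]) and is_pe(e["target"])]


def rule_rundll32_from_removable(events):
    """Execution stage: rundll32.exe references a removable volume in its command line,
    or its parent process runs from one."""
    alerts = []
    for e in events:
        if e["id"] != 1 or not e["image"].lower().endswith("rundll32.exe"):
            continue
        args = e.get("cmdline", "")
        refs_removable = any(v.lower() + "\\" in args.lower() for v in REMOVABLE_VOLUMES)
        if refs_removable or on_removable(e.get("parent", "")):
            alerts.append({"rule": "rundll32_from_removable", "ts": e["ts"],
                           "cmdline": args, "parent": e.get("parent", "")})
    return alerts


def rule_bulk_staging(events, window=timedelta(minutes=2), threshold=10):
    """Collection stage: one process writes at least `threshold` files to a removable
    volume inside a sliding `window`. Thresholds are assumptions to tune per site."""
    writes = {}
    for e in events:
        if e["id"] == 11 and on_removable(e["target"]):
            key = (e["image"], volume_of(e["target"]))
            writes.setdefault(key, []).append(datetime.fromisoformat(e["ts"]))
    alerts = []
    for (image, vol), times in writes.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                alerts.append({"rule": "bulk_staging_to_removable", "image": image, "volume": vol,
                               "count": hi - lo + 1, "first": times[lo].isoformat()})
                break  # one alert per (process, volume) is enough
    return alerts


def run_all(events):
    return (rule_pe_written_to_removable(events)
            + rule_rundll32_from_removable(events)
            + rule_bulk_staging(events))


if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print(alert)
```

Each rule on its own is noisy on a machine where USB use is legitimate; the value is in the combination, since a PE landing on a removable volume followed by rundll32.exe loading from that same volume and then a burst of writes back to it is the full ferry-in, execute, ferry-out cycle the post describes. On a quarantine machine that is supposed to scan USB devices before they reach the air gap, the first rule alone should already be actionable.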