Sednit uses USB-spreading malware to attack computers outside the Internet

Next story

ESET® researchers in Montreal have uncovered another activity of the Sednit cyber-espionage group that allows them to attack physically isolated computers. A month after ESET researchers informed on WeLiveSecurity.com about Sednit using custom exploit kits to attack various institution in Eastern Europe, they warn about Win32/USBStealer, a tool that enables the cyber-criminals to attack computers outside the Internet using removable media. Detailed blog post on USBStealer is available on ESET’s WeLiveSecurity.com.
ESET detect this tool as Win32/USBStealer, attacking physically isolated PCs or so called ‘air-gapped’ computers to gain access to specific files. According to ESET researchers, Sednit has been using this tool for almost ten years with various degrees of complexity.
Infection is transferred from initial computer (Computer A) with the Internet connection to the target Computer B using USB device.

“Computer A is initially infected with the Win32/USBStealer dropper and it tries to mimic a legitimate Russian program called USB Disk Security, to monitor insertion of removable drives, “ explains Joan Calvet in his blog post on WeLiveSecurity.com.


When USB drive is inserted, dropper decrypts two of its resources in memory. The first one drops the program Win32/USBStealer onto the removable drive under the name “USBGuard.exe”. The second resource is an AUTORUN.INF file which, after the infected USB is inserted into target computer with enabled AutoRun, allows Win32/USBStealer to installs itself and executes different steps to gaining access to specific files from Computer B placed in “air-gapped” network.

“The names of the searched files by the automatic extraction procedure indicate very precise knowledge of the targets,” adds Joan Calvet.


In the last period, the Sednit cyber-espionage group has been responsible for several pieces of cyber-espionage acts. Last month ESET discovered that the Sednit group was performing watering-hole attacks using a custom-built exploit kit, only three weeks ago both Trend Micro: Operation Pawn Storm and FireEye: APT28 published their reports – signaling increasing activity of this group in region of Easter Europe.
The latest findings of ESET researchers on USBStealer is available on WeLiveSecurity.com.


About ESET

Since 1987, ESET® has been developing record award-winning security software that now helps over 100 million users to Enjoy Safer Technology. Its broad security product portfolio covers all popular platforms and provides businesses and consumers around the world with the perfect balance of performance and proactive protection. The company has a global sales network covering 180 countries, and regional offices in Bratislava, San Diego, Singapore and Buenos Aires. For more information visit www.eset.com or follow us on LinkedInFacebook and Twitter.