Malware attacks facilitated by USB drives have grown threefold during the first six months of 2023, with the Sogu and Snowydrive campaigns by Chinese cyberespionage threat operation TEMP.HEX and UNC4698, respectively, being the most notable, reports BleepingComputer.
The more aggressive of the two was the Sogu malware campaign, which has impacted organizations in the U.S., China, the U.K., and other parts of the world, with most attacks targeting the pharmaceutical, IT, and energy sectors, according to a Mandiant report.
Attacks by TEMP.HEX have involved the Korplug payload, which loads Sogu into memory; Sogu then scans for files containing valuable data, executes commands and files, captures screenshots, and performs keylogging.
Meanwhile, oil and gas entities in Asia have been targeted by the Snowydrive campaign, which involved the distribution of a backdoor that enabled arbitrary payload execution via the Windows command prompt.
Once targets have been lured to launch an executable on a USB drive, Snowydrive malware components that have different roles in the attack process are then extracted and executed.
Since PIXHELL requires no specialized audio equipment, threat actors could leverage social engineering and software supply chain attacks to distribute malware that triggers the covert exfiltration channel, creating an acoustic channel for the data.
Russian state-sponsored threat group Coldriver has been suspected by the Free Russia Foundation of being behind the intrusion, which involved the targeting of several entities to exfiltrate internal documents, grant reports, and other correspondence in retaliation against pro-democracy Russians.
Simultaneous target infiltration and reconnaissance, network compromise, and data exfiltration activities have been performed by Clusters Alpha, Bravo, and Charlie, respectively.