Hackers weaponised secure USB drives to target air-gapped networks

A cyber-espionage group is targeting a specific type of secure USB drive created by a South Korean defence company in a bid to gain access to its air-gapped networks.

According to a blog post by researchers at Palo Alto Networks, this attack was carried out by a group called Tick, which conducts cyber-espionage activities targeting organisations in Japan and Korea.

Researchers said that weaponisation of a secure USB drive is an uncommon attack technique and was likely done in an effort to spread to air-gapped systems, which are normally not connected to the internet.

They added that the malware used in these attacks will only try to infect systems running Microsoft Windows XP or Windows Server 2003. This is despite the fact that the malware appears to have been created when newer versions of Windows software were available.

Researchers said this indicated intentional targeting of older, out-of-support versions of Microsoft Windows installed on systems with no internet connectivity.

The USB stick installs a program called "SymonLoader" as a trojanised version of a Japanese-language Go game. It then extracts a hidden executable file from a specific type of secure USB drive and executes it on the compromised system.

According to researchers, if SymonLoader finds it is on a Windows XP or Windows Server 2003 system and finds that a newly attached device is a USB drive made by this particular company, then it will extract an unknown executable file from the USB. 

Researchers said that while the identity of the file SymonLoader writes to the USB is unknown, they know enough about it to know it is malicious.

“In contrast to HomamLoader, which requires an Internet connection to reach its C2 server to download additional payloads, SymonLoader attempts to extract and install an unknown hidden payload from a specific type of secure USB drive when it's plugged into a compromised system. This technique is uncommon and hardly reported among other attacks in the wild,” said researchers.

Javvad Malik, security advocate at AlienVault, told SC Media UK that this particular attack bears all the signs of a very specific targeted attack designed to infect particular institutes or machines - not too dissimilar to Stuxnet. 
 
“Employees that work in sensitive organisations that have air-gapped networks should be particularly vigilant against plugging in devices. In some cases, even approved USB drives should be tested in a separate environment prior to being loaded in secure areas,” he said.
 
“Prevention aside, critical systems should have threat detection controls that can alert where an infected drive has been plugged into an endpoint and take remedial steps beyond raising an alarm, such as isolating an infected machine from the rest of the network.”

Scott Walker, senior solutions engineer at Bomgar, told SC Media UK that with certain state-sponsored hacking groups' focus on the military, financial and energy sectors, it is paramount that these organisations deploy solutions that help prevent these attacks. 

“Integrating regular and up to date security training to educate employees will ensure they are aware of the most recent tactics used to target systems and what can be done to prevent these. In addition, implementing solutions to ensure that employees only have access to areas of the network and devices that their role requires can mitigate these types of attacks. This sounds simple, but in reality, it is an area often overlooked,” he said.
