SOGU malware propagates via infectious USB flash drives

July 27, 2023
SOGU Malware Infected USB Flash Drives

A new cybercriminal operation that spreads the SOGU malware uses compromised flash drives to infect targets and steal critical information. Malicious USB drives remain a common way for cybercriminals and wannabe hackers to distribute malware.

Based on reports, several malware operations utilised this strategy to steal information during the first half of this year. Moreover, these campaigns overlap in the tactics they execute.

One bad USB campaign that deployed the SOGU malware came from a China-backed threat group. 

According to investigations, the Chinese cyberespionage group, TEMP[.]Hex has utilised the malicious USB to deploy the SOGU malware against the public and private sectors in the United States, Asia, and Europe. 

The hostile flash drive carries multiple malicious components and uses a DLL hijacking technique to load the final payload into the memory of infected systems.

Once executed, the SOGU malware can open a reverse shell, record keystrokes, capture screenshots, and establish remote desktop connections to run additional files. The threat actors then exfiltrate the stolen information to the command-and-control server through a custom binary protocol over TCP, UDP, or ICMP.

This operation targets various industries, including engineering, government, retail, pharmaceutical, media, construction, and manufacturing. 

Another malicious campaign, called SNOWYDRIVE, employs the same compromised USB tactic. In this case, however, the threat actors lure the victim into clicking a file placed in the root folder of the USB drive.

The infection chain starts when that file is executed, which leads to the download of the shellcode-based malware SNOWYDRIVE.

The malware copies itself to removable drives attached to a compromised system and supports operations such as uploading files, writing or deleting files, and executing reverse shell commands.

Cybersecurity experts urge organisations to prioritise access restrictions on USB devices, or to scan drives thoroughly for malicious files before connecting them to networked systems. Furthermore, organisations need greater visibility into such campaigns to mitigate threats at the initial stage.
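As an added illustration of the scanning step recommended above (example code written for this article, not a tool from the reporting), the script below walks a mounted removable drive and flags the two layout traits the infection chains described here share: a clickable lure at the drive root, and a directory that pairs an executable with DLLs, the arrangement a DLL side-loading loader depends on. The sample drive layout, file names and heuristics are constructed assumptions for demonstration.

```python
import os
import tempfile
from pathlib import Path

# File types a victim is typically lured into double-clicking (assumption).
LURE_EXTS = {".lnk", ".exe", ".scr"}


def triage_removable_drive(root):
    """Walk a mounted drive and return sorted (indicator, relative_path) pairs.

    Heuristics (constructed for this example, not from the article):
      * "root-lure": a .lnk/.exe/.scr sitting at the drive root;
      * "exe-dll-pair": an .exe stored in a directory that also holds .dll files,
        which is the layout DLL side-loading needs to work.
    """
    root = Path(root)
    findings = []
    for dirpath, _, filenames in os.walk(root):
        d = Path(dirpath)
        names = [Path(f) for f in filenames]
        exes = [n for n in names if n.suffix.lower() == ".exe"]
        dlls = [n for n in names if n.suffix.lower() == ".dll"]
        if d == root:
            for n in names:
                if n.suffix.lower() in LURE_EXTS:
                    findings.append(("root-lure", n.as_posix()))
        if exes and dlls:
            for e in exes:
                rel = (d / e).relative_to(root).as_posix()
                findings.append(("exe-dll-pair", rel))
    return sorted(findings)


def build_constructed_drive():
    """Create a throwaway directory mimicking a lure-plus-loader USB layout (constructed sample)."""
    tmp = Path(tempfile.mkdtemp(prefix="usb_sample_"))
    (tmp / "Documents.lnk").write_bytes(b"")              # lure at the drive root
    stash = tmp / "stash"                                 # out-of-sight directory
    stash.mkdir()
    (stash / "viewer.exe").write_bytes(b"MZ")             # benign-looking host binary
    (stash / "helper.dll").write_bytes(b"MZ")             # DLL loaded from beside it
    (tmp / "photos").mkdir()
    (tmp / "photos" / "trip.jpg").write_bytes(b"\xff\xd8")  # ordinary file, must not fire
    return tmp


if __name__ == "__main__":
    for indicator, path in triage_removable_drive(build_constructed_drive()):
        print(f"{indicator:14} {path}")
```

Point `triage_removable_drive()` at a real mount point (for example `E:\` or `/media/usb`) to run it against an actual drive; a hit is a reason to inspect, not proof of infection.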

Organisations can achieve high-quality defences against such attacks by employing a robust, automated threat intelligence platform (TIP) that delivers real-time tactical and technical details of an attack.
