Malware analysis

USBCulprit malware: What it is, how it works and how to prevent it

Greg Belding
September 10, 2020 by
Greg Belding

Introduction 

Info stealers have been a part of the attacker arsenal since the early days of malware. Less common is a malware that can steal information from an air-gapped system, and even less common is an info stealer that specifically targets governments. This may sound like it was taken from a James Bond movie, but it is malware reality. 

Meet USBCulprit, an info stealer that is able to jump air gaps and steal information from any system it is connected to. This article will detail the specifics of USBCulprit and explore what it is, how it works and how to prevent it.

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

What is USBCulprit?

USBCulprit is an info stealer that has been observed using removable devices, specifically USB flash drives, to reach air-gapped systems and exfiltrate information with its extensive tool set. While USBCulprit was only recently discovered by researchers, its code indicates that it has been worked on since 2014. 

The attack group that operates it is Cycldek, otherwise known as Goblin Panda and Conimes and known to be based out of China. This malware targets government entities: its targets so far have been the Southeast Asian nations of Vietnam, Laos and Thailand. Known by the cybersecurity community since 2013, Cycldek is known for decoy documents exploiting Microsoft Office vulnerabilities as well as its malware dropping a remote access Trojan named NewCore RAT. USBCulprit works hand-in-hand with NewCore RAT, which will be explained in more detail later.

The brunt of an attack from USBCulprit is that the malware is capable of scanning multiple paths on an infected system. It looks for the following:

  • .doc
  • .docx
  • .pdf
  • .xls
  • .xlsx
  • .ppt
  • .pptx
  • .wps
  • .rtf

After one or more files with these paths are discovered, it exports what it finds to a connected USB drive. USBCulprit can also selectively copy itself to any other removable drives, allowing it to move laterally to other isolated or air-gapped systems when said USB drive is plugged into another air-gapped machine.

How USBCulprit works

The infection of air-gapped systems is the most striking of this malware’s capabilities, but it’s not where the USBCulprit infection story begins. This malware infects computers originally as malicious RTF attachments to emails of political interest that are boobytrapped with malware. When the user downloads this RTF document and the system becomes compromised, the system becomes infected with NewCore RAT.

NewCore RAT consists of two cores, RedCore and BlueCore, and both “core” components (pardon the pun) download USBCulprit. It takes root in the compromised machine as a side-loaded DLL which is implanted onto signed, legitimate applications. Once the USBCulprit infection has taken, it begins a three-stage attack:

  1. Data scanning and recon
  2. Data exfiltration
  3. Lateral movement

Data scanning and recon

In this stage, USBCulprit hides file extensions (and ensures the user cannot view hidden files) by modifying registry keys with its CUSB::RegHideExt and CUSB::RegHideFile functions. This malware then scans the compromised system to find files to steal by scanning for the list of file extensions listed above with its CUSB::USBFindFile function. 

These files are then grouped into RAR archives, encrypted and will be used in the later stages. This stage can be thought of as the information gathering phase.

Data exfiltration

Also known as the information stealing phase, here is where USB drives really come in handy for USBCulprit. It intercepts when new media becomes connected and is capable of verifying that the drive is removable. If it detects that the drive is a USB, the malware then decides whether to copy those RAR archives mentioned above to it or to use the USB drive as another source of information to steal. 

It then searches the drive for a directory called $Recyc1e.Bin. If it does not yet exist, it will create the directory. This becomes the target path for the stolen information to be stored in on the USB drive.

Lateral movement

In this last stage, USBCulprit focuses on lateral movement within the environment of the compromised machine. To do this, it looks for a marker file called 2.txt; if discovered, it will decide if lateral movement should occur or not. 

Other capabilities of USBCulprit that can aid it in lateral movement include updating itself, extending execution with the help of executing predefined files on the USB and hosting network information that is exfiltrated to attackers, along with the information to allow the operators to determine if the network the compromised machine was on was indeed isolated.

How to prevent USBCulprit

There are currently no known security programs which can block USBCulprit from stealing data. This is due to the relative newness of the malware’s discovery. The best way to prevent it is to update your organization’s standard of USB. It is also (as always) sage advice to not insert unknown USBs into your system, including that USB you found in the parking lot this week.

For those interested in the indicators of compromise for USBCulprit, they are presented below:

A9BCF983FE868A275F8D9D8F5DEFACF5 USBCulprit Loader

C73B000313DCD2289F51B367F744DCD8 USBCulprit Loader

2FB731903BD12FF61E6F778FDF9926EE USBCulprit Loader

4A21F9B508DB19398AEE7FE4AE0AC380 USBCulprit Loader

6BE1362D722BA4224979DE91A2CD6242 USBCulprit Loader

7789055B0836A905D9AA68B1D4A50F09 USBCulprit Loader

782FF651F34C87448E4503B5444B6164 USBCulprit Loader

88CDD3CE6E5BAA49DC69DA664EDEE5C1 USBCulprit Loader

A4AD564F8FE80E2EE52E643E449C487D USBCulprit Loader

3CA7BD71B30007FC30717290BB437152 USBCulprit Payload

58FE8DB0F7AE505346F6E4687D0AE233 USBCulprit Payload

A02E2796E0BE9D84EE0D4B205673EC20 USBCulprit Payload

D8DB9D6585D558BA2D28C33C6FC61874 USBCulprit Payload

2E522CE8104C0693288C997604AE0096 USBCulprit Payload

Conclusion

The USBCulprit malware is an info stealer that is capable of using USB flash drives to circumvent network isolation in order to infect air-gapped computers. This malware has so far only targeted governments in Southeast Asia, most notably Vietnam. It steals information by scanning infected systems for certain file extensions and then exfiltrates the information it wants to a hidden directory on a connected USB drive. 

 

Sources

  1. Malware uses USBs to help steal data: report, BankInfoSecurity
  2. USBCulprit malware targets air-gapped systems to steal govt info, Bleeping Computer
  3. New USBCulprit espionage tool steals data from air-gapped computers, The Hacker News
Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.