Security researchers have discovered USB-based Sogu spyware spreading across European and US companies’ African operations.
For much of the cybersecurity industry, malware spread via USB drives represents the singular hacker threat of the past decade or the decade before that. But a group of China-backed spies appear to have discovered that global organizations with employees in the developing world are still stuck in a technological past, where thumb drives spread like business cards and Internet cafes are far from dead. Over the past year, espionage-focused hackers have exploited this geographical time warp to bring retro USB malware back to dozens of victims’ networks.
Speaking at the mWise security conference today, researchers from cybersecurity firm Mandiant revealed that since the beginning of last year, a China-linked hacking group tracked as UNC53 has compromised at least 29 organizations around the world using the old-fashioned method of tricking employees into plugging a malware-infected USB drive into a computer on the corporate network. While the victims are spread across the United States, Europe and Asia, Mandiant said many of the infections appear to have originated in the multinational organizations’ operations in Africa, including Egypt, Zimbabwe, Tanzania, Kenya, Ghana and Madagascar. In some cases, the malware (actually several variants of a more than decade-old strain called Sogu) appears to have spread indiscriminately via USB flash drives from shared computers in print shops and internet cafes, infecting computers in a wide data dragnet.
Mandiant researchers say the campaign represents a surprisingly effective resurgence of thumb-drive-based hacking, which has largely been replaced by more modern techniques such as phishing and remote exploitation of software vulnerabilities. “USB infections are back,” said Mandiant researcher Brendan McKeague. “In today’s globally distributed economy, an organization may be headquartered in Europe, but they have remote workers all over the world, such as in Africa. In many cases, places like Ghana or Zimbabwe are the infection point for these USB-based intrusions.”
The malware discovered by Mandiant is known as Sogu, sometimes referred to as Korplug or PlugX, and has been used in non-USB forms by a large number of mainly China-based hacking groups for more than a decade. For example, the remote access Trojan was present in China’s infamous 2015 breach of the U.S. Office of Personnel Management, and the Cybersecurity and Infrastructure Security Agency warned that the Trojan was used again in a massive espionage campaign in 2017. In 2022, Mandiant began seeing new versions of the Trojan pop up repeatedly in incident response investigations, and each time the infections were traced back to Sogu-infected USB thumb drives.
Since then, Mandiant has seen the USB hacking campaign escalate, infecting new victims as recently as this month across the consulting, marketing, engineering, construction, mining, education, banking and pharmaceutical sectors, as well as government agencies. Mandiant found that in many cases, infections were picked up from shared computers in internet cafes or print shops and spread from machines such as the public internet access terminals at Robert Mugabe Airport in Harare, Zimbabwe. “This is an interesting case if the intended point of infection for UNC53 is where people are traveling across Africa and potentially even spreading the infection internationally outside of Africa,” said Mandiant researcher Ray Leong.
Leong noted that Mandiant could not determine whether any such location was an intentional site of infection or “just another stop as the activity spreads throughout a given region.” It was unclear whether the hackers were trying to use access to a multinational company’s operations in Africa to attack the company’s operations in Europe or the United States. In at least some cases, spies appear to be focused on African operations themselves, given China’s strategic and economic interests on the continent.
The new Sogu campaign’s method of spreading USB infections appears to be a particularly indiscriminate form of espionage. But McKeague and Leong said that, like the software supply chain attacks or watering hole attacks that China’s state-sponsored spies have repeatedly carried out, this approach could allow hackers to cast a wide net and then filter for specific high-value targets. They also believe this means the hackers behind the campaign likely have significant manpower to “sort and triage” the data they steal from victims to find useful intelligence.
The Sogu USB malware uses a series of simple but clever tricks to infect a machine and steal its data, in some cases even reaching “air-gapped” computers that have no internet connection. When an infected USB drive is plugged into a system, it does not autorun, since most modern Windows computers disable autorun for USB devices by default. Instead, it attempts to trick the user into running the executable file on the drive by naming the file after the drive itself, or, if the drive has no name, after the more generic “removable media”, a ruse designed to get the user to unthinkingly click on the file when they try to open the drive. The Sogu malware then copies itself to a hidden folder on the computer.
On a regular internet-connected computer, the malware sends a beacon to a command-and-control server and then starts accepting commands to explore the victim computer or upload its data to that remote server. It also copies itself to any other USB drive plugged into the PC to continue its machine-to-machine propagation. If a variant of the Sogu USB malware finds itself on an air-gapped computer, it first attempts to turn on the victim’s Wi-Fi adapter and connect to the local network. If that fails, it places the stolen data in a folder on the infected USB drive itself, where it waits until the drive is plugged into an internet-connected computer, from which the stolen data can be sent to the command-and-control server.
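As an added example (not code from the article or from Mandiant), the following Python heuristic shows how a defender could check a removable-drive listing for the naming lure described above: an executable named after the volume label, or after a generic “removable media” name when the drive is unnamed, alongside hidden root entries. The listing format, the generic names and the sample drives are constructed assumptions, not observed samples.

```python
import os

# Extensions a lure file would need to be double-click executable on Windows.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif"}
# Assumed fallback names used when the drive has no label (constructed list).
GENERIC_NAMES = {"removable media", "removable disk"}


def lure_findings(volume_label, entries):
    """Return (name, reason) pairs for root-level entries matching the lure.

    entries: list of (name, is_dir, is_hidden) tuples, as a listing tool
    would report them (constructed format for this example).
    """
    label = volume_label.strip().lower()
    findings = []
    for name, is_dir, is_hidden in entries:
        stem, ext = os.path.splitext(name)
        stem_l, ext_l = stem.strip().lower(), ext.lower()
        if not is_dir and ext_l in EXEC_EXTENSIONS:
            if label and stem_l == label:
                findings.append((name, "executable named after volume label"))
            elif stem_l in GENERIC_NAMES:
                findings.append((name, "executable named like generic removable media"))
        if is_hidden:
            # Hidden root entries on a thumb drive deserve a second look.
            findings.append((name, "hidden root entry on removable media"))
    return findings


def scan_constructed_drives():
    """Run the heuristic over two constructed listings; returns label -> findings."""
    drives = {
        "KINGSTON": [("KINGSTON.exe", False, False),
                     ("KINGSTON", True, True),
                     ("report.docx", False, False)],
        "": [("Removable Media.exe", False, False),
             ("photos", True, False)],
    }
    return {label or "<unnamed>": lure_findings(label, listing)
            for label, listing in drives.items()}


if __name__ == "__main__":
    for label, hits in scan_constructed_drives().items():
        print(label, "->", hits or "clean")
```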
Sogu’s focus on espionage and the relatively high number of USB-based infections is unusual for 2023. Its USB spread is more reminiscent of tools like the NSA-created Flame malware, which was discovered targeting air-gapped systems in 2012, or even the Russian Agent.btz malware discovered within Pentagon networks in 2008.
Surprisingly, however, researchers say the Sogu campaign is just part of a broader USB malware resurgence that Mandiant has uncovered in recent years. For example, in 2022, they saw a significant increase in infections with a cybercrime-focused USB malware called Raspberry Robin. Just this year, they discovered that another USB-based spy malware called Snowydrive was used in seven network intrusions.
All this means, according to McKeague and Leong, that network defenders shouldn’t fool themselves into thinking USB infections are a solved problem, especially in global networks that include those operating in developing countries. They should be aware that state-sponsored hackers are conducting active espionage campaigns through these USB sticks. “In North America and Europe, we think this is an ancient infection vector that has been locked down,” Leong said. “But exposures in other areas have been targeted as well. It’s still relevant and it’s still being exploited.”