The Sednit espionage group, also known as the Sofacy group, APT28 or “Fancy Bear”, has been targeting various institutions for many years. We recently discovered a component the group employed to reach physically isolated computer networks — “air-gapped” networks — and exfiltrate sensitive files from them through removable drives.
Last month ESET discovered that the Sednit group was performing watering-hole attacks using a custom-built exploit kit. Over the last few weeks several pieces of intelligence have been shared on this group, including the Operation Pawn Storm report from Trend Micro and the APT28 report from FireEye.
In this blog post, we are sharing knowledge of a tool employed to extract sensitive information from air-gapped networks. ESET detects it as Win32/USBStealer.
We believe the Sednit group has been using this tool at least since 2005, and is still using it today against their usual types of target, namely governmental institutions in Eastern Europe. Several versions of the tool have been employed over the past few years, with various degrees of complexity.
A common security measure for sensitive computer networks is to have them totally isolated from the outside world via an “air gap”. As the name implies, these networks do not possess any direct, outside connections to the Internet.
However, the use of removable drives can create paths to the outside world. This is particularly true when the same removable drive is repeatedly plugged into both Internet-connected machines and air-gapped machines, such as when transferring files.
This is the scenario that is exploited by Win32/USBStealer in order to reach air-gapped networks. The following image presents a high-level overview of this strategy in the simple case of just two computers. Computer A is connected to the Internet and is initially infected with the Win32/USBStealer dropper, whereas Computer B is physically isolated and becomes infected with Win32/USBStealer during the attack.
In this scenario the same removable drive goes back and forth between the Internet-connected Computer A and the air-gapped Computer B. We now explain each step of this attack in more detail, focusing on the most complex version of Win32/USBStealer observed.
Computer A is initially infected with the Win32/USBStealer dropper, detected as Win32/USBStealer.D by ESET. The dropper file name is USBSRService.exe, and it tries to mimic a legitimate Russian program called USB Disk Security, as shown below.
The main logic of the dropper is as follows:
shell\open\command="System Volume Information\USBGuard.exe" install
Overall, the dropper takes great care not to attract attention. For example, both the AUTORUN.INF and USBGuard.exe files have their last-access and last-write timestamps set to those of a standard Windows library chosen on the system. Also, the two decrypted resources are immediately re-encrypted in memory after having been dropped on the removable drive. Finally, all dropped files are set with hidden and system file attributes, to help ensure that they will remain undetected by casual users.
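A small triage helper, added here and not part of ESET's analysis or of the malware, that checks a removable drive for the two traits just described: an AutoRun entry launching a program out of "System Volume Information", and files whose timestamps exactly match those of a Windows library. The sample AUTORUN.INF (built around the line quoted above) and the drive listing are constructed; the timestamp maps are whatever the caller collects with os.stat.

```python
import re

# Constructed AUTORUN.INF built around the dropper's own line quoted in the post.
SAMPLE_AUTORUN = """[AutoRun]
shell\\open\\command="System Volume Information\\USBGuard.exe" install
shell\\open=Open
"""
_SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_KEYVAL = re.compile(r"^\s*([^=;]+?)\s*=\s*(.*?)\s*$")

def parse_autorun(text):
    """Parse AUTORUN.INF into {section: {key: value}}; names case-folded as Windows ignores case."""
    sections, current = {}, None
    for line in text.splitlines():
        if m := _SECTION.match(line):
            current = sections.setdefault(m.group(1).lower(), {})
        elif current is not None and (m := _KEYVAL.match(line)):
            current[m.group(1).lower()] = m.group(2)
    return sections

def launched_program(value):
    """Return the executable path from a command value such as '"dir\\prog.exe" install'."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""

def autorun_findings(text):
    """Return (severity, key, program) for each AutoRun key that launches a program;
    'high' when the program sits in System Volume Information, the dropper's hiding spot."""
    findings = []
    for key, value in parse_autorun(text).get("autorun", {}).items():
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            program = launched_program(value)
            hidden = program.lower().startswith("system volume information\\")
            findings.append(("high" if hidden else "medium", key, program))
    return findings

def timestomp_suspects(drive_files, library_times):
    """Flag drive files whose (mtime, atime) equals a Windows library's, the timestamp-copying
    trick the dropper applies; both maps are path -> (mtime, atime) in whole epoch seconds."""
    by_times = {times: lib for lib, times in library_times.items()}
    return [(path, by_times[t]) for path, t in drive_files.items() if t in by_times]

# Constructed drive listing and reference library timestamps for a dry run.
SAMPLE_DRIVE = {"AUTORUN.INF": (1262304000, 1262304000),
                "System Volume Information\\USBGuard.exe": (1262304000, 1262304000),
                "budget.xlsx": (1415000000, 1415100000)}
SAMPLE_LIBS = {"C:\\Windows\\System32\\kernel32.dll": (1262304000, 1262304000)}
```

An exact match of both timestamps against a system DLL is a strong signal on a removable drive, since user files almost never share a library's write and access times to the second.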
When the USB drive is inserted into Computer B, which has AutoRun enabled, Win32/USBStealer installs itself. It then enumerates all drives connected to the machine and, depending on the drive's type, executes different logic:
Computer B also keeps track of the drive locally by recording its hardware ID. Thus, even if desktop.in is removed from the drive by the user, Computer B will remember that this drive can be used as a path to the outside.
The purpose of this step is to group interesting files from all these drives in the same local directory. The actual exfiltration will happen the next time the “marked” removable drive gets inserted into Computer B. “Interesting files” are here defined as:
| | List 1 | List 2 |
|---|---|---|
| Possible period of use | 2005 | 2011-2014 |
| File names searched for | Win32Negah.dll | |
The possible period of use corresponds to the compilation timestamps of the files containing these lists.
We found very few references to most of these file names on the Internet, probably because they belong to private software. Interestingly, Talgar (from "talgar.exe") is a town in the Almaty Province of southeastern Kazakhstan.
The malware searches for these files everywhere on the machine, except in folders matching the following antivirus names: Symantec, Norton, McAfee, ESET Smart Security, AVG9, Kaspersky Lab and Doctor Web.
The malware operators collect, from the drive, the computer name that Computer B has registered on it. As the dropper running on Computer A does not implement anything more than what we previously described, the operators presumably have another malicious component running on Computer A to carry out this step.
Then, the operators drop commands for Computer B onto the removable drive, in an encrypted file named "COMPUTER_NAME.in".
When the removable drive is plugged back into Computer B, Win32/USBStealer drops onto it the files grouped during the automatic exfiltration procedure described in step 2, above. The next time the removable drive is connected to Computer A, the operators will be able to grab these "air-gapped" files.
Win32/USBStealer then decrypts the command file dropped by the operators for Computer B. The file contains a series of commands that are executed in sequence; each command is a two-byte number followed by a parameter.
| Command | Parameter | Action |
|---|---|---|
| 0x0001 | Windows path | Copies files matching the path to the removable drive |
| 0x0002 | Root = Path = Day | Copies files whose path matches "Root\Path*" to the removable drive, but only if they have been modified less than Day days ago |
| 0x0003 | Root = Path = Day | Same as command 0x0002, but the parameter is also written to the startup monitoring file (see paragraph below) |
| 0x0004 | Should be set to "!" | Launches the automatic exfiltration function (see step 2) on all connected drives |
| 0x0005 | None | Removes the startup monitoring file (see paragraph below) |
| 0x0006 | Windows path | Executes a copy of the file pointed to by the parameter under the name "taskrel.exe" |
| 0x0007 | None | Removes the file named "taskrel.exe" |
| 0x0008 | Root = Path = Day | Writes the names of files matching "Root\Path*" to the removable drive, in a file named "inres.in", but only if they have been modified less than Day days ago |
| 0x0009 | None | Removes the file named "inres.in" |
Commands 0x0003 and 0x0005 refer to the startup monitoring file, which is stored locally on Computer B and contains file patterns in the format "Root = Path = Day". Each time the machine boots, command 0x0002 is executed on these patterns, which allows long-term monitoring for files of interest.
Command 0x0008 serves as a means of discovering possibly interesting files. We can speculate that operators start with command 0x0008, and then run commands 0x0002 or 0x0003 to collect files of possible interest.
For all commands that copy files to removable drives there is a fallback mechanism. In case the copy fails, for example because write access to the drive is not granted, the files will be grouped in a local directory instead. They will be copied onto the next Internet-capable drive that gets connected to the machine.
Win32/USBStealer shows the high level of determination of its operators, the Sednit group. Here are some surprising things discovered during the investigation:
Some open questions remain; for example, it is currently unclear how the initial infection occurred. We can speculate that the classic spear-phishing technique was used. It should be noted that the recent FireEye report on this group describes a spear-phishing campaign using the topic "USB Disk Security is the best software to block threats that can damage your PC or compromise your personal information via USB storage."
In the attack scenario we described, Computer A has to be already controlled by the miscreants. The Win32/USBStealer dropper does not have the ability to communicate over the Internet, so we can speculate that there are other malicious components running on this machine.
| SHA1 | Purpose | ESET Detection Name |
|---|---|---|
Author: Joan Calvet, ESET