APT X - USBFerry

APT X is a threat actor group targeting air-gapped networks in Taiwan and the Philippines, primarily for information theft and espionage. They utilize a USB malware called USBferry to exfiltrate data from military and government organizations by exploiting vulnerabilities in physically isolated systems. The malware has evolved through several versions since 2014, employing sophisticated techniques to maintain stealth and execute commands on compromised hosts.
APT X’s USBferry Targets Air-Gapped Networks

APT X, a threat actor group that targets government, military, healthcare, transportation, and high-tech industries in Taiwan, the Philippines, and Hong Kong, has been active since 2011. The group was reportedly using spear-phishing emails with weaponized attachments to exploit known vulnerabilities. Primarily motivated by information theft and espionage, the group has also been seen adopting different strategies such as fine-tuning tools with new behaviors and going mobile with surveillanceware.

We found that APT X’s latest activities center on targeting the Taiwanese and Philippine militaries’ physically isolated networks through a USBferry attack (the name is derived from a sample found in related research). We also observed targets among military/navy agencies, government institutions, military hospitals, and even a national bank. The group employs USBferry, a USB malware that performs different commands on specific targets, maintains stealth in environments, and steals critical data through USB storage. We started tracking this particular campaign in 2018, and our analysis shows that it uses a fake executable decoy and a USB trojan strategy to steal information.

Based on data from the Trend Micro™ Smart Protection Network™ security infrastructure, USBferry attacks have been active since 2014. We found the group was focused on stealing defense-, ocean-, and ship-related documents from target networks, which led us to believe that APT X’s main purpose is to exfiltrate confidential information or intelligence.

Figure 1: A sample scenario of the USBferry attack

APT X is well aware that military or government organizations may have more robust security in their physically isolated environments (i.e., the use of biometrics, or USB use in a quarantined machine before an air-gapped environment). The group then targets potentially unsecured related organizations that could serve as jumping-off points for attacks. For instance, we observed APT X move from a military hospital to the military’s physically isolated network.

A USB malware called USBferry

We first encountered the malware in a PricewaterhouseCoopers report that mentioned a sample related to APT X but did not include a detailed analysis. We looked into it further and discovered many versions of it, including several program database (PDB) strings. For one thing, the USBferry malware already has at least three versions, with different variants and components, at the time of writing. Here are the noteworthy points we gathered during analysis:

● The first version has a small component of TROJ_YAHOYAH. The malware tries to check if the target machine has a USB plug-in and copies the USBferry installer into the USB storage. The activities vary in target environments; some execute commands, source target files or folder lists, and copy files from physically isolated hosts to compromised hosts, among other things.

Figure 2: USBferry malware’s first version, where the EXE file is the USBferry malware and the DLL file is the trojan TROJ_YAHOYAH

● The second version has the same capabilities as the first and combines the components into one executable. This version also changes the malware location and its name to UF, an abbreviation for USBferry.

● The third version retains the previous versions’ capabilities and improves its stealth in the target environment by residing in rundll32.exe memory.

How USBferry targets air-gapped systems

APT X has changed the way it uses the abovementioned USBferry versions in attacks. The group achieves infection by employing the USB worm infection strategy and ferrying a malware installer via USB into an air-gapped host machine.

Figure 3: USBferry malware using the USB worm infection strategy

The notable changes in the group’s latest attack chain, which uses version UF1.0 20160226 (detected by Trend Micro as TROJ_USBLODR.ZAHB-A), are as follows:

1. The decoy file first drops a flash_en.inf DLL file, which is a USBferry loader, and tries to load the encrypted USBferry malware.
2. The encrypted USBferry malware is embedded in the loader’s resource section, and the loader drops it into the C:\Users\Public\Documents\Flash folder and names it flash.dat.
3. After the encrypted payload is loaded, the loader injects a malicious DLL into rundll32.exe. The USBferry malware also loads a C&C configuration file, flash_en.dat, which is also located in the C:\Users\Public\Documents\Flash folder.
4. The USBferry malware then tries to connect to the download site and uses a Windows command to collect/copy target host data.
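The attack chain above (the Flash folder drops and the rundll32.exe loader) and the USB worm step described under the first version both leave host telemetry a defender can hunt for. The following is an added example, not code from the report: a small Python hunt over constructed Sysmon-style events. The event shape, the caller-supplied set of removable drive letters, and every path other than the report's Flash folder artifacts are assumptions.

```python
import ntpath

# Artifacts named in the report's attack chain (UF1.0 20160226).
USBFERRY_DIR = r"C:\Users\Public\Documents\Flash"
USBFERRY_FILES = {"flash.dat", "flash_en.dat", "flash_en.inf"}
SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".inf")

# Constructed Sysmon-style events (id 11 = FileCreate, id 7 = ImageLoaded); the
# decoy/explorer/svchost paths are invented sample data, not from the report.
SAMPLE_EVENTS = [
    {"id": 11, "image": r"C:\Users\alice\Downloads\decoy.exe",
     "target": r"C:\Users\Public\Documents\Flash\flash.dat"},
    {"id": 11, "image": r"C:\Users\alice\Downloads\decoy.exe",
     "target": r"C:\Users\Public\Documents\Flash\flash_en.dat"},
    {"id": 7, "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"C:\Users\Public\Documents\Flash\flash_en.inf"},
    {"id": 11, "image": r"C:\Windows\explorer.exe", "target": r"E:\setup.exe"},
    {"id": 11, "image": r"C:\Windows\System32\svchost.exe", "target": r"C:\Windows\Temp\log.txt"},
]

def _same_dir(path, directory):
    return ntpath.normcase(ntpath.dirname(path)) == ntpath.normcase(directory)

def _under_system_dir(path):
    lowered = ntpath.normcase(path)
    return any(lowered.startswith(ntpath.normcase(d) + "\\") for d in SYSTEM_DIRS)

def classify(event, removable_drives=frozenset()):
    """Return the names of the hunt rules this event matches (empty list if none)."""
    hits = []
    target = event["target"]
    name = ntpath.normcase(ntpath.basename(target))
    image = ntpath.normcase(ntpath.basename(event["image"]))
    # Rule 1: the loader dropping its payload or config into the Flash folder.
    if event["id"] == 11 and _same_dir(target, USBFERRY_DIR) and name in USBFERRY_FILES:
        hits.append("usbferry_artifact_dropped")
    # Rule 2: rundll32.exe loading a module from outside the system directories
    # (the third version hides in rundll32.exe memory).
    if event["id"] == 7 and image == "rundll32.exe" and not _under_system_dir(target):
        hits.append("rundll32_loaded_nonsystem_module")
    # Rule 3: executable content written to a caller-supplied removable drive (USB worm step).
    drive = ntpath.splitdrive(target)[0].upper()
    if event["id"] == 11 and drive in removable_drives and name.endswith(EXECUTABLE_SUFFIXES):
        hits.append("executable_written_to_removable_media")
    return hits

def hunt(events, removable_drives=frozenset()):
    # (event index, rule name) pairs for every match in the event stream
    return [(i, r) for i, e in enumerate(events) for r in classify(e, removable_drives)]
```

Rule 3 only fires when the caller tells the hunt which drive letters are removable, since that fact is not in the file-create event itself.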