ESET discovers new USB-based data stealing malware
March 24, 2016
Shah Sheikh (1294 articles)

ESET discovers new USB-based data stealing malware

Tomáš Gardoň, a malware analyst at ESET, explains to We Live Security why a trojan, detected by ESET as Win32/PSW.Stealer.NAI – and dubbed USB Thief – is worth knowing about.

“The USB Thief is, in many aspects different from the more common malware types that we’re used to seeing flooding the internet,” Mr. Gardoň notes.

“This one uses only USB devices for propagation, and it does not leave any evidence on the compromised computer. Its creators also employ special mechanisms to protect the malware from being reproduced or copied, which makes it even harder to detect and analyze.

When reading about new malware, the first question that comes to mind is ‘What is the goal of its creator?’. What is your take on the USB Thief?

We can guess their intentions from the capabilities implemented in the malware. Because it is USB-based, the malware is capable of attacks on systems isolated from the internet. Another benefit of being run from a USB removable device is that it leaves no trace – victims don’t notice that their data has been stolen.

Another feature – and one that makes this malware unusual – is that not only it is USB-based, but it is also bound to a single USB device, since it is intended that the malware shouldn’t be duplicated or copied. This binding, combined with its sophisticated implementation of multi-staged encryption that is also bound to features of the USB device hosting it, makes it very difficult to detect and analyze.

Could you elaborate on reasons behind binding the malware to a particular device and encrypting it?

Traditionally, malware is often encrypted, and the obvious reason is that encryption prevents the malware from being detected or – if it gets detected – from being analyzed. In this case, encryption also serves the purpose of binding the malware to a particular device.


As for the reasons for binding to a particular device – this obviously makes it harder for the malware to spread but on the other hand it prevents it from leaking outside the target environment. And, given that the attack leaves no traces, the chances are that the malware won’t be spotted if kept on the USB device and wiped off the machine after completing its mission.

To sum up, to me it seems that this malware has been created for targeted attacks.

Malware capable of targeted attacks against systems isolated from the internet – it’s quite a dangerous tool, isn’t it?

Well, taking into account that organizations isolate some of their systems for a good reason … yes. Any tool capable of attacking these so called air-gapped systems must be regarded as dangerous. More so if it is able to disappear without leaving any trace.

How can organizations prevent attacks based on such malware from succeeding?


This malware is unique because of some particular features but the defense against it still falls within the capabilities of general cybersecurity measures.

Most importantly, USB ports should be disabled wherever possible and, if that’s not possible, strict policies should be in place to enforce care in their use. It’s highly desirable for staff at all levels to undergo cybersecurity training – including real-life testing – if possible …

… Not to get tricked into running the malware, right?

Unfortunately, this is not the case with the USB Thief as it uses an uncommon way to trick a user – it benefits from the fact that USB devices often store portable versions of some common applications like Firefox portable, Notepad++ portable, TrueCrypt portable and so on. It can be stored as a plugin source of portable applications or just a library – DLL – used by the portable application. And therefore, whenever such an application is executed, the malware will also be run in the background.

But people should understand the risks associated with dealing with USB storage devices from sources that may not be trustworthy. Several surveys have shown that people are surprisingly likely to insert every thumb drive they may find into their computers.

Of course, other means of protecting data should be also deployed – from perimeter protection to encryption to data backup.

When we talk about air-gapped systems, these may also be industrial systems, right? This malware is not that serious of a threat to industrial systems as it is only capable of stealing data …

Well, there are many ways in which bad guys could damage a system once they get into it. And this malware’s payload can be redesigned, moving away from data stealing to any other kind of malicious action.

Mr. Gardoň has delivered a technical analysis of the trojan here.

Source | WeLiveSecurity