USB Thief, the new USB-based data stealing Trojan

USB Thief, the new USB-based data-stealing Trojan discovered by ESET that relies on USB devices in order to spread itself and infect also air-gapped systems

Security researchers at ESET have discovered a new insidious data-stealer, dubbed USB Thief (Win32/PSW.Stealer.NAI), that relies on USB devices in order to spread itself.

USB Thief is able to infect air-gapped or isolated systems does not leave any trace of activity on the infected systems.

Malware authors have implemented special techniques mechanisms to protect USB Thief from being detected and analyzed. The authors also implemented an advanced multi-staged encryption process to protect the Trojan.

“The USB Thief is, in many aspects different from the more common malware types that we’re used to seeing flooding the internet,” wrote Tomáš Gardoň, a malware analyst at ESET.

“This one uses only USB devices for propagation, and it does not leave any evidence on the compromised computer. Its creators also employ special mechanisms to protect the malware from being reproduced or copied, which makes it even harder to detect and analyze.

The USB Thief Trojan malware can be stored either as a Dynamically Linked Library (DLL) used by the portable applications or as a portable application’s plugin source.

Mobile devices are usually used to store portable version of common applications like Firefox, TrueCrypt, and Notepad++. When victims launch the portable application the USB Thief runs in the background.

“Unfortunately, this is not the case with the USB Thief as it uses an uncommon way to trick a user – it benefits from the fact that USB devices often store portable versions of some common applications like Firefox portable, Notepad++ portable, TrueCrypt portable and so on.” continues the post.

The malware completely resides on the USB device, it doesn’t leave any trace of its presence. According to the experts at the ESET any tool that could be used to breach an air-gapped network must be taken into account.

“Well, taking into account that organizations isolate some of their systems for a good reason,” said Peter Stancik, the security evangelist at ESET. “Any tool capable of attacking these so called air-gapped systems must be regarded as dangerous.” “People should understand the risks associated with USB storage devices obtained from sources that may not be trustworthy.”

How can organizations prevent attacks based on USB Thief from succeeding?

Do not use USB storage devices from sources that may not be trustworthy.
Disable USB ports wherever possible.
Define strict policies to enforce care in the use of USB devices.
Train the staff on cyber threats.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – USB Thief, malware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.