USBferry

Description

(Trend Micro) USBferry has variants that perform different commands depending on specific targets; it can also combine capabilities, improve its stealth in infected environments, and steal critical information through USB storage.

Specific functions will be embedded in the trojan downloader to adopt the target environment. Our in-depth analysis found that when Tropic Trooper first penetrates the victim’s environment, they will use basic sourcing scripts to collect the host network’s topology, connection capability, and volume information. The second function uses USB storage to copy highly classified documents from the physically isolated environment. Moreover, this function copies certain files into the USB %RECYCLER% folder, monitors files’ modified time, and updates the newest one to the USB device. The last function will infiltrate the target’s internal machine with a customized Windows command and reverse backdoor malware.

Names

Name
USBferry

Category

Malware

Type

• Reconnaissance
• Backdoor
• Info stealer
• Exfiltration

Information

• https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments/
• https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf

Mitre Attack

• https://attack.mitre.org/software/S0452/

Malpedia

• https://malpedia.caad.fkie.fraunhofer.de/details/win.usbferry

Other Information

Uuid

0089ab73-bdcf-4834-ba12-4eb76d2dbd25

Last Card Change

2022-12-30