DOI: 10.1145/3487405.3487412
Research article

USBCulprit: USB-borne Air-Gap Malware

Published: 22 November 2021

Abstract

Air-gapped networks are disconnected from the Internet because of the sensitive data they store and process. Such networks are usually maintained by military organizations, defense industries, critical infrastructure operators, and others. Malware capable of jumping air-gaps is a rare finding. In June 2020, researchers at the security firm Kaspersky reported USBCulprit, an Advanced Persistent Threat (APT) that appears to be designed to reach air-gapped networks. The malware includes lateral movement, spreading, and data exfiltration mechanisms via USB thumb drives. We tested and reverse-engineered a sample of USBCulprit and investigated its internal design, modules, and techniques. In particular, we reviewed the data collection and air-gap exfiltration mechanisms. We also present a video clip showing the actual attack on our in-lab air-gapped network and discuss a set of defensive countermeasures. This analysis is important for the understanding and mitigation of USB-borne APTs.



        Published In

        EICC '21: Proceedings of the 2021 European Interdisciplinary Cybersecurity Conference
        November 2021
        97 pages
        ISBN:9781450390491
        DOI:10.1145/3487405
        Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Publication History

        Published: 22 November 2021

        Author Tags

        1. APT
        2. Air-gap
        3. USB
        4. covert channels
        5. exfiltration
        6. malware

        Qualifiers

        • Research-article
        • Research
        • Refereed limited

        Conference

        EICC '21
        EICC '21: European Interdisciplinary Cybersecurity Conference
        November 10 - 11, 2021
        Virtual Event, Romania

        Article Metrics

        • Downloads (Last 12 months)60
        • Downloads (Last 6 weeks)6
        Reflects downloads up to 12 Sep 2024

        Cited By

        • (2024) Air-Gap Electromagnetic Covert Channel. IEEE Transactions on Dependable and Secure Computing 21(4), 2127–2144. Online publication date: Jul 2024. DOI: 10.1109/TDSC.2023.3300035
        • (2024) PIXHELL Attack: Leaking Sensitive Information from Air-Gap Computers via ‘Singing Pixels’. 2024 IEEE 48th Annual Computers, Software, and Applications Conference (COMPSAC), 976–987. Online publication date: 2 Jul 2024. DOI: 10.1109/COMPSAC61105.2024.00134
        • (2024) A systematic review of optimization methods for recovery planning in cyber–physical infrastructure networks: Current state and future trends. Computers & Industrial Engineering 192, 110224. Online publication date: Jun 2024. DOI: 10.1016/j.cie.2024.110224
        • (2023) AIR-FI: Leaking Data From Air-Gapped Computers Using Wi-Fi Frequencies. IEEE Transactions on Dependable and Secure Computing 20(3), 2547–2564. Online publication date: 1 May 2023. DOI: 10.1109/TDSC.2022.3186627
        • (2022) Near Field Air-Gap Covert Channel Attack. 2022 IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), 490–497. Online publication date: Dec 2022. DOI: 10.1109/TrustCom56396.2022.00074
        • (2022) SATAn: Air-Gap Exfiltration Attack via Radio Signals From SATA Cables. 2022 19th Annual International Conference on Privacy, Security & Trust (PST), 1–10. Online publication date: 22 Aug 2022. DOI: 10.1109/PST55820.2022.9851978
        • (2022) ETHERLED: Sending Covert Morse Signals from Air-Gapped Devices via Network Card (NIC) LEDs. 2022 IEEE International Conference on Cyber Security and Resilience (CSR), 163–170. Online publication date: 27 Jul 2022. DOI: 10.1109/CSR54599.2022.9850284