USBStealer
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
USBStealer registers itself under a Registry Run key with the name "USB Disk Security."(Citation: ESET Sednit USBStealer 2014) |
Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
USBStealer collects files matching certain criteria from the victim and stores them in a local directory for later exfiltration.(Citation: ESET Sednit USBStealer 2014)(Citation: Kaspersky Sofacy) |
Enterprise | T1052 | .001 | Exfiltration Over Physical Medium: Exfiltration over USB |
USBStealer exfiltrates collected files via removable media from air-gapped victims.(Citation: ESET Sednit USBStealer 2014) |
Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
USBStealer has several commands to delete files associated with the malware from the victim.(Citation: ESET Sednit USBStealer 2014) |
.006 | Indicator Removal: Timestomp |
USBStealer sets the timestamps of its dropper files to the last-access and last-write timestamps of a standard Windows library chosen on the system.(Citation: ESET Sednit USBStealer 2014) |
||
Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
USBStealer mimics a legitimate Russian program called USB Disk Security.(Citation: ESET Sednit USBStealer 2014) |
Enterprise | T1027 | .013 | Obfuscated Files or Information: Encrypted/Encoded File |
Most strings in USBStealer are encrypted using 3DES and XOR and reversed.(Citation: ESET Sednit USBStealer 2014) |
References
- Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
- Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
- ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.