Cyberespionage group Tick targets air-gapped critical systems with weaponized USB drives

• Palo Alto researchers said the Tick group is now leveraging USB-based attacks to deploy malware
• The cyberespionage group are targeting a specific type of secure USB drive, researchers found

Security researchers have discovered a cyber-espionage group has been weaponizing USB drives to target air-gapped critical systems. According to researchers at Palo Alto Networks’ Unit 42, the group - dubbed “Tick” - has been exploiting a specific type of secure USB drive supposedly certified as secure by South Korean firm ITSCC.

However, the attackers have managed to load malicious files onto the USB devices. It is still unclear how many devices have been compromised and how the devices were corrupted.

"The weaponization of a secure USB drive is an uncommon attack technique and likely done in an effort to spread to air-gapped systems, which are systems that do not connect to the public internet," Palo Alto’s Unit 42 said in a blog post. “In addition, our research shows that the malware used in these attacks will only try to infect systems running Microsoft Windows XP or Windows Server 2003.

“This is despite the fact that the malware appears to have been created when newer versions of Windows software were available. This would seem to indicate an intentional targeting of older, out-of-support versions of Microsoft Windows installed on systems with no internet connectivity.”

Air-gapped systems are widely used in various countries by government, military and defense contractors along with other industry verticals.

Tick’s new USB-based attack

The notorious Tick Group has been known to conduct attack campaigns using custom malware such as Minzen, Datper, Nioupale and HomamDownloader. Researchers believe the Tick group has likely used an older malware that was previously used in some of their earlier attacks.

However, they do not currently have access to the malicious file used in their new USB-based attacks.

According to their hypothesized attack scenario, the Tick group tricks users with a Trojanized version of legitimate software to install the loader program named SymonLoader and infect older Windows systems. Once executed, SymonLoader begins monitoring storage device changes and looks for these specific USB drives. Once detected, it attempts to access the storage through the device driver, accesses a predefined location of the storage on the USB and extracts an unknown executable file before executing it on the compromised system.

Although researchers do not currently have a copy of this file, they said SymonLoader shares code with HomamDownloader - a malware previously used by the Tick group.

Tick’s infamous HomamDownloader

According to Palo Alto’s earlier research, the Tick group has previously Trojanized legitimate programs deployed via spear-phishing emails that were embedded with the HomamDownloader.

“When executed, the Trojanized legitimate application drops HomamDownloader and installs the legitimate program. Recipients may not be aware of the malware as the legitimate application works as expected,” researchers said. The HomamDownloader can then install other malicious files from the remote C2 server.

While the HomamDownloader requires an internet connection to reach its C&C server to download additional payloads, researchers said SymonLoader taps into the unknown hidden payload within the specific type of secure USB drive that is plugged into a compromised system.

"Because we do not have either a compromised USB drive or the unknown malicious file, we are also unable to determine how these USB drives have been compromised." said the researchers. "Because of this, we are unable to describe the full attack sequence."

Still, Palo Alto says they have “more than enough information” to deduce that the file is likely malicious.

“Weaponizing a secure USB drive is an uncommon technique and likely done in an effort to compromise air-gapped systems, which are systems that do not connect to the public internet,” researchers said. “Some industries or organizations are known for introducing air gapping for security reasons. In addition, outdated versions Operating Systems are often used in those environments because of no easy-update solutions without internet connectivity.

“When users are not able to connect to external servers, they tend to rely on physical storage devices, particularly USB drives, for data exchange. The SymonLoader and secure USB drive discussed may fit for this circumstance.”