Cybercriminals have repeatedly used USB devices to reach their victims. The technique drew wide attention after the Stuxnet worm's attack on Iranian nuclear facilities, uncovered in 2010, and it has remained a reliable way to deliver malicious payloads ever since, most recently in the hands of the Try2Cry ransomware operators.
Try2Cry uses USB-based propagation
Try2Cry ransomware, identified as a variant of the Stupid ransomware family, was found using infected USB drives as its propagation vector.
- Try2Cry was recently seen targeting Windows computers through infected USB drives, using Windows shortcut (LNK) files as the lure that tricks the user into running it.
- The malware encrypts the victim's files with the Rijndael symmetric cipher, appends the .Try2Cry extension to each encrypted file, and instructs the victim to contact the attacker at Try2Cry@Indea[.]info.
- To spread, the malware looks for removable drives attached to the infected system and writes a hidden copy of itself named Update.exe to the root folder of each drive. It also drops visible copies of itself disguised with a folder icon and Arabic file names, so that a curious user opening the drive is lured into double-clicking them.
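The propagation artefacts listed above (a hidden Update.exe in the drive root, shortcut lures with folder-like Arabic names, and the .Try2Cry extension on encrypted files) are concrete enough to triage a removable drive for. The following is an added example written for this page, not code from the Try2Cry report or from the malware itself. It assumes a simple directory-listing format (the kind of record you would get by exporting `Get-ChildItem -Force -Recurse` or `dir /a`), and the sample listing it runs over is constructed.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Entry:
    """One line of a removable-drive listing (format is an assumption)."""
    path: str           # full path on the drive, e.g. r"E:\Update.exe"
    hidden: bool        # Hidden attribute set; Explorer hides it by default
    is_dir: bool = False


RULES = ("hidden_update_exe_in_root", "root_lnk_lure",
         "arabic_script_name", "try2cry_extension")


def _in_drive_root(p: PureWindowsPath) -> bool:
    # parts of r"E:\Update.exe" are ('E:\\', 'Update.exe'): exactly two
    # parts means the entry sits directly in the drive root.
    return len(p.parts) == 2


def _has_arabic(name: str) -> bool:
    # Arabic Unicode block; the report describes Arabic-named lures.
    return any("\u0600" <= ch <= "\u06ff" for ch in name)


def triage(listing):
    """Return {rule: [paths]} for every Try2Cry indicator found."""
    findings = {rule: [] for rule in RULES}
    for e in listing:
        p = PureWindowsPath(e.path)
        name = p.name
        lower = name.lower()
        root = _in_drive_root(p)
        # Strong indicator: the dropped worm copy, hidden, in the root only.
        if root and not e.is_dir and lower == "update.exe" and e.hidden:
            findings["hidden_update_exe_in_root"].append(e.path)
        # Weak indicator: shortcuts in a drive root are unusual on their own.
        if root and not e.is_dir and lower.endswith(".lnk"):
            findings["root_lnk_lure"].append(e.path)
        if root and _has_arabic(name):
            findings["arabic_script_name"].append(e.path)
        # Strong indicator: the ransomware has already encrypted something.
        if not e.is_dir and lower.endswith(".try2cry"):
            findings["try2cry_extension"].append(e.path)
    return findings


def verdict(findings):
    if findings["hidden_update_exe_in_root"] or findings["try2cry_extension"]:
        return "infected"
    if findings["root_lnk_lure"] or findings["arabic_script_name"]:
        return "suspicious"
    return "clean"


SAMPLE_LISTING = [  # constructed sample, not a real capture
    Entry(r"E:\Update.exe", hidden=True),
    Entry(r"E:\مستندات.lnk", hidden=False),       # Arabic for "documents"
    Entry(r"E:\Documents", hidden=False, is_dir=True),
    Entry(r"E:\Documents\report.docx.Try2Cry", hidden=False),
    Entry(r"E:\photo.jpg", hidden=False),
    Entry(r"E:\Tools\Update.exe", hidden=True),   # not in root: not the indicator
]

if __name__ == "__main__":
    f = triage(SAMPLE_LISTING)
    for rule, hits in f.items():
        print(f"{rule}: {hits}")
    print("verdict:", verdict(f))
```

Two design points: the Update.exe rule is deliberately restricted to a hidden file in the drive root, because that is the placement the report describes and a legitimately named Update.exe elsewhere on a drive is common; and the shortcut and Arabic-name rules only ever raise "suspicious", since neither is conclusive on its own. Anything flagged "infected" should be confirmed by hashing the file rather than trusting the name.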
Infected USB as an attack vector
In the recent past, several threat actors have been observed using infected USB drives as an attack vector against their victims.
- In May, the Tropic Trooper group was seen targeting Taiwanese and Philippine military networks with its USBferry attack, in which a USB worm ferries malware onto air-gapped hosts that have no network path to the attacker.
- In April, the VictoryGate botnet was seen propagating via removable USB devices. The victim receives a malicious USB stick that infects the system with the VictoryGate malware, which then uses the machine to mine Monero.
Malicious USBs as a gift
A noteworthy USB-based incident was observed in March, when attackers mailed out malicious USB sticks accompanied by a letter posing as a 'Best Buy' gift card. The devices were not ordinary storage: they emulated a keyboard and injected keystrokes to run commands on whatever machine they were plugged into, which is why the gift-card pretext was needed to get the victim to connect them.