USB Thief, a new threat to data, is capable of stealthy attacks against air-gapped systems and is also well protected against detection and reverse-engineering.
ESET researchers have discovered a new data-stealing Trojan malware, detected by ESET as Win32/PSW.Stealer.NAI and dubbed USB Thief. This malware exclusively uses USB devices for propagation, without leaving any evidence on the compromised computer. Its creators have also employed special mechanisms to protect the malware from being reproduced or copied, which makes it even harder to detect and analyse.
It seems that this malware was created for targeted attacks on systems isolated from the internet. The fact that USB Thief is run from a USB removable device means that it leaves no traces, and thus victims don’t even notice that their data were stolen. Another feature – and one that makes USB Thief unusual – is that it is bound to a single USB device, which prevents it from leaking from the target systems. On top of all that, USB Thief has a sophisticated implementation of multi-staged encryption that is also bound to features of the USB device hosting it. That makes USB Thief very difficult to detect and analyse.
USB Thief can be stored as a plugin source of portable applications or as just a library – a DLL – used by the portable application. Therefore, whenever such an application is executed, the malware will also be run in the background. This is not a very common way to trick users, but it is a very dangerous one. People should understand the risks associated with USB storage devices obtained from sources that may not be trustworthy.
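The loading path described above – a library or plugin sitting next to a portable application on the stick and picked up whenever that application runs – is something an analyst can inventory before a removable drive is trusted. The following Python script is an added example written for this page; it is not ESET’s code and it does not detect USB Thief specifically (the article gives no indicators). It walks a mounted volume, reports every DLL/OCX that has a portable executable in its own directory or in a directory above it (so plugin subfolders are tied to the application they belong to), and records each module’s SHA-256 for hash lookups. The directory names, file names and file contents are constructed samples, and a stray module with no executable above it is deliberately left unreported.

```python
"""Inventory loadable modules that sit beside portable executables on a
removable volume, for analyst triage.  Added example, not ESET's code and
not tied to any real USB Thief sample; every path and file below is a
constructed sample."""
import hashlib
import os
import tempfile
from pathlib import Path

EXECUTABLE = {".exe"}           # portable application entry points
LOADABLE = {".dll", ".ocx"}     # modules such an application may load from its own tree


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large modules need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def nearest_executables(directory: Path, root: Path):
    """Walk upward from `directory` (stopping at `root`) to the closest
    directory that holds an executable, so a module in a plugin subfolder is
    tied to the application above it.  Returns (dir, [exe names]) or
    (None, []) when no executable sits above the module."""
    d = directory
    while True:
        exes = sorted(p.name for p in d.iterdir()
                      if p.is_file() and p.suffix.lower() in EXECUTABLE)
        if exes:
            return d, exes
        if d == root:
            return None, []
        d = d.parent


def inventory_removable_volume(root) -> list:
    """Return one record per loadable module that a portable executable on the
    volume could pick up, with the hash an analyst needs for lookups.
    Modules with no executable above them are not reported."""
    root = Path(root).resolve()
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        for name in filenames:
            if Path(name).suffix.lower() not in LOADABLE:
                continue
            app_dir, exes = nearest_executables(here, root)
            if app_dir is None:
                continue
            module = here / name
            findings.append({
                "module": module.relative_to(root).as_posix(),
                "loader_dir": app_dir.relative_to(root).as_posix(),
                "loader_executables": exes,
                "size": module.stat().st_size,
                "sha256": sha256_of(module),
            })
    return sorted(findings, key=lambda r: r["module"])


def build_sample_volume(base) -> Path:
    """Constructed sample layout (not a real infection): a portable app with a
    sibling library and a plugin folder, plus a stray library with no
    executable above it, which must not be reported."""
    base = Path(base)
    (base / "PortableApp" / "plugins").mkdir(parents=True)
    (base / "Docs").mkdir()
    (base / "PortableApp" / "App.exe").write_bytes(b"MZ constructed sample exe")
    (base / "PortableApp" / "helper.dll").write_bytes(b"constructed sample dll 1")
    (base / "PortableApp" / "plugins" / "ext.dll").write_bytes(b"constructed sample dll 2")
    (base / "Docs" / "notes.txt").write_bytes(b"not a module")
    (base / "orphan.dll").write_bytes(b"constructed sample dll 3")
    return base


def run_demo() -> list:
    """Build the sample volume in a temporary directory, inventory it and
    return the findings; the temporary directory is removed afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        return inventory_removable_volume(build_sample_volume(tmp))


if __name__ == "__main__":
    # Point inventory_removable_volume() at a real mount point (e.g. "E:\\"
    # or "/media/usb") to triage an actual stick; the demo uses the sample tree.
    for rec in run_demo():
        print(f"{rec['module']:<32} loaded by {rec['loader_executables']} "
              f"in {rec['loader_dir']}  sha256={rec['sha256'][:16]}...")
```

The output is a list of candidates, not a verdict: a DLL beside a portable application is normal for many legitimate tools, so the value of the record is the hash and the pairing with the executable that would load it, which is what an analyst compares against known-good hashes or submits for sandbox analysis before the drive is plugged into an isolated system.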
Additional details about the USB Thief Trojan can be found in an interview with Tomas Gardon or in a technical article on ESET Ireland’s official IT security blog.