
Malware Uses USBs to Help Steal Data: Report

Kaspersky: USBCulprit Malware Used Against Targets in Southeast Asia

A hacking group is deploying a new malware strain dubbed USBCulprit that uses USBs and other storage devices to assist in stealing data, according to research from the security firm Kaspersky.


This custom-built malware appears to have been developed by an advanced persistent threat group known as Cycldek, which has been active since 2013 and has mainly targeted defense, energy and government organizations in parts of Southeast Asia, especially Vietnam, according to Kaspersky.

And while USBCulprit appears to be delivered through phishing emails, once the malicious code is running on an air-gapped device it can copy data from that device onto removable storage, such as a USB drive, which then physically carries the data out.

"It is capable of copying itself to any newly connected removable storage," Giampaolo Dedola and Mark Lechtik, security researchers at Kaspersky, tell Information Security Media Group. "That storage - typically a USB - would need to be physically connected to another machine and the malware in it manually executed to spread onward."

While most of the attacks Kaspersky traced to USBCulprit date back to 2018, the malware is still believed to be active in the wild, according to the report. It's not known how many organizations it's targeted and whether any of these resulted in data theft.

"We can only confirm that the group targeted diplomatic entities and government institutions located in Southeast Asian countries," Dedola and Lechtik note. "The malware itself doesn’t distinguish between stolen files based on content but only their extension. Therefore, we are only left to speculate on the nature of documents retrieved from the victims."

Sophisticated Attack

The attacks that Kaspersky tracked start with politically themed phishing emails that contain malicious documents in rich text format. The malware used in the initial phase of these attacks takes advantage of several vulnerabilities in Microsoft Office to infect a targeted device, according to the report.

Once a device is infected, the initial malware deploys a remote access Trojan, or RAT, called NewCore, according to the report. The NewCore RAT comes in two variants called BlueCore and RedCore, which behave in similar ways and share the same infrastructure but are deployed against different targets and are run by separate operator clusters within Cycldek, according to Kaspersky.

"The operators behind the BlueCore cluster invested most of their efforts on Vietnamese targets with several outliers in Laos and Thailand, while the operators of the RedCore cluster started out with a focus on Vietnam and diverted to Laos by the end of 2018," according to the report.

BlueCore and RedCore are designed to deploy USBCulprit as the final payload within an infected device, according to the report.


While USBCulprit was only recently discovered and analyzed by Kaspersky, the malicious code dates to 2014 and has changed slowly over the last several years, according to Dedola and Lechtik. The biggest change is in how it is loaded: in the newer versions the decrypted USBCulprit payload exists only in memory and is never written to disk, the analysts note.

"The malware didn't change much through the years. The most notable modifications were in the way it is loaded and executed, whereby the newer versions would have USBCulprit's payload exposed only in memory after decryption and not on disk, as was done in earlier versions," Dedola and Lechtik tell ISMG.

USBCulprit scans an infected device and runs reconnaissance looking for files with specific extensions to copy. It can also spread to other machines by copying itself to removable drives, but it waits for a removable storage device, such as a USB key, to be connected before it copies anything onto it, according to Kaspersky.

"When bootstrapping and data collection is completed, the malware attempts to intercept the connection of new media and verify that it corresponds to a removable drive. This is achieved by running an infinite loop, whereby the malware is put to sleep and wakes at constant intervals to check all connected drives," according to the report.

Because USBCulprit waits until it detects a USB key or other removable device, these attacks likely rely on a human operator who has physical access to the air-gapped device, attaches the USB or other storage device and later removes it, according to Kaspersky.
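The wait-and-check behavior described in the two preceding paragraphs is easy to misread as event-driven; the report says it is a polling loop. The model below is an added illustration written for this article, not Kaspersky's code and not the malware's: it replays a constructed table of connected drives one tick at a time, diffs it against the previous snapshot, keeps only drives of removable type and selects files by extension alone. The drive-type codes follow the Win32 GetDriveTypeW() convention and the extension list is a stand-in, both assumptions since the page names neither; the point is the loop shape an analyst or sandbox would expect to observe, including a drive that is pulled and re-inserted being treated as new again.

```python
"""Model of the removable-drive wait loop described in the Kaspersky report.

Added illustration, not Kaspersky's or USBCulprit's code. Drive enumeration is
injected so the loop runs offline against constructed data.
"""
import os
import time
from typing import Callable, Dict, Iterable, List, Set

# Drive-type codes in the convention of the Win32 GetDriveTypeW() call.
# Assumption: the report does not say which API the sample actually uses.
DRIVE_REMOVABLE = 2
DRIVE_FIXED = 3

# Constructed stand-in: the report says files are chosen by extension only,
# but this page does not give the real extension list.
TARGET_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf"}


def new_removable_drives(seen: Set[str], drives: Dict[str, int]) -> List[str]:
    """Drives that are removable and were absent from the previous snapshot."""
    return sorted(letter for letter, kind in drives.items()
                  if kind == DRIVE_REMOVABLE and letter not in seen)


def select_files(paths: Iterable[str], exts: Set[str] = TARGET_EXTENSIONS) -> List[str]:
    """Pick files by extension alone; file content is never inspected."""
    return [p for p in paths if os.path.splitext(p)[1].lower() in exts]


def watch(enumerate_drives: Callable[[], Dict[str, int]], ticks: int,
          interval: float = 0.0) -> List[str]:
    """The wait loop: sleep, wake, enumerate all drives, diff against the last snapshot.

    Returns the removable drives seen arriving, in order. Because the snapshot
    is rebuilt every tick, a stick that is pulled and re-inserted counts again.
    """
    seen: Set[str] = set()
    arrivals: List[str] = []
    for _ in range(ticks):
        time.sleep(interval)          # constant-interval polling, not an event hook
        drives = enumerate_drives()
        arrivals.extend(new_removable_drives(seen, drives))
        seen = set(drives)            # every connected drive, fixed or removable
    return arrivals


def scripted_enumerator(snapshots: List[Dict[str, int]]) -> Callable[[], Dict[str, int]]:
    """Replay a constructed sequence of drive tables, one per tick."""
    remaining = iter(snapshots)
    last: Dict[str, int] = {}

    def enumerate_drives() -> Dict[str, int]:
        nonlocal last
        last = next(remaining, last)  # repeat the final table once exhausted
        return last

    return enumerate_drives


# Constructed timeline: fixed disk only, a USB stick appears on E:, it stays,
# it is pulled, then a stick appears on E: again.
TIMELINE = [
    {"C:": DRIVE_FIXED},
    {"C:": DRIVE_FIXED, "E:": DRIVE_REMOVABLE},
    {"C:": DRIVE_FIXED, "E:": DRIVE_REMOVABLE},
    {"C:": DRIVE_FIXED},
    {"C:": DRIVE_FIXED, "E:": DRIVE_REMOVABLE},
]

if __name__ == "__main__":
    print(watch(scripted_enumerator(TIMELINE), ticks=len(TIMELINE)))
    print(select_files(["C:/docs/budget.xlsx", "C:/docs/memo.docx", "C:/docs/notes.txt"]))
```

On a real host the enumerator would be a call that lists drive letters and their types; the loop shape is what matters for detection, since it shows up as periodic volume enumeration from a process that has no business doing it, independent of whether a drive ever arrives.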

Cycldek Group

The Cycldek hacking group, which is also known as Goblin Panda, APT 27 and Conimes, appears to be Chinese speaking and primarily interested in organizations in Southeast Asia, according to Kaspersky and security firm CrowdStrike, which has also tracked the group's activities.

While primarily interested in Vietnam, Cycldek is also known to target organizations in Thailand and Laos, according to Kaspersky and CrowdStrike.

Other security researchers have found malware that can penetrate air-gapped devices and networks.

For example, in May, the security firm ESET disclosed details about new malware called Ramsay that’s capable of infiltrating air-gapped networks to steal documents, take screenshots and compromise other devices (see: Cyber-Espionage Malware Targets Air-Gapped Networks: Report).

Managing Editor Scott Ferguson contributed to this report.

About the Author

Akshaya Asokan


Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
