USBferry
USBferry is an information stealing malware and has been used by Tropic Trooper in targeted attacks against Taiwanese and Philippine air-gapped military environments. USBferry shares an overlapping codebase with YAHOYAH, though it has several features which makes it a distinct piece of malware.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1087 | .001 | Account Discovery: Local Account |
USBferry can use |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1005 | Data from Local System |
USBferry can collect information from an air-gapped host machine.[1] |
|
| Enterprise | T1083 | File and Directory Discovery | ||
| Enterprise | T1120 | Peripheral Device Discovery | ||
| Enterprise | T1057 | Process Discovery |
USBferry can use |
|
| Enterprise | T1018 | Remote System Discovery |
USBferry can use |
|
| Enterprise | T1091 | Replication Through Removable Media |
USBferry can copy its installer to attached USB storage devices.[1] |
|
| Enterprise | T1218 | .011 | Signed Binary Proxy Execution: Rundll32 |
USBferry can execute rundll32.exe in memory to avoid detection.[1] |
| Enterprise | T1016 | System Network Configuration Discovery |
USBferry can detect the infected machine's network topology using |
|
| Enterprise | T1049 | System Network Connections Discovery |
USBferry can use |
|
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0081 | Tropic Trooper |