Spy Group Targeted Air-Gapped Systems via Compromised Secure USB Drives

Security researchers have found evidence that a cyberespionage group has somehow compromised secure USB drives used by government agencies in South Korea, which might have allowed them to target air-gapped systems.

“Weaponizing a secure USB drive is an uncommon technique and likely done in an effort to compromise air-gapped systems, which are systems that do not connect to the public internet,” security researchers from Palo Alto Networks said in a blog post.

Air-gapped systems are isolated from the internet and even the local network, often because they serve a critical function or because they run specialized software on older operating systems that cannot be upgraded and properly secured.

The Palo Alto researchers recently analyzed a malware sample associated with a cyberespionage group known as Tick or Bronze Butler, which predominantly targets organizations in South Korea and Japan but has also gone after targets in Singapore, Russia and China. The group has been active for many years.

The new sample was found inside a Trojanized version of a legitimate application, which matches Tick's modus operandi. However, unlike past samples from the group, which installed a custom-made malware program called HomamDownloader, this new sample dropped a previously unknown program that researchers have dubbed SymonLoader.

SymonLoader is interesting because it only infects Windows XP and Windows Server 2003, two operating systems that are no longer supported by Microsoft but which might still be running on air-gapped systems. In addition, the malware binary was compiled in September 2012, which suggests the attackers have been using it for many years, possibly in highly targeted attacks.

SymonLoader also stands out because it creates a service that monitors removable USB devices inserted into the computer and looks for specific drives created by a company from South Korea’s defense industry. This company creates information and communication security equipment used by military, police, government agencies and public institutions, and its secure USB storage devices are certified by South Korea’s IT Security Certification Center.

If such a drive is found, SymonLoader attempts to copy a file from it that is encrypted and stored at the end of the device's storage area, outside of the file system. To do this, the malware does not go through the standard Windows file system API; instead it issues SCSI commands with Logical Block Addressing (LBA) to read the data directly from the sectors where it expects it to be on the drive.
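Data kept past the end of the last partition is invisible to the file system, so a defender who wants to check a drive for such a region has to look at the raw sectors. The script below is an added example, not code from the article or from Palo Alto Networks: it parses a classic MBR partition table, computes where the last partition ends, and measures the trailing region of the device for non-zero content. The device image, the partition layout and the payload bytes are constructed here for illustration; the 512-byte sector size is an assumption that holds for most USB flash drives.

```python
import struct

SECTOR = 512  # assumption: 512-byte logical sectors, as on most USB flash drives


def parse_mbr_partitions(mbr: bytes):
    """Parse the four primary entries of a classic MBR partition table.

    Returns a list of (partition_type, start_lba, sector_count) for the
    entries that are in use.
    """
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR: 0x55AA boot signature missing")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        # entry layout: status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sectors(4)
        ptype = entry[4]
        start_lba, count = struct.unpack("<II", entry[8:16])
        if ptype != 0 and count != 0:
            parts.append((ptype, start_lba, count))
    return parts


def inspect_trailing_region(image: bytes):
    """Measure the sectors that lie after the last MBR partition.

    Returns the LBA where the trailing region starts, how many sectors it
    spans and how many of its bytes are non-zero. Some unallocated space
    after the last partition is normal (alignment padding); non-zero content
    there is what merits a closer look, since nothing in the file system
    accounts for it.
    """
    total_sectors = len(image) // SECTOR
    parts = parse_mbr_partitions(image[:SECTOR])
    # with no partitions defined, everything after the MBR sector is "trailing"
    last_end = max((start + count for _, start, count in parts), default=1)
    region = image[last_end * SECTOR:]
    nonzero = sum(1 for b in region if b)
    return {
        "trailing_start_lba": last_end,
        "trailing_sectors": total_sectors - last_end,
        "nonzero_bytes": nonzero,
        "suspicious": nonzero > 0,
    }


def build_sample_image(total_sectors=64, part_start=1, part_sectors=48, payload=b""):
    """Constructed sample device image: one FAT32 partition plus an optional
    payload written into the last bytes of the device, outside the partition.
    The payload stands in for data stored past the end of the file system."""
    img = bytearray(total_sectors * SECTOR)
    img[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x0B, b"\0\0\0",
                               part_start, part_sectors)
    img[510:512] = b"\x55\xaa"
    if payload:
        img[len(img) - len(payload):] = payload
    return bytes(img)


if __name__ == "__main__":
    clean = build_sample_image()
    tampered = build_sample_image(payload=b"\xaa" * 100)
    print("clean:   ", inspect_trailing_region(clean))
    print("tampered:", inspect_trailing_region(tampered))
```

To apply the same check to a physical drive, read the raw device (for example `\\.\PhysicalDriveN` on Windows or `/dev/sdX` on Linux, with administrative privileges) into `inspect_trailing_region` instead of the constructed image. The parser handles only MBR layouts; a GPT-formatted drive needs its own parser, and vendor utilities sometimes leave legitimate data in unallocated space, so a non-zero trailing region is a lead to investigate rather than proof of tampering.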

The Palo Alto researchers have not been able to obtain a sample of this file, because doing so would require access to one of the compromised secure USB drives. Even so, the malware's behavior implies that the attackers must have compromised the drives in advance.

“Because we do not have either a compromised USB drive or the unknown malicious file, we are also unable to determine how these USB drives have been compromised,” the researchers said. “Specifically, we do not know if there has been a successful compromise in the supply-chain making these devices, or if these have been compromised post-manufacturing and distributed using other means such as social engineering.”

This is not the first time USB drives have been used to distribute malware to systems that are hard to reach over the internet. The Stuxnet worm had a USB-based distribution mechanism that took advantage of a zero-day vulnerability and was likely used to reach isolated computers inside Iran's nuclear facility at Natanz.

Researchers have also found malware associated with the Equation Group that hid itself by rewriting the firmware of hard-disk drives. In addition, the BadUSB attack showed that it is possible to reprogram the firmware on USB drives to make them act as keyboards or rogue network cards, or to create hidden storage areas.

These attacks should serve as a warning to companies that USB-based threats have grown in sophistication since the days of autorun worms and might even involve hardware supply-chain compromises.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
