USBCulprit: USB-borne Air-Gap Malware


Research area: Safety



Venue: EICC '21: Proceedings of the 2021 European Interdisciplinary Cybersecurity Conference


Abstract

Air-gapped networks are disconnected from the Internet because of the sensitive data they store and process. Such networks are usually maintained by military organizations, defense industries, critical infrastructures, and others. Malware capable of jumping air gaps is a rare finding. In June 2020, researchers at the Kaspersky security firm reported USBCulprit, an Advanced Persistent Threat (APT) that appears to be designed to reach air-gapped networks. The malware includes lateral movement, spreading, and data exfiltration mechanisms via USB thumb drives. We tested and reverse-engineered the sample of USBCulprit and investigated its internal design, modules, and techniques. In particular, we revised the data collection and air-gap exfiltration mechanisms. We also present a video clip showing the actual attack on our in-lab air-gapped network and discuss a set of defensive countermeasures. This analysis is important for the understanding and mitigation of USB-borne APTs.


Author Profile
Mordechai Guri

Department of Software and Information Systems Engineering, Ben-Gurion University of the Negev, Israel, and Cyber Security Research Center, Ben-Gurion University of the Negev, Israel


Paper information

Publication year: 2021
Citations: 10
Publication country: Andorra
Site: ACM
Likes: 0

Related papers (372)