A new type of stealth malware called USB Thief can reportedly infect air-gapped systems without leaving any signs...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
behind. How does USB Thief work and what, if anything, can enterprises do to mitigate this attack?
USB Thief is a new type of malware discovered by ESET. Little is known about the malware because only part of it has been identified and analyzed. ESET explains how USB Thief uses multiple stages in its attacks on air-gapped systems, has the ability to encrypt itself and limits where it can run to prevent analysis. The target of the attack appears to be stealing data from the infected systems.
ESET stated in its blog post that USB Thief leaves no evidence when it has been used. The USB malware does not save any files on the local system. Enterprises have several options to mitigate this attack. They should assume targeted malware will bypass whatever antimalware tools in place and have defense-in-depth controls to monitor and investigate potentially suspicious activity. Windows has built-in functionality for logging in the event log each time a USB device is inserted into a system. An enterprise could then monitor the logs for any time a USB device is inserted and respond accordingly. Windows has functionality to record any time a file is accessed on the system and log that event. Windows can log all files executed on the local system, but it is unclear how the USB Thief malware would show up in the event log when the dynamic link library (DLL) was injected into the targeted executable. All of this data would need to be monitored and analyzed by the enterprise, so that if potentially suspicious events were logged, the enterprise could send an incident response team or investigate the system for suspicious activity.
For systems in high security areas, USB drives can be disabled or have the capability to execute files disabled, which could also prevent this attack. But disabling USB drives might not be possible on general use systems because of the limitations on functionality. Some host-based intrusion detection systems, antimalware, whitelisting or other third-party endpoint security tools also have similar functionality for logging or controlling access to USB drives and files accessed on the system.
Find out the best practices for implementing an air-gapped enterprise network
Learn how to mitigate data theft from USB devices
Read about the new features on Windows Defender Advanced Threat Protection
Dig Deeper on Network intrusion detection and prevention (IDS-IPS)
Related Q&A from Nick Lewis
The OurMine hacking group recently used DNS poisoning to attack WikiLeaks and take over its web address. Learn how this attack was performed from ...continue reading
Typosquatting was used by threat actors to spread malware in the NPM registry. Learn from expert Nick Lewis how this method was used and what it ...continue reading
Threat actors are using phishing email campaigns to fool users with tech support scams and fake Blue Screens of Death. Learn how these campaigns work...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.