• ProgIST CyberSec Division

Removable device based threats on the rise



Recently, cyber security researchers took down a scam of a botnet comprising at least 35,000 Windows systems that the attackers were using to secretly mine Monero cryptocurrency.


The botnet, identified as VictoryGate has been active since May 2019, with the infections mainly reported in Peru, Latin America - accounting for 90% of the compromised devices.


The main function of the botnet is mining Monero cryptocurrency. The victims include organizations in public and private sectors, including financial institutions. VictoryGate transmits via removable devices such as USB drives, which, when connected to the victim's machine, installs a malicious payload into the system. In addition, the botnet also communicates with its C2 server to receive a secondary payload that injects arbitrary code into legitimate Windows processes, such as introducing XMRig mining software into the process or Boot File Servicing Utility, thus facilitating mining of Monero cryptocurrency.


With USB drives being used as a vector to spread the botnet, new infections can occur in the future. But with a large amount of C2 infrastructure sinkholed, the bots will no longer able to receive secondary payloads. However, machines compromised before the C2 servers were taken down would still continue to mine the cryptocurrency.


In recent times, USB or removable device based threats are on the rise. A few weeks ago, another group of cyber criminals shipped BadUSB devices to targets. The malicious USB devices were accompanied with fake gift cards to to entice the would-be victims.


Businesses in the US were warned that they might be targeted by a malicious new scheme being practiced by the Carbanak Group also known as the Navigator or the FIN7 Group. The infamous group has already been linked to more than $1 billion in fraud, typically by infecting point-of-sale devices with malware and using it to steal payment card details in the past.


Now, the group has a new trick up its sleeves.! The group is mailing a USB storage device to the victims, with a goody and supposed-to-be $50 gift card to Best Buy also accompanied by a letter reading that the victim can spend it on any product from the list of items presented on a USB device. All a victim has to do is plug the USB device into their computer and it does it's magic.


Other way which the attackers use to target the victims is by dropping malicious USB devices in a target's parking lot, waiting room, reception area or desk.



A complex form of USB based threats are well known as Rubber Ducky attacks, where what looks like a normal USB drive is actually, a malicious USB keyboard preloaded with keystrokes. Typically, these types of attacks are so explicitly targeted that it's rare to find them coming from actual attackers in the wild.


BadUSB devices are USB storage devices with their firmware rewritten to facilitate malicious activities, thus giving attackers the ability to bypass endpoint antivirus solutions and gain access to any system into which the USB device gets plugged in.


With the USB based threat rolling in to become an agony to the organizations worldwide, the question arises - What should we as organizations do ??


THE ANTIDOTE: ProPhish Employee Awareness Program


ProPhish Employee Awareness Program (PEAP) is here to help you.! As the name suggests, our program comprises of numerous activities to train your most important first line of defense in the organization - the employees. 95% of all successful cyber attacks are caused due to human error. Hence it is undoubtedly important to train your employees not to fall prey to the cyber attacks.


PEAP provides an exclusive USB based threat simulation by recreating real life scenarios such as placing malicious USB devices in your office parking lot, waiting room, reception area or employees' desks. This simulation helps in defining your existing employee awareness levels and basis on that, preparing a plan of action to increase employees' knowledge levels.


To know more about PEAP - reach us out at info@progist.net

  • LinkedIn
  • Twitter
  • Facebook

© 2020 by Progist.