In the past week, three cybersecurity firms have announced they have found malware variants that are being used to target air-gapped networks. First came the news that ESET had discovered Ramsay malware, followed by a report from Kaspersky Lab of a variant of COMpfun malware, named Reductor, that was also being used to steal data from air-gapped networks.
Trend Micro has now announced that it has identified yet another malware variant, USBFerry, which is being used by the hacking group Tropic Trooper, a group with strong links to the Chinese government. According to Trend Micro, USBFerry is being used to target air-gapped systems used by the military in Taiwan and the Philippines.
While the methods used by each malware variant differ, they are all propagated to air-gapped networks through USB devices. USBFerry copies itself onto portable storage devices such as USB flash drives using USB worm tactics, and the malware is then transferred to air-gapped networks when those devices are connected to isolated networks that have no internet access. The malware checks whether the host has any network connectivity. If none is found, it proceeds to collect data.
The method of data exfiltration used by Ramsay malware has not yet been identified. In the case of USBFerry, once it has been transferred to the isolated network, it searches for certain types of data and copies those files onto the USB device. When that device is later connected to a less secure system with internet access, the data is exfiltrated to the attackers’ command and control server.
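The hand-carry pattern described above leaves one trace a defender can look for: the same removable device appearing on a host in the isolated network and on an internet-connected host. The following is an added example, not code from Trend Micro or from the original article; the log format, hostnames, zone names and device serials are all constructed for illustration.

```python
"""Flag removable-media serials that bridge an isolated network and an
internet-connected one. The log format, hosts, zones and serials below
are constructed for this example, not a real product's format."""
import re
from collections import defaultdict

# Constructed sample lines: one event per removable-device mount.
SAMPLE_LOG = """\
2020-05-11T08:02:11Z host=HR-PC-07 zone=corp action=usb_mount serial=4C530001
2020-05-11T09:40:53Z host=OPS-WS-12 zone=airgap action=usb_mount serial=4C530001
2020-05-11T10:15:00Z host=OPS-WS-12 zone=airgap action=usb_mount serial=9A11FFEE
2020-05-12T07:55:19Z host=HR-PC-07 zone=corp action=usb_mount serial=4C530001
2020-05-12T11:03:44Z host=FIN-PC-02 zone=corp action=usb_mount serial=77AA0003
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) zone=(?P<zone>\S+) "
    r"action=(?P<action>\S+) serial=(?P<serial>\S+)$"
)


def parse_events(text):
    """Parse mount events; malformed lines are skipped rather than raising."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("action") == "usb_mount":
            events.append(m.groupdict())
    return events


def find_ferry_devices(events, isolated_zone="airgap"):
    """Return {serial: sorted hosts} for devices seen in the isolated zone
    and in at least one other zone. A device that stays on one side of the
    gap is routine; one that crosses it is the path by which the malware
    and the collected data travel, so it deserves a closer look."""
    zones = defaultdict(set)
    hosts = defaultdict(set)
    for e in events:
        zones[e["serial"]].add(e["zone"])
        hosts[e["serial"]].add(e["host"])
    return {
        s: sorted(hosts[s])
        for s, z in zones.items()
        if isolated_zone in z and len(z) > 1
    }


if __name__ == "__main__":
    for serial, seen_on in find_ferry_devices(parse_events(SAMPLE_LOG)).items():
        print(f"device {serial} crossed the air gap via {', '.join(seen_on)}")
```

In the constructed sample only serial 4C530001 is reported, because it was mounted on both the corporate host and the air-gapped workstation.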
Trend Micro reports that it first identified USBFerry in 2018 but has traced attacks by Tropic Trooper using this malware variant back to 2014. The attacks have been focused on military and navy targets in both countries, along with national banks, military hospitals and companies in the high-tech sector. The group first identifies and attacks relatively low-security targets, then uses that foothold to launch attacks on much better protected networks, including those that are physically isolated. Trend Micro reports that in one attack a military hospital was compromised, and from there the attackers were able to copy their malware onto a USB device that was later used on an air-gapped military network.
Trend Micro researchers have identified at least three different variants of USBFerry malware, each consisting of different components. They also report that several backdoors were deployed in one of the most recent attacks. The group also uses a range of hacking tools freely available on the internet, including a command-line remote control listener/port relay tool, backdoor payload and steganography payload execution loaders, and port scanning tools.