TY - GEN
T1 - USBCulprit
T2 - 2021 European Interdisciplinary Cybersecurity Conference, EICC 2021
AU - Guri, Mordechai
N1 - DBLP License: DBLP's bibliographic metadata records provided through http://dblp.org/ are distributed under a Creative Commons CC0 1.0 Universal Public Domain Dedication. Although the bibliographic metadata records are provided consistent with CC0 1.0 Dedication, the content described by the metadata records is not. Content may be subject to copyright, rights of privacy, rights of publicity and other restrictions.
PY - 2021/11/10
Y1 - 2021/11/10
N2 - Air-gapped networks are disconnected from the Internet due to the sensitive data they store and process. These networks are usually maintained by military organizations, defense industries, critical infrastructures, and more. Malware that is capable of jumping air-gaps is a rare finding. In June 2020, researchers at the Kaspersky security firm reported USBCulprit, an Advanced Persistent Threat (APT) which seems to be designed to reach air-gapped networks. The malware includes lateral movement, spreading, and data exfiltration mechanisms via USB thumb drives. We tested and reverse-engineered the sample of USBCulprit, and investigated its internal design, modules, and techniques. In particular, we reviewed the data collection and air-gap exfiltration mechanisms. We also present a video clip showing the actual attack on our in-lab air-gapped network and discuss a set of defensive countermeasures. This analysis is important for the understanding and mitigation of USB-borne APTs.
KW - APT
KW - Air-gap
KW - Covert channels
KW - Malware
KW - USB
KW - exfiltration
UR - http://www.scopus.com/inward/record.url?scp=85120520741&partnerID=8YFLogxK
U2 - 10.1145/3487405.3487412
DO - 10.1145/3487405.3487412
M3 - Conference contribution
T3 - ACM International Conference Proceeding Series
SP - 7
EP - 13
BT - Proceedings of the 2021 European Interdisciplinary Cybersecurity Conference, EICC 2021
PB - Association for Computing Machinery
Y2 - 10 November 2021 through 11 November 2021
ER -