Security researchers have discovered a new data-stealing Trojan that makes special use of USB devices in order to spread itself and does not leave any trace of activity on the compromised systems.
Dubbed USB Thief ( or Win32/PSW.Stealer.NAI), the malware has the capability of stealthy attacking against air-gapped or isolated computers, warns ESET security firm.
The malware author has employed special programs to protect the USB Thief from being reproduced or copied, making it even harder to detect and reverse-engineer.
USB Thief has been designed for targeted attacks on computer systems that are isolated from the Internet, according to the ESET malware analyst Tomáš Gardoň.
The ‘USB Thief’ Trojan Malware
The USB Thief Trojan malware is stored either as a portable application’s plugin source or as a Dynamically Linked Library (DLL) used by the portable application.
Since USB devices often store popular applications like Firefox, Notepad++ or TrueCrypt portable, once any of these applications is executed, the malware starts running in the background.
USB Thief is capable of stealing data from air-gapped systems – systems that are isolated from the Internet and other external networks.
“Well, taking into account that organizations isolate some of their systems for a good reason,” explained Peter Stancik, the security evangelist at ESET. “Any tool capable of attacking these so called air-gapped systems must be regarded as dangerous.”
The malware runs from a USB removable device, so it don’t leave any traces of its activities, and thus, victims do not even notice that their data had been stolen.
Since the malware is bound to a single USB device, it prevents USB Thief from leaking from the infected computers.
Besides this, USB Thief utilizes a sophisticated implementation of multi-staged encryption that makes the malware harder to detect and analyse.
“This is not a very common way to trick users, but very dangerous,” Stancik said. “People should understand the risks associated with USB storage devices obtained from sources that may not be trustworthy.”
Here’s How you can Protect from being Infected:
More technical details are available on ESET Ireland’s official blog.