USBCulprit Description

The USBCulprit is a threat that has been spotted recently by malware experts. However, evidence would suggest that the USBCulprit malware may have been active since 2014. It would appear that the USBCulprit threat is the creation of a hacking group referred to as Cycldek. The group also is known under the aliases Hellsing, Conimes, and Goblin Panda. Most of the targets of the Cycldek group are high-ranking politicians. The Cycldek hacking group has been going after targets located in South East Asia recently. The Cycledek hackers are known to use a wide variety of tools – infostealers, RATs (Remote Access Trojans), backdoors, etc. However, the most notable hacking tool in the arsenal of the Cycldek group is the USBCulprit threat.

The USBCulprit threat is a complex piece of malware designed to target air-gapped systems. Systems that are referred to as air-gapped are not connected to the Internet, so infiltrating them takes a lot of skill and effort. The USBCulprit threat does not establish a connection with a C&C (Command & Control) server and does not make efforts to connect to the Internet once it is active. However, once it has compromised a targeted system, the USBCulprit will scan its contents looking for specific filetypes. The files that meet the threat’s criteria will be copied and stored in a secret folder. The USBCulprit malware also is able to determine whether there is a USB stick connected to the breached device. If the USBCulprit detects a USB storage device connected to the system, it will copy itself onto it alongside all the files it has obtained from the host.

Air-gapped systems, which have been breached by the USBCulprit threat might have been infected by:

  • A compromised USB device that was carrying the payload of the USBCulprit malware.
  • A crooked employee or another individual who has injected the payload of the USBCulprit on the host manually.

When the USBCulprit threat is compromising a system via an infected USB device, it will look for the presence of a file called ‘1.txt’ in a specific directory on the targeted host. If this specific file exists in the right directory, the USBCulprit threat will proceed with the attack by copying all the previously collected files onto the hard drive of the system. This feature seems very random, but if the creators put it there, then they must have a valid reason to rely on it. One of the plausible scenarios is that the systems that have had this file planted on them are usable for data exfiltration - this way, USBCulprit can recognize them and drop the collected data on them.

Air-gapped systems are regarded as very secure, and breaching them usually requires complex high-tier malware like the USBCulprit threat. However, this does not stop cyber crooks from going the extra mile to infiltrate air-gapped systems as they are considered to be high-value targets.