ETDA: Electronic Transactions Development Agency

Threat Group Cards: A Threat Actor Encyclopedia

Tool: USBferry

Names: USBferry
Category: Malware
Type: Reconnaissance, Backdoor, Info stealer, Exfiltration
Description: (Trend Micro) USBferry has variants that perform different commands depending on specific targets; it can also combine capabilities, improve its stealth in infected environments, and steal critical information through USB storage.

Specific functions will be embedded in the trojan downloader to adopt the target environment. Our in-depth analysis found that when Tropic Trooper first penetrates the victim's environment, they will use basic sourcing scripts to collect the host network’s topology, connection capability, and volume information. The second function uses USB storage to copy highly classified documents from the physically isolated environment. Moreover, this function copies certain files into the USB %RECYCLER% folder, monitors files’ modified time, and updates the newest one to the USB device. The last function will infiltrate the target’s internal machine with a customized Windows command and reverse backdoor malware.
Information: <https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments/>
<https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf>
MITRE ATT&CK: <https://attack.mitre.org/software/S0452/>
Malpedia: <https://malpedia.caad.fkie.fraunhofer.de/details/win.usbferry>

Last change to this tool card: 30 December 2022


All groups using tool USBferry

APT groups

Name: Tropic Trooper, Pirate Panda, APT 23, KeyBoy
Country: China
Observed: 2011-Jul 2020

1 group listed (1 APT, 0 other, 0 unknown)
