Air Gapped PCs are Still at Risk. The Rise of USB-based Crytojacking Malware

Kaspersky Labs has revealed on their official blog that Africa is the most vulnerable region in the world when it comes to crytojacking via USB malware. Cryptojacking is a new type of malware infection with the goal of mining cryptocurrency for its authors, with the use of the infected PC’s resources such as CPU and GPU cycles. USB flash drives are the best-known bridge of non-networked PCs, popular in the emerging markets that have less PC penetration in decades compared to the first world countries. The possibility of the virus authors to actually “profit” from the cryptocurrency produced by non-networked PC is orders of magnitude lower compared to an Internet-connected PC. But with the constant transfer of the same infected USB flash drives, even with a lower percentage, they still see it as a worthwhile undertaking.

“USB devices remain a target for cyberthreats. Kaspersky Lab data for 2017 shows that every 12 months or so, around one in four users worldwide is affected by a ‘local’ cyber incident. These are attacks detected directly on a user’s computer and include infections caused by removable media like USB devices. Infections caused by removable media are defined as local threats – those that are detected directly on a user’s computer, for example, during a scheduled, installation or user-initiated security scan. Local threats differ from threats targeting computers over the internet (web-borne threats), which are far more prevalent. Local infections can also be caused by an encrypted malicious program hidden in a complex installer,” said Kaspersky.

The cybercriminal organizations that develop malware still recognize the millions if not tens of millions of vulnerable non-Internet connected computers are in operations. No Internet connection means two things, since the primary way to spread infection these days is through the Internet it is much safer to operate a computer. It reciprocates the school of thought that the if those non-networked computers have an antimalware installed, it will remain as outdated to protect the PC from newer forms of malware using other channels like USB flash drives and other external media.

Below are some of the keypoints of the report:

• Since 2015, USB-based cryptocurrency mining malware is silently operating on many non-networked PC in the emerging market countries.
• Trojan.Win64.Miner.all is the most prevalent bitcoin mining malware, growing 16.7% from last year.
• Ten percent of all USB flash drive/removable drive-based malware incidents since Jan 2018 were malware. That is a substantial growth compared to just 6.7% the year prior.
• Other than trojans, other forms of removable-media based malware are still spreading to non-networked computers. Trojan.LNK.Gen is also a very noticeable malware with non-Internet connected PCs.

“USB devices were used to inject malware into the facilities’ air-gapped networks. Among other things, the devices included an exploit to a Windows LNK vulnerability (CVE-2010-2568) that enabled remote code execution. Other advanced threat actors, including Equation Group, Flame, Regin and HackingTeam, have all integrated exploits for this vulnerability into removable media to use in attacks. Further, the structure of most USB devices allows them to be converted to provide hidden storage compartments, for the removal of stolen data, for example. The ProjectSauron 2016 toolkit was found to include a special module designed to move data from air-gapped networks to internet-connected systems. This involved USB drives that had been formatted to change the size of the partition on the USB disk, reserving some hidden space (several hundred megabytes) at the end of the disk for malicious purposes,” concluded Kaspersky.