<<< JPCERT/CC Alert 2017-03-30 >>>
Alert on cyber attacks stealing data from USB storage devices
JPCERT/CC has received information on cyber attacks that steal data
stored on USB storage devices. In these attacks, attackers infect
machines with malware. When a USB storage device is connected to an
infected machine, a list of files in the storage is automatically
generated, from which the data is screened and stolen.
This attack method makes it possible to steal confidential data from
a USB storage device even when information is being managed within a
System administrators are recommended to check whether any unauthorized
programs are running within the organizations' machines and to reconsider
the handling of information when using USB storage devices.
II. Reported Attack Method
(1) Attacker infects an Internet-connected machine with malware.
(2) When a USB storage device is mounted to an infected machine, a list
of the files in the storage device is generated in the machine.
(3) The attacker checks the generated file list, and creates a list of
targeted files on the machine.
(4) Based on the file list created in (3), the targeted files from the
USB storage device are compressed and stored on the infected machine.
(5) Compressed files are divided into small parts and exfiltrated
through another machine which is infected with malware.
Characteristics of malware that check the list of files in a USB
storage device is as follows. Note that depending on the configuration
of the attack target, file configuration to change.
* The following files are placed under "C:\intel\logs", "C:\Windows\system32"
- An executable file with name similar to a legitimate executable file
intelUPD.exe, intelu.exe, IgfxService.exe
- A generated file list
- A compressed file for exfiltration
For machines that can access to Internet, caution must be taken when
handling information through a USB storage device. If files listed in
"II. Reported Attack Method" are observed, there is a possibility of
malware infection, therefore, please contact JPCERT/CC.
Consider changing operations when handling information through a USB
storage device. For example, use a machine that is disconnected from the
Internet when handling confidential files, using encryption, etc.
It is also recommended to check logs for any remote operations or
evidence of an attacker presence. For details on how to check logs,
please refer to the following document.
Analysis and utilization of logs to counter sophisticated cyber attacks (Japanese)
Alert on cyber attacks (PDF) (Japanese)
V. Contact Information
JPCERT/CC Incident Response Group
Tel: 03-3518-4600 Fax: 03-3518-2177
JPCERT/CC Watch and Warning Group
Tel: 03-3518-4600 Fax: 03-3518-4602
If you have any information regarding this alert, please contact
JPCERT Coordination Center (JPCERT/CC)
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602