Aggressive Cyber Campaign Alert! SOGU and SnowyDrive Malware Spreading through Malicious USB Drives

According to recent findings from Mandiant, using infected USB drives as a method for cyber-attacks has seen a three-fold increase in the first half of 2023. Mandiant identified two notable campaigns, SOGU and SNOWYDRIVE, which targeted various public and private sector organizations worldwide.

Discussing details

SOGU, recognized as the most widespread USB-based cyber-espionage attack, has been attributed to a China-based cluster known as TEMP.Hex, which is also tracked under names such as Camaro Dragon, Earth Preta, and Mustang Panda.

The campaign has targeted construction, engineering, business services, government, health, transportation, and retail industries in Europe, Asia, and the U.S.

Geographic distribution of TEMP.HEX victims

Source: Mandiant

Interestingly, Mandiant’s observations of the infection chain in the SOGU campaign show similarities to another attack conducted by Mustang Panda, uncovered by Check Point. 

This attack employed a self-propagating malware called WispRider, which spread through compromised USB drives and had the potential to breach air-gapped systems.

Anatomy of the attack

The attack starts with a malicious USB flash drive being connected to a computer, which triggers the execution of PlugX (also known as Korplug). PlugX then decrypts and launches a C-based backdoor named SOGU, which proceeds to exfiltrate targeted files, capture keystrokes, and take screenshots.

Components and the execution chain of this campaign

Source: Mandiant

The second cluster, UNC4698, has used the same USB infiltration method to target oil and gas organizations in Asia with the SNOWYDRIVE malware.

“SNOWYDRIVE enables the execution of arbitrary payloads on compromised systems and establishes a backdoor, granting remote command execution capabilities. The malware also spreads to other USB drives, facilitating its propagation throughout the network.”

  • In these attacks, victims are enticed to click on a malicious file disguised as a legitimate executable, triggering a chain of malicious actions. 
  • This includes the deployment of a dropper to establish a foothold, followed by the execution of the SNOWYDRIVE implants.
  • SNOWYDRIVE’s functionalities encompass file and directory searches, file uploading and downloading, and launching a reverse shell.

Concluding thoughts

To mitigate the risks associated with such attacks, the researchers at Mandiant recommend prioritizing restrictions on external device access, particularly USB drives. If this is not feasible, organizations should at least conduct scans for malicious files or code before connecting USB drives to internal networks.
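The mitigation above depends on noticing removable media before anything on it is trusted. As an added example (not code from Mandiant or PureVPN), the following Python correlates device-insertion records with process-creation records and flags any executable launched from a freshly inserted volume on the same host, which is the first step of both infection chains described in this article. The event format, host names, drive letters, file paths, and the ten-minute window are all assumptions constructed for illustration.

```python
"""Flag processes launched from a removable volume shortly after that
volume was inserted on the same host.

Added example for illustration; not Mandiant's or PureVPN's code. The
event format and every sample line below are constructed, not real logs.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    kind: str      # "usb_insert" or "proc_create"
    host: str
    detail: str    # drive letter for usb_insert, image path for proc_create


# Constructed sample telemetry (hypothetical hosts and paths): HOST-A
# connects a USB drive and, 39 seconds later, runs an executable straight
# from it. The launch an hour later falls outside the correlation window.
SAMPLE_LOG = """\
2023-07-18T09:00:01 HOST-A usb_insert E:
2023-07-18T09:00:02 HOST-A proc_create C:\\Windows\\explorer.exe
2023-07-18T09:00:40 HOST-A proc_create E:\\Removable Disk.exe
2023-07-18T09:05:00 HOST-B proc_create C:\\Program Files\\App\\app.exe
2023-07-18T10:00:00 HOST-A proc_create E:\\photos\\viewer.exe
"""


def parse_log(text: str) -> list[Event]:
    """Parse '<iso timestamp> <host> <kind> <detail>' lines; detail may
    contain spaces, so the split is capped at three separators."""
    events: list[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, detail = line.split(" ", 3)
        events.append(Event(datetime.fromisoformat(ts), kind, host, detail))
    return events


def find_usb_launches(events: list[Event],
                      window: timedelta = timedelta(minutes=10)) -> list[tuple[str, str]]:
    """Return (host, image_path) for every process whose image lives on a
    volume that was inserted on that host within `window` beforehand."""
    recent: dict[tuple[str, str], datetime] = {}   # (host, drive) -> insert time
    hits: list[tuple[str, str]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "usb_insert":
            recent[(ev.host, ev.detail.upper())] = ev.ts
        elif ev.kind == "proc_create":
            drive = ev.detail[:2].upper()          # "E:" from "E:\\..."
            inserted = recent.get((ev.host, drive))
            if inserted is not None and ev.ts - inserted <= window:
                hits.append((ev.host, ev.detail))
    return hits


if __name__ == "__main__":
    for host, image in find_usb_launches(parse_log(SAMPLE_LOG)):
        print(f"ALERT {host}: executable launched from removable media: {image}")
```

Keying on the drive letter keeps the example short; production telemetry should key on the volume serial or device instance ID instead, because drive letters are reused across devices, and the alert is only a prompt to scan and quarantine the drive rather than proof of compromise.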

Author: PureVPN

Date: July 18, 2023

PureVPN is a leading VPN service provider that excels in providing easy solutions for online privacy and security. With 6000+ servers in 65+ countries, It helps consumers and businesses in keeping their online identity secured.