Has Cloud killed removable media?

With the increase of USB-delivered malware campaigns it seems old fashions have become popular again. In the age of cloud computing, it felt that cybersecurity threats sourced from removable media were a thing of the past. Ironically, the last three quarters of 2023 have delivered a painful reminder that the reign of USB Malware attacks is here to stay.

Alarming statistics indicate that a significant percentage of malware discovered on USB drives, particularly those used in industrial facilities, possess the capability to target and disrupt critical industrial control systems (ICS). Some reports even mention that a staggering 81% of malware found on USB drives in industrial settings can potentially disrupt ICS operations.

Jacked In

Despite the obvious limitations of USB attacks to physically target victim’s devices, their ability to bypass legacy security tools and infiltrate into air-gapped networks makes them a forceful weapon in the hands of hackers, cybercriminals, and state-sponsored actors. with researchers noting a three-time increase in malware distributed through USB drives in the first half of 2023, as reported by Mandiant. 300% increase in USA cyber attacks in only 6 months is not something an organization can ignore.

In this blog, we’ll delve into the return of the BadUSBs and investigate the most popular removable media attacks for 2023. As we found so many of them, the review will be split into 2 separate blogs. The attacks are listed below in random order.

Raspberry Robin

The “Raspberry Robin” worm, distributed via USB drives using “autorun.inf” files or clickable LNK files, gained notoriety. It was favored by the China-related espionage group Camaro Dragon, using USB drives as a global infection vector.

The infection begins when a user connects an infected USB device and triggers a “junk” file containing an MSIExec command. Obfuscation techniques aim to evade detection. This command downloads a remote file and executes the malware payload using RunOnce.exe. To avoid detection, Raspberry Robin temporarily renames the RunOnce key during write operations.


Snowydrive, attributed to the threat group UNC4698, primarily focused on targeting oil and gas firms operating in Asia.

Snowydrive operates as a covert threat campaign, infecting computers using a shellcode-based backdoor. Once inside, it can execute arbitrary payloads through the Windows command prompt, modify the Windows registry, and perform various file and directory actions.

The backdoor deployed by Snowydrive is versatile and supports a wide array of commands. These commands enable the malware to conduct file operations, exfiltrate data, establish reverse shells for remote access, execute commands, and gather reconnaissance on the infected system.

The UNC4698 cyber-campaign was notably involved in a China-nexus campaign in November that exploited USB devices to target entities in the Philippines. This operation involved the use of four distinct malware families, highlighting the threat group’s dedication to its objectives in the region.


USB-borne malware has emerged as a multi-phased weapon in cyber campaigns targeting industrial facilities. Its adaptability and ability to exploit the vulnerabilities posed by USB removable media make it a significant concern for the manufacturing and industrial sectors.

Recent findings highlight the escalating threat posed by USB-borne malware. The threats attempting to infiltrate industrial and operational technology (OT) environments have not only grown in number but also sophistication and potential risk to operations. USB-borne malware has become a pivotal component in larger cyberattack campaigns aimed at industrial targets.


Pteranodon (AKA Pterodo) is a customized remote access trojan PowerShell script spreading via USB devices. Pterodo copies itself to the infected machine, then enumerates all drives, and copies itself to removable ones.

According to a Symantec report, Russia-linked hacking group “Shuckworm”  (aka “Gamaredon” or “Armageddon”) used USB drives infected with Pterodo to reach air-gapped machines within targeted compromised Ukrainian military networks and associated personnel.

The attack is executing from a file (base64 encoded script named “foto.safe”) that had been dropped by the infected USB

In many cases, the actors are physically leaving USB drives around to be taken by the victims. In fact, removable media with the “foto.safe” payloads were still detected during the second half of 2023.

Wish to learn how to protect your organization from BadUSB, check out our Kiosk solution.

Side B