
An airgapped machine is a computer that has no network connection at all, wired or wireless, to any other system. Such machines are usually also physically protected, sitting in datacenters and server rooms with carefully monitored access. To get new data onto an airgapped machine, an attacker typically has to breach the facility physically, or get someone who legitimately works there to carry the data in, on removable media such as an optical disc, a USB drive or an external hard disk. Airgapping is inconvenient, so computers are usually only airgapped if they handle very, very sensitive data. That makes them especially attractive targets. If an airgapped machine were a purse, it would be a Hermès white Himalaya crocodile diamond Birkin bag, whereas a typical client machine would be one of my beloved Tokidoki bags. (I much prefer my Tokidoki bags, by the way.)

Palo Alto Networks Unit 42 discovered signs of a new attack against airgapped machines. Tick is a cyberespionage group that has targeted organizations in South Korea and Japan. A South Korean defense contractor makes USB drives to the very niche IT Security Certification Center guidelines for Korean public-sector and private-sector enterprise customers. Unit 42 found that at least one of these USB drives carries very carefully crafted malware, although the researchers have not physically possessed any of the compromised drives. It should be hard for an outside party to get malware onto one of these devices in the first place. Unit 42 calls the malware SymonLoader, and it runs only on Windows XP and Windows Server 2003; on anything newer it simply does nothing.

So Tick has been trying to attack airgapped machines that run versions of Windows which have been out of support for years. Do many of these airgapped machines run legacy operating systems? It's highly probable that Tick carefully fingerprinted its targets before it started developing SymonLoader.

Here’s the attack scenario that Unit 42 hypothesizes. Tick somehow acquired and compromised some of these heavily secured USB drives, placing SymonLoader on whichever ones it could get access to. Once a compromised drive is mounted on a targeted Windows XP or Windows Server 2003 machine, SymonLoader checks the OS version and continues only on those two operating systems. While it is resident in memory, whenever another of these secured USB drives appears in the file system, it tries to load a hidden malicious file from it using ordinary file-system APIs. It’s the cycle of very specifically designed malware for very specific targets! It’s custom-tailored haute couture Windows malware! It’s too exclusive for little people like me! (I use currently supported Linux Mint anyway.) Because Unit 42 doesn’t have any of the compromised drives in their possession, they can only speculate about how the drives were infected and how they’re delivered to their targets.

Tick has been known to turn legitimate applications into Trojans. Here’s what Unit 42 wrote about HomamDownloader last summer:

“HomamDownloader is a small downloader program with minimal interesting characteristics from a technical point of view. HomamDownloader was discovered to be delivered by Tick via a spearphishing email. The adversary crafted a credible email and attachment after understanding the targets and their behavior…

In addition to the social engineering email technique, the attacker also employs a trick on the attachment. The actor embedded malicious code into a resource section of the legitimate SFX file created by a file encryption tool, and modified the entry point of the program to jump to the malicious code soon after the SFX program starts. The malicious code drops HomamDownloader, then jumps back to the regular flow in the CODE section, which in turn asks the user for the password and decrypts the file. Therefore, once a user executes the attachment and sees the password dialog on SFX, the downloader dropped by the malicious code starts working even if the user chooses Cancel on the password window.”
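The SFX trick in that quote, a payload parked in a resource section with the entry point redirected to it, leaves a cheap hunting signal: the PE header's AddressOfEntryPoint no longer falls inside a section marked as code or executable. The script below is an added example, not Unit 42's or Tick's code, that parses the PE headers and reports where the entry point lands. The two PE images it checks are built in memory with a hypothetical section layout rather than taken from any real sample. Caveat: a variant that patches a jump into the original entry point inside the code section passes this check, so a clean verdict means the absence of this one signal, not the absence of tampering.

```python
"""Flag PE files whose entry point lies outside every code/executable section.

Added example, not Unit 42's or Tick's code. The PE images are constructed in
memory and the section layout is hypothetical.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000


def parse_pe(data: bytes):
    """Return (AddressOfEntryPoint, [(name, VirtualAddress, VirtualSize, Characteristics)])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    # AddressOfEntryPoint is at offset 16 of the optional header in both PE32 and PE32+.
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    off = opt + size_of_opt
    for _ in range(num_sections):
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va = struct.unpack_from("<II", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, va, vsize, chars))
        off += 40
    return entry, sections


def entry_point_verdict(data: bytes):
    """Return (suspicious, section_name): suspicious is True when the entry point is
    in a section without code/execute characteristics, or in no section at all."""
    entry, sections = parse_pe(data)
    for name, va, vsize, chars in sections:
        if va <= entry < va + vsize:
            is_code = bool(chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE))
            return (not is_code), name
    return True, None


def build_pe(entry_rva: int, sections) -> bytes:
    """Build a minimal PE32 image (headers only, no real code) for the demonstration."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew
    opt_size = 96                                     # PE32 optional header, no data directories
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)        # AddressOfEntryPoint
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, vsize, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, chars in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


# Hypothetical layout: code at RVA 0x1000, resources at RVA 0x2000.
LAYOUT = [
    (".text", 0x1000, 0x800, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".rsrc", 0x2000, 0x400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
]
CLEAN_PE = build_pe(0x1040, LAYOUT)       # entry point inside .text
TROJANIZED_PE = build_pe(0x2100, LAYOUT)  # entry point redirected into .rsrc

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("trojanized", TROJANIZED_PE)):
        suspicious, section = entry_point_verdict(image)
        print(f"{label}: entry point in {section!r}, suspicious={suspicious}")
```

To run it over a real attachment, pass the file's bytes to entry_point_verdict; the parser reads SizeOfOptionalHeader from the COFF header, so it handles PE32+ images as well as PE32.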

Now back to SymonLoader. Once a USB drive carrying SymonLoader is mounted on one of Tick’s targets, the loader is disguised as a Trojanized version of some software the user would want to install in their environment, so that the user runs it themselves. Once executed, SymonLoader watches for other secured USB drives as they are mounted into the file system.

SymonLoader extracts a hidden executable from such a secured USB drive and then runs it. Unit 42 researchers have not had a copy of that file to examine for themselves. But they’re fairly confident that Tick is behind this attack, because they found shellcode that resembles shellcode the group has used before.

SymonLoader checks the machine’s Windows version and, if it’s newer than Windows XP or Windows Server 2003, stops doing anything else. Windows Vista is its kryptonite, I guess. If the OS is Windows XP or Windows Server 2003, it creates a hidden window that continuously watches for drives being mounted into the file system. For each newly mounted drive, SymonLoader sends a SCSI INQUIRY command and compares the vendor and product identifiers in the response with those of the specific secured device model it’s looking for. If they match, SymonLoader extracts an unknown file from the USB drive.
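The two gates described above, the OS version check and the SCSI INQUIRY device match, are easy to model. The following is an added example and not SymonLoader's code: it parses the standard 36-byte INQUIRY data block (vendor ID in bytes 8 to 15, product ID in bytes 16 to 31, revision in bytes 32 to 35, all ASCII and space padded) and applies both checks. The vendor and product strings and the two sample responses are constructed for the demonstration; the real drive's identifiers are not public. The Windows version numbers are an assumption drawn from the post's description (XP reports 5.1, Server 2003 reports 5.2).

```python
"""Model SymonLoader's gates: Windows version, then SCSI INQUIRY device match.

Added example, not SymonLoader's code. The INQUIRY layout is the standard
36-byte data block; the vendor/product strings and sample responses are
constructed here, and the targeted drive's real identifiers are not public.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class InquiryData:
    device_type: int   # peripheral device type, 0x00 = direct-access block device
    removable: bool    # RMB bit (byte 1, bit 7)
    vendor: str        # T10 vendor identification, bytes 8-15
    product: str       # product identification, bytes 16-31
    revision: str      # product revision level, bytes 32-35


def _text(field: bytes) -> str:
    return field.decode("ascii", "replace").strip()


def parse_inquiry(resp: bytes) -> InquiryData:
    """Parse standard INQUIRY data as returned by a USB mass-storage device."""
    if len(resp) < 36:
        raise ValueError("standard INQUIRY data is at least 36 bytes")
    return InquiryData(
        device_type=resp[0] & 0x1F,
        removable=bool(resp[1] & 0x80),
        vendor=_text(resp[8:16]),
        product=_text(resp[16:32]),
        revision=_text(resp[32:36]),
    )


def build_inquiry(vendor: str, product: str, revision: str, removable: bool = True) -> bytes:
    """Construct a 36-byte INQUIRY response (sample data for the demonstration)."""
    resp = bytearray(36)
    resp[0] = 0x00                       # direct-access block device
    resp[1] = 0x80 if removable else 0x00
    resp[2] = 0x04                       # SPC-2
    resp[3] = 0x02                       # response data format 2
    resp[4] = 31                         # additional length (36 - 5)
    resp[8:16] = vendor.encode("ascii").ljust(8)[:8]
    resp[16:32] = product.encode("ascii").ljust(16)[:16]
    resp[32:36] = revision.encode("ascii").ljust(4)[:4]
    return bytes(resp)


# Hypothetical identifiers standing in for the targeted secure drive model.
TARGET_MODEL = ("SECUVND", "SECUREUSB 2.0")


def is_target_drive(resp: bytes, target=TARGET_MODEL) -> bool:
    """Device gate: removable medium whose vendor/product match the target exactly."""
    info = parse_inquiry(resp)
    return info.removable and (info.vendor, info.product) == target


def os_is_supported(major: int, minor: int) -> bool:
    """Version gate as the post describes it: XP (5.1) and Server 2003 (5.2) only."""
    return (major, minor) in {(5, 1), (5, 2)}


def would_load(major: int, minor: int, resp: bytes) -> bool:
    """True only when both gates pass, i.e. when the loader would go on to extract the file."""
    return os_is_supported(major, minor) and is_target_drive(resp)


# Constructed sample responses: the targeted model and an ordinary flash drive.
SAMPLE_TARGET = build_inquiry("SECUVND", "SECUREUSB 2.0", "1.00")
SAMPLE_OTHER = build_inquiry("GENERIC", "FLASH DISK", "8.07")

if __name__ == "__main__":
    for label, resp in (("target", SAMPLE_TARGET), ("other", SAMPLE_OTHER)):
        info = parse_inquiry(resp)
        print(f"{label}: {info.vendor!r} {info.product!r} rev {info.revision!r} "
              f"-> XP loads: {would_load(5, 1, resp)}, Vista loads: {would_load(6, 0, resp)}")
```

On Windows a user-mode program obtains the INQUIRY data by calling DeviceIoControl with IOCTL_SCSI_PASS_THROUGH on a handle to the drive; this example stops at the parsing and matching. The same parse works for defenders: logging the vendor and product strings of every drive that appears on an airgapped host gives an inventory, and the certified model showing up on a machine it has no business being on is exactly the event worth alerting on.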

Not a lot else is known about how SymonLoader behaves or why, but Unit 42 wrote this:

“While we do not have a copy of the file hidden on the secure USB, we have more than enough information to determine it is more than likely malicious. Weaponizing a secure USB drive is an uncommon technique and likely done in an effort to compromise airgapped systems, which are systems that do not connect to the public internet. Some industries or organizations are known for introducing air gapping for security reasons. In addition, outdated operating system versions are often used in those environments because there are no easy update solutions without internet connectivity. When users are not able to connect to external servers, they tend to rely on physical storage devices, particularly USB drives, for data exchange. The SymonLoader and secure USB drive discussed in this blog may fit this circumstance.”

That’s some MacGyver-level malware development and distribution. It would be fascinating and illuminating to know who Tick’s specific targets are, because it’s clear that they really, really want something from them.