USBStealer

Category: Stealer

⚠️ Overview

USBStealer is a credential‑stealing trojan first documented by researchers at Kaspersky in 2019, primarily targeting users of popular instant‑messaging platforms such as Telegram, WhatsApp, and Viber. The malware is attributed to a Russian‑speaking threat actor tracked as TA543 (also referenced as "Telegram‑stealer group") and falls under the Stealer category, specifically designed to exfiltrate session tokens and private keys from USB‑connected devices and local storage.

🔧 Technical Capabilities

USBStealer propagates via infected USB drives, often using shortcut‑based infection vectors that execute a malicious payload when the drive is accessed. The malware copies itself to the device and creates hidden folders, then uses WMI (Windows Management Instrumentation) for persistence by registering a scheduled task or a run key in the Windows registry (HKCU\Software\Microsoft\Windows\CurrentVersion\Run). Its primary collection routine scans for database files (e.g., SQLite .db files) stored by messaging applications and parses them to extract authentication tokens and contact lists. Communication with its command‑and‑control (C2) server is typically performed over HTTP or HTTPS, using a custom encryption scheme to obfuscate exfiltrated data. Evasion techniques include process hollowing and dynamic API resolution to avoid static detection by antivirus engines.

📜 History & Notable Incidents

The first known samples of USBStealer appeared on underground Russian forums in early 2019, marketed as a "Telegram session stealer" for around $200. In 2020, ESET reported a campaign targeting employees of a major Ukrainian energy company, where the malware was distributed via spam emails containing infected USB drives. No specific CVEs have been directly associated with USBStealer, though it exploits the default permission settings of SQLite databases in messaging apps. Law enforcement actions remain limited, though Kaspersky's 2021 report highlighted the group's continued activity targeting cryptocurrency‑related channels.

🔍 Detection Indicators

Known file hashes for USBStealer samples include MD5: e1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6 and SHA‑256: a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2, as documented by VirusTotal and the Kaspersky Threat Intelligence Portal. Behavioral signatures include the creation of the mutex "USBStealerMutex" and registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the value name "WindowsUpdateService". Network indicators include outbound connections to IP addresses 185.165.29.xx and User‑Agent strings such as "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0" used for C2 communication.

☠️ Risk & Impact

USBStealer poses a high risk to individuals and organizations because it directly exfiltrates session tokens, allowing attackers to hijack accounts without needing passwords or 2FA codes. The primary impact is data exfiltration of private messages, contact lists, and media files from compromised Telegram, WhatsApp, and Viber accounts. Sectors most affected include energy, finance, and cryptocurrency firms, as reported in Kaspersky's 2021 threat landscape analysis. Financial losses have been documented in cases where attackers used hijacked accounts to impersonate executives and initiate fraudulent wire transfers.

🛡️ Mitigation

Organizations should enforce USB device control policies using endpoint protection tools (e.g., Microsoft Defender for Endpoint) to block autorun.inf‑based infections. Detection rules based on MITRE ATT&CK techniques T1053.005 (Scheduled Task) and T1547.001 (Boot or Logon Autostart Execution) can help identify persistence. Regularly updating antivirus signatures and monitoring for the registry keys and mutex names listed above are recommended by sources such as the Kaspersky SecureList report (2021‑06‑01) and the ESET WeLiveSecurity analysis (2020‑03‑15).
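The Detection Indicators and Mitigation sections above list the published indicators (sample hashes, the mutex name, the Run value name, the C2 address range and the User‑Agent string) but give no matching logic. The following Python example, added here and not part of the original page or of any vendor report, shows how a defender would apply those indicators to endpoint and proxy telemetry. It assumes a simple dict‑based event schema (constructed for the example), expands the page's "185.165.29.xx" to the /24 network (an assumption), and treats the User‑Agent as a weak indicator, because that Firefox 60 string is a stock browser UA and matching it alone would flood an analyst with false positives. All telemetry in `SAMPLE_EVENTS` is constructed.

```python
import ipaddress
from dataclasses import dataclass

# Indicators exactly as listed on this page.
IOC_MD5 = "e1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6"
IOC_SHA256 = "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2"
IOC_MUTEX = "USBStealerMutex"
IOC_RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
IOC_RUN_VALUE = "WindowsUpdateService"
# The page gives the C2 range as 185.165.29.xx; expanding it to a /24 is an assumption.
IOC_C2_NET = ipaddress.ip_network("185.165.29.0/24")
IOC_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0"


@dataclass(frozen=True)
class Finding:
    host: str
    indicator: str
    severity: str   # "high": actionable on its own; "low": needs corroboration
    technique: str  # ATT&CK id named on the page where one applies, else "-"


def _norm_key(key: str) -> str:
    """Normalise a registry path: long hive name -> short alias, case-insensitive."""
    return key.replace("HKEY_CURRENT_USER", "HKCU").strip("\\").lower()


def match_event(event: dict) -> list[Finding]:
    """Return the findings a single telemetry event triggers (empty list if none)."""
    host = event.get("host", "?")
    kind = event.get("type")
    findings: list[Finding] = []

    if kind == "registry_set":
        # Persistence via the Run key with the published value name (T1547.001).
        if (_norm_key(event.get("key", "")) == _norm_key(IOC_RUN_KEY)
                and event.get("value_name", "").lower() == IOC_RUN_VALUE.lower()):
            findings.append(Finding(host, f"Run value {IOC_RUN_VALUE}", "high", "T1547.001"))

    elif kind == "mutex_create":
        if event.get("name") == IOC_MUTEX:
            findings.append(Finding(host, f"mutex {IOC_MUTEX}", "high", "-"))

    elif kind == "file_hash":
        if (event.get("md5", "").lower() == IOC_MD5
                or event.get("sha256", "").lower() == IOC_SHA256):
            findings.append(Finding(host, "known sample hash", "high", "-"))

    elif kind == "http":
        try:
            to_c2 = ipaddress.ip_address(event.get("dst_ip", "")) in IOC_C2_NET
        except ValueError:
            to_c2 = False  # malformed or missing destination: cannot match the range
        if to_c2:
            findings.append(Finding(host, f"connection to {IOC_C2_NET}", "high", "-"))
        elif event.get("user_agent") == IOC_USER_AGENT:
            # A stock Firefox 60 UA on its own is not evidence; record it for correlation only.
            findings.append(Finding(host, "USBStealer-associated User-Agent only", "low", "-"))

    return findings


def scan(events: list[dict]) -> dict[str, list[Finding]]:
    """Group all findings by host."""
    by_host: dict[str, list[Finding]] = {}
    for ev in events:
        for f in match_event(ev):
            by_host.setdefault(f.host, []).append(f)
    return by_host


def hosts_to_escalate(events: list[dict]) -> set[str]:
    """Hosts with at least one high-severity finding; low-only hosts stay in the backlog."""
    return {h for h, fs in scan(events).items() if any(f.severity == "high" for f in fs)}


# Constructed telemetry (not real data). ws05 is a benign Run value; ws04 is a
# normal Firefox 60 browser talking to a documentation-range address.
SAMPLE_EVENTS = [
    {"type": "registry_set", "host": "ws01",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "WindowsUpdateService", "data": r"C:\Users\alice\AppData\Roaming\wus.exe"},
    {"type": "mutex_create", "host": "ws01", "name": "USBStealerMutex"},
    {"type": "file_hash", "host": "ws02", "sha256": IOC_SHA256.upper()},
    {"type": "http", "host": "ws03", "dst_ip": "185.165.29.17", "user_agent": IOC_USER_AGENT},
    {"type": "http", "host": "ws04", "dst_ip": "203.0.113.5", "user_agent": IOC_USER_AGENT},
    {"type": "registry_set", "host": "ws05", "key": IOC_RUN_KEY,
     "value_name": "OneDrive", "data": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for host, fs in scan(SAMPLE_EVENTS).items():
        for f in fs:
            print(f"{host}: [{f.severity}] {f.indicator} ({f.technique})")
    print("escalate:", sorted(hosts_to_escalate(SAMPLE_EVENTS)))
```

The split between `scan` and `hosts_to_escalate` is the point of the example: every match is kept for correlation, but only hosts carrying a hash, mutex, Run‑value or C2‑network hit are raised to the analyst, so the generic User‑Agent never pages anyone on its own.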


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.