USBWorm

USBWorm is a malware component used by Transparent Tribe (also known as PROJECTM / MYTHIC LEOPARD). Public reporting cited in the content states it began being used at the beginning of 2019 as part of the Crimson malware ecosystem. It is more than a simple USB infector: it can infect removable media, steal files of interest from removable drives, and download and execute the Crimson Thin Client from a remote Crimson server to bootstrap new infections. The broader campaign context describes initial compromise via spear-phishing emails carrying malicious Microsoft Office documents with VBA macros that drop an encoded ZIP under %ALLUSERPROFILE% and extract the Crimson Thin Client. USBWorm establishes persistence by copying itself to a configured directory and creating a Run key at HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. It infects removable media by hiding legitimate directories and placing copies of itself using the same directory names with hidden attributes and a folder-like icon to trick users into execution. Reported theft targets on removable media include files with extensions .pdf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pps, .ppsx, and .txt. A USBWorm-related path observed in the content is C:\ProgramData\Dacr\macrse.exe, used for saving a payload received from C2 when invoking the usbwrm command. The associated activity is linked to espionage operations primarily targeting Indian military and government personnel, with increased focus on Afghanistan; Kaspersky telemetry cited in the content reported more than 1,000 distinct victims across 27 countries from June 2019 to June 2020, with most detections related to USBWorm.