USBWorm
USBWorm is a malware component used by Transparent Tribe (also known as PROJECTM / MYTHIC LEOPARD). Public reporting cited below states that it came into use at the beginning of 2019 as part of the Crimson malware ecosystem. It is more than a simple USB infector: it infects removable media, steals files of interest from removable drives, and downloads and executes the Crimson Thin Client from a remote Crimson server to bootstrap new infections.

In the broader campaign, initial compromise comes via spear-phishing emails carrying malicious Microsoft Office documents with VBA macros. The macro drops an encoded ZIP under %ALLUSERSPROFILE% (C:\ProgramData on a default installation) and extracts the Crimson Thin Client from it.

USBWorm establishes persistence by copying itself to a configured directory and creating a Run key under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Because the key is in the user hive, writing it requires no administrative rights, and the copy runs at that user's next logon.

It infects removable media by setting the hidden attribute on the legitimate directories on the drive and placing copies of itself beside them, each named after a hidden directory and carrying a folder-like icon, so that a user who double-clicks what looks like their folder launches the worm instead. Reported theft targets on removable media are files with the extensions .pdf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pps, .ppsx and .txt.

A USBWorm-related path observed in the cited reporting is C:\ProgramData\Dacr\macrse.exe, used to save the payload received from C2 when the usbwrm command is invoked.

The activity is linked to espionage operations primarily targeting Indian military and government personnel, with increased focus on Afghanistan. Kaspersky telemetry cited in the reporting recorded more than 1,000 distinct victims across 27 countries from June 2019 to June 2020, with most detections related to USBWorm.
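The tradecraft above translates directly into a triage routine a responder can run on a suspect host and the removable drives plugged into it. The script below is an added example, not Kaspersky's code and not from the original page. It assumes the lure copy is named after the hidden directory with an .exe extension (the page describes the trick but does not confirm an exact naming rule), it filters HKCU Run entries on a ProgramData path as a heuristic derived from the observed macrse.exe location, and the extension list is the one reported for theft targets.

```powershell
# Added triage script for the USBWorm behaviour described above.
# Not Kaspersky's code and not from the original page. Built-in cmdlets only.
# Assumption: the lure copy is "<hidden folder name>.exe" beside the hidden folder.

$DocExtensions = @('.pdf', '.doc', '.docx', '.xls', '.xlsx',
                   '.ppt', '.pptx', '.pps', '.ppsx', '.txt')   # reported theft targets

function Get-RemovableRoots {
    # DriveType 2 = removable disk in Win32_LogicalDisk; DeviceID is e.g. "E:"
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
        ForEach-Object { $_.DeviceID + '\' }
}

function Test-Hidden([System.IO.FileSystemInfo]$Item) {
    ($Item.Attributes -band [System.IO.FileAttributes]::Hidden) -ne 0
}

function Get-UsbWormLures {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        # -Force is required, otherwise hidden directories are filtered out
        $dirs = Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue
        foreach ($dir in $dirs) {
            $exePath = Join-Path -Path $root -ChildPath ($dir.Name + '.exe')
            if (-not (Test-Path -LiteralPath $exePath -PathType Leaf)) { continue }
            $exe = Get-Item -LiteralPath $exePath -Force
            [pscustomobject]@{
                Root       = $root
                Directory  = $dir.Name
                DirHidden  = Test-Hidden $dir    # True when the real folder was hidden
                Executable = $exe.FullName
                ExeHidden  = Test-Hidden $exe    # the lure has to stay visible to be clicked
                SizeBytes  = $exe.Length
                SHA256     = (Get-FileHash -LiteralPath $exe.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

function Get-ExposedDocuments {
    # Files on the drive matching the reported theft-target extensions:
    # scopes what the worm could have collected from this medium.
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $DocExtensions -contains $_.Extension.ToLower() } |
            Select-Object FullName, Length, LastWriteTime
    }
}

function Get-SuspiciousRunEntries {
    # Heuristic: HKCU Run values pointing under ProgramData (%ALLUSERSPROFILE%), where the
    # reported macrse.exe path lives. Legitimate software does this too; review each hit.
    $key  = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { return }
    foreach ($p in $props.PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }   # provider metadata, not Run values
        $cmd = [string]$p.Value
        if ($cmd -match '(?i)(\\ProgramData\\|%ALLUSERSPROFILE%)') {
            [pscustomobject]@{ Name = $p.Name; Command = $cmd }
        }
    }
}

$roots = @(Get-RemovableRoots)
Get-UsbWormLures       -Roots $roots | Format-Table -AutoSize
Get-ExposedDocuments   -Roots $roots | Format-Table -AutoSize
Get-SuspiciousRunEntries            | Format-Table -AutoSize
```

Run it in the session of the user whose hive you want inspected, since the Run key is per-user; a hidden directory paired with a visible same-named executable is the combination to treat as a lure, and the hash of any such file is the pivot to the Crimson Thin Client infrastructure.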
Groups observed using it
2 distinct threat actors attributed by public researchers.
“TransparentTribe started using a new module named USBWorm at the beginning of 2019…”
“The USBWorm component is real… USBWorm is much more than a USB infector. In fact, it can be used… [to] download and execute the Crimson ‘Thin Client’, infect removable devices… [and] steal files of interest from removable devices.”
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic. The per-tactic counts below sum to seven because a technique can map to more than one tactic; ATT&CK lists Registry Run key autostart under both Persistence and Privilege Escalation.
Initial Access: 2 techniques
Persistence: 1 technique
Privilege Escalation: 1 technique
Stealth (Defense Evasion in ATT&CK terms): 1 technique
Lateral Movement: 1 technique
Collection: 1 technique
Recent activity
2 sources tracked across advisories, community write-ups, and news.
A removable-media worm used to propagate via USB drives by hiding real directories and replacing them with malware copies using folder-like icons to trick execution. It steals documents from removable media (e.g., .pdf/.doc/.xls/.ppt/.txt), maintains a local list of stolen filenames, and can bootstrap new infections by contacting a Crimson Server to download/execute the Crimson Thin Client when run on an uninfected host. Persists via HKCU Run key.
Module used to download/execute files, spread via removable devices, and steal files of interest (including from hosts disconnected from the internet).