USBcat - Towards an Intrusion Surveillance Toolset
Chris Chapman (Royal Military College of Canada, Electrical and Computer Engineering Department, Kingston, Canada), Scott Knight (Royal Military College of Canada, Electrical and Computer Engineering Department, Kingston, Canada), Tom Dean (Queen's University, Electrical

TL;DR
This paper presents USBcat, a covert intrusion surveillance framework utilizing USB channels to monitor and investigate cyber-attacks stealthily, enabling detailed attacker analysis and counter-intelligence operations.
Contribution
It introduces an extensible framework for covert malware investigation and a novel USB-based covert channel for remote control, enhancing current cybersecurity investigation tools.
Findings
Successfully designed and implemented the USBcat toolset.
Validated the framework through testing and demonstration.
Enabled covert, remote malware investigation capabilities.
Abstract
This paper identifies an intrusion surveillance framework which provides an analyst with the ability to investigate and monitor cyber-attacks in a covert manner. Where cyber-attacks are perpetrated for the purposes of espionage, the ability to understand an adversary's techniques and objectives is an important element in network and computer security. With the appropriate toolset, security investigators would be permitted to perform both live and stealthy counter-intelligence operations by observing the behaviour and communications of the intruder. Subsequently, a more complete picture of the attacker's identity, objectives, capabilities, and infiltration could be formulated than is possible with present technologies. This research focused on developing an extensible framework to permit the covert investigation of malware. Additionally, a Universal Serial Bus (USB) Mass Storage Device…
