Last week ESET published a blog post about a new advanced Trojan, capable of accessing sensitive information on air gapped machines. This rare capability enables it to target sensitive networks that have no physical link to the internet. Those networks often contain the most sensitive information in the organization and considered by many attackers as the holy grail of cyber espionage campaigns.

This threat, dubbed USB Thief, utilizes a unique method to infect its victims – spreading through portable apps and disguising itself as one of the app’s DLLs. The “USB Thief” deploys in four different stages, each designed to prevent the malware from executing in hostile environments:


The third stage of the malware terminates itself in the presence of either G Data or Kaspersky endpoint security products. The authors of the malware were probably aware that these vendors successfully detect the fourth stage payload and chose to “”give up”” on machines running them, as an attempt to remain as stealthy as possible.

Minerva Anti-Evasion Platform, simulates multiple endpoint security products all across the protected enterprise’s endpoints.

As a result, the USB Thief and other evasive threats are prevented in Minerva-protected workstations. Minerva’s platform is also capable of alerting the enterprise SOC when a malicious program tries to evade detection, allowing for quick and risk-free reaction.