Malware for air-gapped systems.
Three security firms have published reports on malware designed to exploit air-gapped computers. ESET researchers uncovered malware they call "Ramsay" that shares artifacts with a backdoor used by the DarkHotel APT, although ESET doesn't attribute Ramsay to any group. Ramsay is "tailored for collection and exfiltration of sensitive documents" within air-gapped networks, and it's delivered to those networks via removable media.
Trend Micro describes USBferry, a newly discovered malware strain used by the Tropic Trooper APT. The malware was deployed in a recent campaign targeting the "Taiwanese and the Philippine military’s physically isolated environment." Tropic Trooper has apparently been using USBferry since at least December 2014. This malware spreads to air-gapped systems via infected USB drives. The researchers explain that "Tropic Trooper is aware that main military or government agencies may have protection strategies in place in physically isolated environments, such as the use of biometrics, secure USB for data transfers, or plugging the USB device into a quarantined machine before using it in a physically isolated environment. Therefore, Tropic Trooper chooses to target related organizations and use them as initial footholds. In this case, we observed how Tropic Trooper actors successfully moved from a military hospital to the military’s physically isolated network."
Kaspersky has been tracking a Trojan that uses the same codebase as COMPfun and can spread from one computer to another by infecting USB drives. The Trojan is being used in a campaign targeting European diplomatic entities. The malware's dropper is a spoofed visa application, but the researchers aren't sure how the dropper is delivered. Based on the campaign's victims, Kaspersky attributes the malware to the Russian state-sponsored actor Turla with a "medium-to-low level of confidence."