T1091 Replication Through Removable Media
Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media’s firmware itself.
Item | Value |
---|---|
ID | T1091 |
Sub-techniques | |
Tactics | TA0008, TA0001 |
Platforms | Windows |
Permissions required | User |
Version | 1.1 |
Created | 31 May 2017 |
Last Modified | 20 July 2021 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0092 | Agent.btz | Agent.btz drops itself onto removable media devices and creates an autorun.inf file with an instruction to run that file. When the device is inserted into another system, it opens autorun.inf and loads the malware. [13] |
G0007 | APT28 | APT28 uses a tool to infect connected USB devices and transmit itself to air-gapped computers when the infected USB device is inserted. [6] |
S0023 | CHOPSTICK | Part of APT28's operation involved using CHOPSTICK modules to copy itself to air-gapped machines and using files written to USB sticks to transfer data and command traffic. [5][6][7] |
S0608 | Conficker | Conficker variants used the Windows AUTORUN feature to spread through USB propagation. [17][18] |
S0115 | Crimson | Crimson can spread across systems by infecting removable media. [9] |
G0012 | Darkhotel | Darkhotel's selective infector modifies executables stored on removable media as a method of spreading across computers. [25] |
S0062 | DustySky | DustySky searches for removable media and duplicates itself onto it. [24] |
G0046 | FIN7 | FIN7 actors have mailed USB drives to potential victims containing malware that downloads and installs various backdoors, including in some cases for ransomware operations. [27] |
S0143 | Flame | Flame contains modules to infect USB sticks and spread laterally to other Windows systems the stick is plugged into using Autorun functionality. [23] |
S0132 | H1N1 | H1N1 has functionality to copy itself to removable media. [16] |
G0129 | Mustang Panda | Mustang Panda has used a customized PlugX variant which could spread through USB connections. [26] |
S0385 | njRAT | njRAT can be configured to spread via removable drives. [21][22] |
S0650 | QakBot | QakBot has the ability to use removable drives to spread through compromised networks. [8] |
S0458 | Ramsay | Ramsay can spread itself by infecting other portable executable files on removable drives. [10] |
S0028 | SHIPSHAPE | APT30 may have used the SHIPSHAPE malware to move onto air-gapped networks. SHIPSHAPE targets removable drives to spread to other systems by modifying the drive to use Autorun to execute or by hiding legitimate document files and copying an executable to the folder with the same name as the legitimate document. [12] |
S0603 | Stuxnet | Stuxnet can propagate via removable media using an autorun.inf file or the CVE-2010-2568 LNK vulnerability. [4] |
G0081 | Tropic Trooper | Tropic Trooper has attempted to transfer USBferry from an infected USB device by copying an Autorun function to the target machine. [11] |
S0130 | Unknown Logger | Unknown Logger is capable of spreading to USB devices. [14] |
S0386 | Ursnif | Ursnif has copied itself to and infected removable drives for propagation. [19][20] |
S0452 | USBferry | USBferry can copy its installer to attached USB storage devices. [11] |
S0136 | USBStealer | USBStealer drops itself onto removable media and relies on Autorun to execute the malicious file when a user opens the removable media on another system. [15] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1040 | Behavior Prevention on Endpoint | On Windows 10, enable Attack Surface Reduction (ASR) rules to block unsigned/untrusted executable files (such as .exe, .dll, or .scr) from running from USB removable drives. [3] |
M1042 | Disable or Remove Feature or Program | Disable Autorun if it is unnecessary. [1] Disallow or restrict removable media at an organizational policy level if it is not required for business operations. [2] |
M1034 | Limit Hardware Installation | Limit the use of USB devices and removable media within a network. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0016 | Drive | Drive Creation |
DS0022 | File | File Access |
DS0009 | Process | Process Creation |
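The three data components above only become a detection when they are correlated: an executable launched from a drive that was just mounted over USB, especially after autorun.inf on that drive was read or when the image is unsigned, is the pattern the procedure examples describe. The following is an added illustration, not part of the ATT&CK page: it runs that correlation over constructed sample events whose field names (ts, type, drive, bus, path, image, signed) are assumptions modelled loosely on Windows/Sysmon telemetry, and the ten-minute window is an assumed tuning value.

```python
"""Correlate Drive Creation, File Access and Process Creation events to flag
executables that run from a freshly mounted removable drive (T1091)."""
from datetime import datetime, timedelta
from typing import Iterable

WINDOW = timedelta(minutes=10)  # assumption: launch shortly after mount is the suspicious case

# Constructed sample events (not real telemetry); field names are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2022-01-07T09:00:00", "type": "drive_creation", "drive": "E:", "bus": "USB"},
    {"ts": "2022-01-07T09:00:02", "type": "file_access", "path": r"E:\autorun.inf", "process": "explorer.exe"},
    {"ts": "2022-01-07T09:00:03", "type": "process_creation", "image": r"E:\Report.pdf.exe", "parent": "explorer.exe", "signed": False},
    {"ts": "2022-01-07T09:01:00", "type": "process_creation", "image": r"C:\Windows\notepad.exe", "parent": "explorer.exe", "signed": True},
    {"ts": "2022-01-07T09:30:00", "type": "drive_creation", "drive": "F:", "bus": "SATA"},
    {"ts": "2022-01-07T09:30:05", "type": "process_creation", "image": r"F:\tools\backup.exe", "parent": "cmd.exe", "signed": True},
    {"ts": "2022-01-07T11:00:00", "type": "process_creation", "image": r"e:\update.exe", "parent": "explorer.exe", "signed": True},
]


def _drive_of(path: str) -> str:
    """Return the normalised drive letter ('E:') of a Windows path."""
    return path[:2].upper()


def detect_removable_execution(events: Iterable[dict], window: timedelta = WINDOW) -> list:
    """Return one alert per process started from a USB drive within `window` of its mount."""
    mounted = {}          # drive letter -> mount time of the latest removable mount
    autorun_seen = set()  # drives whose autorun.inf was read since the last mount
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "drive_creation":
            drive = ev["drive"].upper()
            autorun_seen.discard(drive)          # letter may be reused by a new device
            if ev["bus"] == "USB":               # assumption: USB bus marks removable media
                mounted[drive] = ts
            else:
                mounted.pop(drive, None)         # fixed disk took over this letter
        elif ev["type"] == "file_access":
            if ev["path"].lower().endswith("autorun.inf"):
                autorun_seen.add(_drive_of(ev["path"]))
        elif ev["type"] == "process_creation":
            drive = _drive_of(ev["image"])
            mount_ts = mounted.get(drive)
            if mount_ts is None or ts - mount_ts > window:
                continue                         # not removable, or long after mount
            reasons = ["executable launched from removable drive shortly after mount"]
            if drive in autorun_seen:
                reasons.append("autorun.inf read on drive before launch")
            if not ev.get("signed", False):
                reasons.append("image unsigned")
            alerts.append({"ts": ev["ts"], "image": ev["image"], "drive": drive, "reasons": reasons})
    return alerts
```

Running it over SAMPLE_EVENTS flags only E:\Report.pdf.exe; the notepad launch from C:, the SATA-backed F: drive and the launch two hours after mount are all left alone.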
References
1. Microsoft. (n.d.). How to disable the Autorun functionality in Windows. Retrieved April 20, 2016.
2. Microsoft. (2007, August 31). https://technet.microsoft.com/en-us/library/cc771759(v=ws.10).aspx. Retrieved April 20, 2016.
3. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
4. Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.
5. FireEye. (2015). APT28: A WINDOW INTO RUSSIA'S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
6. Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
7. Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.
8. Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021.
9. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
10. Sanmillan, I. (2020, May 13). Ramsay: A cyber-espionage toolkit tailored for air-gapped networks. Retrieved May 27, 2020.
11. Chen, J. (2020, May 12). Tropic Trooper's Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
12. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
13. Shevchenko, S. (2008, November 30). Agent.btz - A Threat That Hit Pentagon. Retrieved April 8, 2016.
14. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
15. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
16. Reynolds, J. (2016, September 14). H1N1: Technical analysis reveals new capabilities - part 2. Retrieved September 26, 2016.
17. Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021.
18. Trend Micro. (2014, March 18). Conficker. Retrieved February 18, 2021.
19. Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.
20. Caragay, R. (2014, December 11). Info-Stealing File Infector Hits US, UK. Retrieved June 5, 2019.
21. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
22. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
23. Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.
24. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
25. Kaspersky Lab's Global Research and Analysis Team. (2014, November). The Darkhotel APT: A Story of Unusual Hospitality. Retrieved November 12, 2014.
26. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
27. The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022.