Replication Through Removable Media

Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features that execute the malware when the media is inserted into a system. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.

ID: T1091
Sub-techniques: No sub-techniques
Platforms: Windows
System Requirements: Removable media allowed, Autorun enabled or vulnerability present that allows for code execution
Permissions Required: User
Version: 1.1
Created: 31 May 2017
Last Modified: 20 July 2021

Procedure Examples

ID Name Description
S0092 Agent.btz

Agent.btz drops itself onto removable media devices and creates an autorun.inf file with an instruction to run that file. When the device is inserted into another system, it opens autorun.inf and loads the malware.[1]

G0007 APT28

APT28 uses a tool to infect connected USB devices and transmit itself to air-gapped computers when the infected USB device is inserted.[2]

S0023 CHOPSTICK

Part of APT28's operation involved using CHOPSTICK modules to copy itself to air-gapped machines and using files written to USB sticks to transfer data and command traffic.[3][2][4]

S0608 Conficker

Conficker variants used the Windows AUTORUN feature to spread through USB propagation.[5][6]

S0115 Crimson

Crimson can spread across systems by infecting removable media.[7]

G0012 Darkhotel

Darkhotel's selective infector modifies executables stored on removable media as a method of spreading across computers.[8]

S0062 DustySky

DustySky searches for removable media and duplicates itself onto it.[9]

G0046 FIN7

FIN7 actors have mailed USB drives to potential victims containing malware that downloads and installs various backdoors, including in some cases for ransomware operations.[10]

S0143 Flame

Flame contains modules to infect USB sticks and spread laterally to other Windows systems the stick is plugged into using Autorun functionality.[11]

S0132 H1N1

H1N1 has functionality to copy itself to removable media.[12]

G0129 Mustang Panda

Mustang Panda has used a customized PlugX variant which could spread through USB connections.[13]

S0385 njRAT

njRAT can be configured to spread via removable drives.[14][15]

S0650 QakBot

QakBot has the ability to use removable drives to spread through compromised networks.[16]

S0458 Ramsay

Ramsay can spread itself by infecting other portable executable files on removable drives.[17]

S0028 SHIPSHAPE

APT30 may have used the SHIPSHAPE malware to move onto air-gapped networks. SHIPSHAPE targets removable drives to spread to other systems by modifying the drive to use Autorun to execute or by hiding legitimate document files and copying an executable to the folder with the same name as the legitimate document.[18]

S0603 Stuxnet

Stuxnet can propagate via removable media using an autorun.inf file or the CVE-2010-2568 LNK vulnerability.[19]

G0081 Tropic Trooper

Tropic Trooper has attempted to transfer USBferry from an infected USB device by copying an Autorun function to the target machine.[20]

S0130 Unknown Logger

Unknown Logger is capable of spreading to USB devices.[21]

S0386 Ursnif

Ursnif has copied itself to and infected removable drives for propagation.[22][23]

S0452 USBferry

USBferry can copy its installer to attached USB storage devices.[20]

S0136 USBStealer

USBStealer drops itself onto removable media and relies on Autorun to execute the malicious file when a user opens the removable media on another system.[24]

Mitigations

ID Mitigation Description
M1040 Behavior Prevention on Endpoint

On Windows 10, enable Attack Surface Reduction (ASR) rules to block unsigned/untrusted executable files (such as .exe, .dll, or .scr) from running from USB removable drives.[25]

M1042 Disable or Remove Feature or Program

Disable Autorun if it is unnecessary.[26] Disallow or restrict removable media at an organizational policy level if it is not required for business operations.[27]

M1034 Limit Hardware Installation

Limit the use of USB devices and removable media within a network.
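As an added illustration of M1042 and M1040 (example code written for this page, not taken from ATT&CK or from Microsoft), the PowerShell below audits a Windows 10/11 host for the Explorer AutoRun policy values and for the Defender ASR rule that blocks untrusted and unsigned processes running from USB, and applies both when run with -Apply from an elevated prompt. The registry path, the value names NoDriveTypeAutoRun and NoAutorun, the ASR rule GUID and the Get-MpPreference/Add-MpPreference cmdlets are Microsoft's documented ones; the script parameter, function names and report layout are this example's own.

```powershell
# Added example (not from the ATT&CK page): audit, and optionally apply, the
# T1091 mitigations M1042 (disable Autorun) and M1040 (ASR rule for USB) on one host.
# Audit-only by default; run elevated with -Apply to change settings.
[CmdletBinding()]
param([switch]$Apply)

# Explorer policy key that governs AutoRun/AutoPlay. NoDriveTypeAutoRun = 0xFF turns
# AutoRun off for every drive type; NoAutorun = 1 stops autorun.inf from being honoured.
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$desiredValues  = [ordered]@{ NoDriveTypeAutoRun = 0xFF; NoAutorun = 1 }

# Defender ASR rule "Block untrusted and unsigned processes that run from USB".
$asrUsbRuleId = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'

function Get-AutorunPolicyState {
    # One row per policy value: what is set now versus what M1042 asks for.
    foreach ($name in $desiredValues.Keys) {
        $current = (Get-ItemProperty -Path $explorerPolicy -Name $name -ErrorAction SilentlyContinue).$name
        $shown = if ($null -eq $current) { 'not set' } else { $current }
        [PSCustomObject]@{
            Setting   = $name
            Current   = $shown
            Desired   = $desiredValues[$name]
            Compliant = ($current -eq $desiredValues[$name])
        }
    }
}

function Get-AsrUsbRuleState {
    # Defender exposes configured ASR rules as two parallel arrays: rule IDs and actions.
    if (-not (Get-Command Get-MpPreference -ErrorAction SilentlyContinue)) {
        return 'Defender cmdlets unavailable on this host'
    }
    $pref        = Get-MpPreference
    $ids         = @($pref.AttackSurfaceReductionRules_Ids)
    $actions     = @($pref.AttackSurfaceReductionRules_Actions)
    $actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $asrUsbRuleId) {
            $code = [int]$actions[$i]
            if ($actionNames.ContainsKey($code)) { return $actionNames[$code] }
            return "Unknown action code $code"
        }
    }
    return 'NotConfigured'
}

function Set-RemovableMediaMitigations {
    # Create the policy key if missing, then write the two DWORD values.
    if (-not (Test-Path $explorerPolicy)) { New-Item -Path $explorerPolicy -Force | Out-Null }
    foreach ($name in $desiredValues.Keys) {
        New-ItemProperty -Path $explorerPolicy -Name $name -Value $desiredValues[$name] `
            -PropertyType DWord -Force | Out-Null
    }
    # Add-MpPreference appends this rule without disturbing other configured ASR rules.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $asrUsbRuleId `
                     -AttackSurfaceReductionRules_Actions Enabled
}

if ($Apply) { Set-RemovableMediaMitigations }

Write-Host "AutoRun policy values under $explorerPolicy"
Get-AutorunPolicyState | Format-Table -AutoSize
Write-Host "ASR rule $asrUsbRuleId (untrusted processes from USB): $(Get-AsrUsbRuleState)"
```

Registry changes take effect for new Explorer sessions, so a logoff or reboot is needed before a re-audit reflects them. In a domain the same values are normally delivered by Group Policy (Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies > Turn off AutoPlay), which overrides local edits, and the ASR rule only enforces while Defender real-time protection is active. Restricting which removable devices may be installed at all (M1034) is a separate device-control policy and is not covered by this script.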

Detection

ID Data Source Data Component
DS0016 Drive Drive Creation
DS0022 File File Access, File Creation
DS0009 Process Process Creation

Monitor file access on removable media. Detect processes that execute from removable media after it is mounted or when initiated by a user. If a remote access tool is used in this manner to move laterally, then additional actions are likely to occur after execution, such as opening network connections for Command and Control and system and network information Discovery.
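The detection guidance above can be turned into a small correlation across the three data components. The PowerShell below is an added example written for this page (not ATT&CK or vendor code): it takes a list of removable drive letters (DS0016) and a set of Sysmon-style events, and flags an autorun.inf or executable being written to removable media (DS0022 File Creation) and any process whose image runs from removable media (DS0009 Process Creation). The events, the drive list, the user and file names are all constructed for the example; the field names mirror Sysmon Event 1 (Image, ParentImage, User) and Event 11 (Image, TargetFilename), and the comments show where real inputs would come from.

```powershell
# Added example (not from the ATT&CK page): correlate removable-drive state with
# process-creation and file-creation events to surface T1091 activity.
#
# Real inputs (not executed here):
#   $removableDrives = (Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2').DeviceID
#   Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' and map EventData
#   (Image, ParentImage, User, TargetFilename) onto the objects consumed below.

function Test-OnRemovableDrive {
    param([string]$Path, [string[]]$RemovableDrives)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    foreach ($drive in $RemovableDrives) {
        # Anchored, case-insensitive match on "E:\..." ($drive given as 'E:' or 'E:\').
        $pattern = '^' + [regex]::Escape($drive.TrimEnd('\')) + '\\'
        if ($Path -match $pattern) { return $true }
    }
    return $false
}

function Find-RemovableMediaActivity {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [Parameter(Mandatory)] [string[]]$RemovableDrives
    )
    $findings = New-Object System.Collections.Generic.List[object]
    foreach ($e in $Events) {
        $rule = $null
        $detail = $null
        if ($e.Id -eq 1 -and (Test-OnRemovableDrive $e.Image $RemovableDrives)) {
            # DS0009 Process Creation: the executable image itself lives on removable media.
            $rule = 'ProcessExecutedFromRemovableMedia'
            $detail = $e.Image
        }
        elseif ($e.Id -eq 11 -and (Test-OnRemovableDrive $e.TargetFilename $RemovableDrives)) {
            # DS0022 File Creation: autorun.inf or an executable written onto removable media.
            # Split on either separator so the check behaves the same on any platform.
            $leaf = ($e.TargetFilename -split '[\\/]')[-1]
            if ($leaf -ieq 'autorun.inf') { $rule = 'AutorunInfWritten' }
            elseif ($leaf -match '\.(exe|dll|scr|lnk)$') { $rule = 'ExecutableWrittenToRemovableMedia' }
            $detail = $e.TargetFilename
        }
        if ($rule) {
            $findings.Add([PSCustomObject]@{
                Time    = $e.Time
                Rule    = $rule
                Detail  = $detail
                Process = $e.Image
                Parent  = $e.ParentImage
                User    = $e.User
            })
        }
    }
    return $findings
}

# Constructed sample: one removable volume and six events around it.
$removableDrives = @('E:')
$sampleEvents = @(
    # Ordinary logon activity on the system drive.
    [PSCustomObject]@{ Time='09:00:05'; Id=1;  Image='C:\Windows\explorer.exe'; ParentImage='C:\Windows\System32\userinit.exe'; User='CORP\alice'; TargetFilename=$null }
    # A process on the infected host writes autorun.inf and an executable to the USB stick.
    [PSCustomObject]@{ Time='09:01:10'; Id=11; Image='C:\Users\alice\AppData\Local\Temp\svchost_update.exe'; ParentImage=$null; User='CORP\alice'; TargetFilename='E:\autorun.inf' }
    [PSCustomObject]@{ Time='09:01:11'; Id=11; Image='C:\Users\alice\AppData\Local\Temp\svchost_update.exe'; ParentImage=$null; User='CORP\alice'; TargetFilename='E:\Quarterly Report.exe' }
    # The stick is plugged into a second host and the user double-clicks the look-alike file.
    [PSCustomObject]@{ Time='09:15:42'; Id=1;  Image='E:\Quarterly Report.exe'; ParentImage='C:\Windows\explorer.exe'; User='CORP\bob'; TargetFilename=$null }
    # Benign: a trusted image on C: opening a document that happens to sit on the stick.
    [PSCustomObject]@{ Time='09:16:00'; Id=1;  Image='C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; ParentImage='C:\Windows\explorer.exe'; User='CORP\bob'; TargetFilename=$null }
    # Benign: a plain text file saved to the stick.
    [PSCustomObject]@{ Time='09:17:30'; Id=11; Image='C:\Windows\explorer.exe'; ParentImage=$null; User='CORP\bob'; TargetFilename='E:\notes.txt' }
)

Find-RemovableMediaActivity -Events $sampleEvents -RemovableDrives $removableDrives |
    Format-Table -AutoSize
```

On the constructed sample the function reports the autorun.inf write, the executable write and the execution of the look-alike file, and leaves the explorer.exe, WINWORD.EXE and notes.txt events alone. Two design points matter in production: the removable-drive list should come from the mount events themselves (for example Security event 6416 when Plug and Play auditing is enabled, or the drive-creation telemetry of the EDR in use) rather than from the drives present when the query runs, because the stick is often gone by then; and a hit on the process rule is a trigger to pivot into what that process did next, since the page notes that a remote access tool started this way will usually go on to open network connections and perform Discovery.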

References