Replication Through Removable Media

From ATT&CK
Technique
ID: T1091
Tactic: Lateral Movement
Platform: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1
System Requirements: Removable media allowed, Autorun enabled or vulnerability present that allows for code execution
Permissions Required: User
Data Sources: File monitoring, Data loss prevention

Adversaries may move to additional systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into another system and executes. This may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system.

Examples

  • Darkhotel's selective infector modifies executables stored on removable media as a method of spreading across computers.[1]
  • Part of APT28's operation involved using CHOPSTICK modules to copy itself to air-gapped machines and using files written to USB sticks to transfer data and command traffic.[2]
  • APT30 may have used the SHIPSHAPE malware to move onto air-gapped networks. SHIPSHAPE targets removable drives to spread to other systems by modifying the drive to use Autorun to execute or by hiding legitimate document files and copying an executable to the folder with the same name as the legitimate document.[3]
  • DustySky searches for removable media and duplicates itself onto it.[4]
  • Agent.btz drops itself onto removable media devices and creates an autorun.inf file with an instruction to run that file. When the device is inserted into another system, it opens autorun.inf and loads the malware.[5]
  • Unknown Logger is capable of spreading to USB devices.[6]
  • H1N1 has functionality to copy itself to removable media.[7]
  • USBStealer drops itself onto removable media and relies on Autorun to execute the malicious file when a user opens the removable media on another system.[8]

Mitigation

Disable Autorun if it is unnecessary.[9] Disallow or restrict removable media at an organizational policy level if it is not required for business operations.[10]

Identify potentially malicious software that may be used to infect removable media or may result from tainted removable media, and audit and/or block it by using whitelisting[11] tools, like AppLocker,[12][13] or Software Restriction Policies[14] where appropriate.[15]
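The following PowerShell is an added example and is not part of the ATT&CK page. It applies the three mitigations named above on a single host: disabling Autorun, denying execute access on removable disks, and staging an AppLocker rule for executables on removable media. It uses the registry values that the corresponding Group Policy settings ("Turn off Autoplay", "Default behavior for AutoRun", "Removable Disks: Deny execute access") write, and the AppLocker `%REMOVABLE%` path variable. The function names are the example's own; the AppLocker rule is created in AuditOnly mode on purpose, because an Exe collection with only a Deny rule and enforcement enabled would block every executable that no Allow rule covers.

```powershell
# Added example: host-level mitigations for T1091 (requires an elevated session).

# NoDriveTypeAutoRun is a bitmask of drive types; 0xFF disables Autorun on all of them.
# NoAutorun = 1 additionally stops autorun.inf from adding an "Install or run" AutoPlay entry.
$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Removable Storage Access policy; the GUID is the "Removable Disks" device class.
$RemovableDisksPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Disable-Autorun {
    if (-not (Test-Path $ExplorerPolicy)) { New-Item -Path $ExplorerPolicy -Force | Out-Null }
    New-ItemProperty -Path $ExplorerPolicy -Name NoDriveTypeAutoRun -PropertyType DWord -Value 0xFF -Force | Out-Null
    New-ItemProperty -Path $ExplorerPolicy -Name NoAutorun -PropertyType DWord -Value 1 -Force | Out-Null
}

function Deny-RemovableDiskExecute {
    if (-not (Test-Path $RemovableDisksPolicy)) { New-Item -Path $RemovableDisksPolicy -Force | Out-Null }
    New-ItemProperty -Path $RemovableDisksPolicy -Name Deny_Execute -PropertyType DWord -Value 1 -Force | Out-Null
}

function New-RemovableMediaAppLockerAuditRule {
    # Deny rule for any executable under %REMOVABLE%, merged into the local
    # AppLocker policy in AuditOnly mode so it logs (event 8003) instead of blocking.
    $policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Audit: executables on removable media"
                  Description="T1091 mitigation (audit)" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%REMOVABLE%\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
    $path = Join-Path $env:TEMP 'removable-media-applocker.xml'
    Set-Content -Path $path -Value $policyXml -Encoding UTF8
    Set-AppLockerPolicy -XmlPolicy $path -Merge
}

function Get-RemovableMediaPolicyState {
    # Read-only check suitable for a compliance script; changes nothing.
    $explorer  = Get-ItemProperty -Path $ExplorerPolicy -ErrorAction SilentlyContinue
    $removable = Get-ItemProperty -Path $RemovableDisksPolicy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NoDriveTypeAutoRun   = $explorer.NoDriveTypeAutoRun
        AutorunDisabledAll   = (($explorer.NoDriveTypeAutoRun -band 0xFF) -eq 0xFF)
        NoAutorun            = $explorer.NoAutorun
        RemovableDenyExecute = ($removable.Deny_Execute -eq 1)
    }
}

# Usage: apply, then verify.
Disable-Autorun
Deny-RemovableDiskExecute
New-RemovableMediaAppLockerAuditRule
Get-RemovableMediaPolicyState | Format-List
```

Changes made this way are overwritten by domain Group Policy on the next refresh, so the registry writes are a local stopgap and the same settings belong in a GPO for fleet-wide use. Once the AppLocker audit events show no business-critical executables running from removable media, the collection can be switched to Enabled alongside the organization's existing Allow rules.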

Detection

Monitor file access on removable media. Detect processes that execute from removable media after it is mounted or when initiated by a user. If a remote access tool is used in this manner to move laterally, then additional actions are likely to occur after execution, such as opening network connections for Command and Control and system and network information Discovery.
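The following PowerShell is an added example, not part of the ATT&CK page, showing the two detections the paragraph describes: a process whose image is on removable media, and an autorun.inf written to the root of a removable drive. It reads Sysmon events (ID 1 ProcessCreate and ID 11 FileCreate) when Sysmon is installed, and ends with a constructed sample (not real telemetry) so the matching logic can be exercised on any machine. Function names and the sample values are the example's own.

```powershell
# Added example: flag removable-media execution and autorun.inf drops from Sysmon events.

function Get-RemovableDriveLetters {
    # Win32_LogicalDisk DriveType 2 = removable disk. Returns letters such as @('E','F').
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
        ForEach-Object { $_.DeviceID.TrimEnd(':') }
}

function Test-RemovableMediaEvent {
    # Returns a finding object for a matching event, $null otherwise.
    param(
        [Parameter(Mandatory)] $Event,                      # flattened event: EventId, UtcTime, User, Image / TargetFilename
        [Parameter(Mandatory)] [string[]] $RemovableLetters
    )
    if (-not $RemovableLetters) { return $null }
    $letters = $RemovableLetters -join ''                   # regex character class of removable drive letters
    switch ($Event.EventId) {
        1 {
            # Process started from a removable drive, e.g. E:\Quarterly report.pdf.exe
            if ($Event.Image -match "^[$letters]:\\") {
                return [pscustomobject]@{ Rule = 'ExecFromRemovable'; Detail = $Event.Image; User = $Event.User; Time = $Event.UtcTime }
            }
        }
        11 {
            # autorun.inf created at the root of a removable drive
            if ($Event.TargetFilename -match "^[$letters]:\\autorun\.inf$") {
                return [pscustomobject]@{ Rule = 'AutorunInfWritten'; Detail = $Event.TargetFilename; User = $Event.User; Time = $Event.UtcTime }
            }
        }
    }
    return $null
}

function ConvertFrom-SysmonEvent {
    # Flatten a Get-WinEvent record's EventData (<Data Name="Image">...</Data>) into properties.
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventRecord] $Record)
    $xml = [xml] $Record.ToXml()
    $props = @{ EventId = $Record.Id }
    foreach ($d in $xml.Event.EventData.Data) { $props[$d.Name] = $d.'#text' }
    [pscustomobject] $props
}

function Find-RemovableMediaActivity {
    # Live query against the Sysmon operational log on this host.
    param([string[]] $RemovableLetters = (Get-RemovableDriveLetters))
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 11 } -ErrorAction SilentlyContinue |
        ForEach-Object { Test-RemovableMediaEvent -Event (ConvertFrom-SysmonEvent $_) -RemovableLetters $RemovableLetters } |
        Where-Object { $_ }
}

# Constructed sample events (not real telemetry), already flattened to Sysmon field names.
$sample = @(
    [pscustomobject]@{ EventId = 1;  UtcTime = '2017-03-01 09:12:01'; User = 'CORP\alice'; Image = 'C:\Windows\explorer.exe' }
    [pscustomobject]@{ EventId = 1;  UtcTime = '2017-03-01 09:12:07'; User = 'CORP\alice'; Image = 'E:\Quarterly report.pdf.exe' }
    [pscustomobject]@{ EventId = 11; UtcTime = '2017-03-01 09:15:40'; User = 'CORP\alice'; TargetFilename = 'E:\autorun.inf' }
    [pscustomobject]@{ EventId = 11; UtcTime = '2017-03-01 09:15:41'; User = 'CORP\alice'; TargetFilename = 'C:\Users\alice\notes.txt' }
)
# Expect two findings: ExecFromRemovable for the .pdf.exe and AutorunInfWritten for E:\autorun.inf.
$sample | ForEach-Object { Test-RemovableMediaEvent -Event $_ -RemovableLetters @('E') } | Where-Object { $_ } | Format-Table
```

Drive letters are reused, so the removable-letter list should be captured close to the event time (Sysmon does not record the drive type); correlating the finding with the device-insertion events in the Microsoft-Windows-DriverFrameworks-UserMode log removes that ambiguity. The `.pdf.exe` sample reflects the double-extension trick the examples above describe; a follow-on check of the same process's network connections (Sysmon ID 3) covers the Command and Control activity the paragraph says to expect after execution.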

References