Description
Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features that execute it when the media is inserted into a system. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Mobile devices may also be used to infect PCs with malware if connected via USB.(Citation: Exploiting Smartphone USB) This infection may be achieved using devices (Android, iOS, etc.) and, in some instances, USB charging cables.(Citation: Windows Malware Infecting Android)(Citation: iPhone Charging Cable Hack) For example, when a smartphone is connected to a system, it may appear to be mounted similarly to a USB-connected disk drive. If malware that is compatible with the connected system is on the mobile device, the malware could infect the machine (especially if Autorun features are enabled).
Platforms
Mitigations (3)
| ID | Mitigation | Description |
|---|---|---|
| M1042 | Disable or Remove Feature or Program | Disable Autorun if it is unnecessary.(Citation: Microsoft Disable Autorun) Disallow or restrict removable media at an organizational policy level if it is not required for business operations.(Citation: TechNet Removable Media Control) |
| M1034 | Limit Hardware Installation | Limit the use of USB devices and removable media within a network. |
| M1040 | Behavior Prevention on Endpoint | On Windows 10, enable Attack Surface Reduction (ASR) rules to block unsigned/untrusted executable files (such as .exe, .dll, or .scr) from running from USB removable drives.(Citation: win10_asr) |
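The three mitigations above map to concrete Windows settings. The following PowerShell is an added example, not code from the ATT&CK page or from MITRE: it applies the Autorun policy (M1042), the removable-storage deny policy (M1034) and the Defender ASR rule (M1040), then reports their state. It assumes Windows 10/11 with Microsoft Defender Antivirus and an elevated session; the registry paths and the ASR rule GUID are Microsoft's documented values, while the function names are this example's own.

```powershell
# Added example (not from the ATT&CK page): apply and verify the Windows-side
# mitigations for T1091. Run from an elevated PowerShell session.

$AsrUsbRule   = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'   # ASR "Block untrusted and unsigned processes that run from USB"
$ExplorerPol  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$RemovablePol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

function Disable-Autorun {
    # M1042: NoDriveTypeAutoRun is a bitmask of drive types excluded from Autorun/AutoPlay.
    # 0xFF excludes every type (removable drives are bit 0x04), which is what Microsoft recommends.
    Set-PolicyDword -Path $ExplorerPol -Name 'NoDriveTypeAutoRun' -Value 0xFF
}

function Block-RemovableStorage {
    # M1034: the key written by the "All Removable Storage classes: Deny all access" Group Policy.
    # It blocks every removable storage class, so apply it only where the business case allows.
    Set-PolicyDword -Path $RemovablePol -Name 'Deny_All' -Value 1
}

function Enable-AsrUsbRule {
    param([ValidateSet('AuditMode', 'Enabled')][string]$Action = 'AuditMode')
    # M1040: Add-MpPreference appends to the existing rule list (Set-MpPreference would replace it).
    # Start in AuditMode: would-be blocks are logged as Event ID 1122 in
    # Microsoft-Windows-Windows Defender/Operational; enforced blocks are Event ID 1121.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrUsbRule -AttackSurfaceReductionRules_Actions $Action
}

function Get-RemovableMediaMitigationState {
    $prefs   = Get-MpPreference
    $ids     = @($prefs.AttackSurfaceReductionRules_Ids)
    $actions = @($prefs.AttackSurfaceReductionRules_Actions)
    $names   = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }
    $asr = 'NotConfigured'
    for ($i = 0; $i -lt $ids.Count; $i++) {
        # GUIDs come back in varying case, so compare case-insensitively
        if ($ids[$i] -ieq $AsrUsbRule) { $asr = $names[[int]$actions[$i]]; break }
    }
    [pscustomobject]@{
        NoDriveTypeAutoRun = (Get-ItemProperty -Path $ExplorerPol -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        RemovableDenyAll   = (Get-ItemProperty -Path $RemovablePol -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
        AsrUsbRule         = $asr
    }
}

Disable-Autorun
Enable-AsrUsbRule -Action AuditMode
Get-RemovableMediaMitigationState
```

Two caveats a practitioner should keep in mind. Windows 7 and later already ignore autorun.inf on non-optical removable media, so NoDriveTypeAutoRun mainly hardens optical drives and older systems; the ASR rule is what stops a user from double-clicking a renamed executable on the stick, which is the other propagation path the description names. And a local registry write is overridden at the next Group Policy refresh if the domain sets a different value, so in a managed estate these settings belong in GPO or Intune rather than in a script.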
Threat Groups (8)
| ID | Group | Context |
|---|---|---|
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has replicated to removable media by leveraging the User Assist Reg Key and creating LNKs on ... |
| G1014 | LuminousMoth | [LuminousMoth](https://attack.mitre.org/groups/G1014) has used malicious DLLs to spread malware to connected removable USB drives on infected machines... |
| G1007 | Aoqin Dragon | [Aoqin Dragon](https://attack.mitre.org/groups/G1007) has used a dropper that employs a worm infection strategy using a removable device to breach a s... |
| G0012 | Darkhotel | [Darkhotel](https://attack.mitre.org/groups/G0012)'s selective infector modifies executables stored on removable media as a method of spreading across... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has used a customized [PlugX](https://attack.mitre.org/software/S0013) variant which could spre... |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) actors have mailed USB drives to potential victims containing malware that downloads and installs variou... |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) uses a tool to infect connected USB devices and transmit itself to air-gapped computers when the infect... |
| G0081 | Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has attempted to transfer [USBferry](https://attack.mitre.org/software/S0452) from an infected... |
Associated Software (20)
| ID | Name | Type | Context |
|---|---|---|---|
| S0143 | Flame | Malware | [Flame](https://attack.mitre.org/software/S0143) contains modules to infect USB sticks and spread laterally to other Windows systems the stick is plug... |
| S0028 | SHIPSHAPE | Malware | [APT30](https://attack.mitre.org/groups/G0013) may have used the [SHIPSHAPE](https://attack.mitre.org/software/S0028) malware to move onto air-gapped ... |
| S1230 | HIUPAN | Malware | [HIUPAN](https://attack.mitre.org/software/S1230) has periodically checked for removable and hot-plugged drives connected to the infected machine, sho... |
| S0013 | PlugX | Malware | [PlugX](https://attack.mitre.org/software/S0013) has copied itself to infected removable drives for propagation to other victim devices.(Citation: DOJ... |
| S0130 | Unknown Logger | Malware | [Unknown Logger](https://attack.mitre.org/software/S0130) is capable of spreading to USB devices.(Citation: Forcepoint Monsoon) |
| S0062 | DustySky | Malware | [DustySky](https://attack.mitre.org/software/S0062) searches for removable media and duplicates itself onto it.(Citation: DustySky) |
| S0132 | H1N1 | Malware | [H1N1](https://attack.mitre.org/software/S0132) has functionality to copy itself to removable media.(Citation: Cisco H1N1 Part 2) |
| S0603 | Stuxnet | Malware | [Stuxnet](https://attack.mitre.org/software/S0603) can propagate via removable media using an autorun.inf file or the CVE-2010-2568 LNK vulnerability.... |
| S1130 | Raspberry Robin | Malware | [Raspberry Robin](https://attack.mitre.org/software/S1130) has historically used infected USB media to spread to new victims.(Citation: TrendMicro Ras... |
| S0092 | Agent.btz | Malware | [Agent.btz](https://attack.mitre.org/software/S0092) drops itself onto removable media devices and creates an autorun.inf file with an instruction to ... |
| S0385 | njRAT | Malware | [njRAT](https://attack.mitre.org/software/S0385) can be configured to spread via removable drives.(Citation: Fidelis njRAT June 2013)(Citation: Trend ... |
| S0452 | USBferry | Malware | [USBferry](https://attack.mitre.org/software/S0452) can copy its installer to attached USB storage devices.(Citation: TrendMicro Tropic Trooper May 20... |
| S0023 | CHOPSTICK | Malware | Part of [APT28](https://attack.mitre.org/groups/G0007)'s operation involved using [CHOPSTICK](https://attack.mitre.org/software/S0023) modules to copy... |
| S0115 | Crimson | Malware | [Crimson](https://attack.mitre.org/software/S0115) can spread across systems by infecting removable media.(Citation: Kaspersky Transparent Tribe Augus... |
| S0458 | Ramsay | Malware | [Ramsay](https://attack.mitre.org/software/S0458) can spread itself by infecting other portable executable files on removable drives.(Citation: Eset R... |
| S0650 | QakBot | Malware | [QakBot](https://attack.mitre.org/software/S0650) has the ability to use removable drives to spread through compromised networks.(Citation: Trend Micr... |
| S1074 | ANDROMEDA | Malware | [ANDROMEDA](https://attack.mitre.org/software/S1074) has been spread via infected USB keys.(Citation: Mandiant Suspected Turla Campaign February 2023) |
| S0136 | USBStealer | Malware | [USBStealer](https://attack.mitre.org/software/S0136) drops itself onto removable media and relies on Autorun to execute the malicious file when a use... |
| S0608 | Conficker | Malware | [Conficker](https://attack.mitre.org/software/S0608) variants used the Windows AUTORUN feature to spread through USB propagation.(Citation: SANS Confi... |
| S0386 | Ursnif | Malware | [Ursnif](https://attack.mitre.org/software/S0386) has copied itself to and infected removable drives for propagation.(Citation: TrendMicro Ursnif Mar ... |
References
- Lucian Constantin. (2014, January 23). Windows malware tries to infect Android devices connected to PCs. Retrieved May 25, 2022.
- Zack Whittaker. (2019, August 12). This hacker’s iPhone charging cable can hijack your computer. Retrieved May 25, 2022.
- Zhaohui Wang & Angelos Stavrou. (n.d.). Exploiting Smart-Phone USB Connectivity For Fun And Profit. Retrieved May 25, 2022.
Frequently Asked Questions
What is T1091 (Replication Through Removable Media)?
T1091 is a MITRE ATT&CK technique named 'Replication Through Removable Media'. It belongs to the Lateral Movement, Initial Access tactic(s). Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into...
How can T1091 be detected?
Detection of T1091 (Replication Through Removable Media) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
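Concretely, the host-side artefacts this technique leaves are a file written to a removable drive (autorun.inf or an executable, as in the Agent.btz, Stuxnet and USBStealer entries above) and a process started from a removable drive. The following PowerShell is an added detection example, not code from the ATT&CK page or MITRE; it checks both conditions against Sysmon ProcessCreate (Event ID 1) and FileCreate (Event ID 11) records. It assumes Sysmon is installed with those event types enabled; the sample events are constructed so the logic runs offline, and the function names are this example's own.

```powershell
# Added detection example (not from the ATT&CK page): flag execution from, and
# executable/autorun.inf writes to, removable drives using Sysmon telemetry.

function Get-RemovableDriveLetters {
    # Win32_LogicalDisk DriveType 2 = removable disk; returns roots such as 'E:'
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object { $_.DeviceID }
}

function ConvertFrom-SysmonEvent {
    # Flatten a Get-WinEvent record from Microsoft-Windows-Sysmon/Operational into the fields used below
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        $x = [xml]$Record.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ Id = $Record.Id; TimeCreated = $Record.TimeCreated; User = $d['User']
                           Image = $d['Image']; TargetFilename = $d['TargetFilename'] }
    }
}

function Find-RemovableMediaActivity {
    param(
        [Parameter(Mandatory)][object[]]$Events,           # objects with Id, TimeCreated, User, Image, TargetFilename
        [Parameter(Mandatory)][string[]]$RemovableDrives   # e.g. @('E:')
    )
    # Anchored, escaped alternation of the removable drive roots, e.g. ^(E:|F:)\\
    $onRemovable = '^(' + (($RemovableDrives | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')\\'
    # autorun.inf at the drive root, or a file type Autorun or a tricked user would execute
    $suspectFile = '(?i)(^[a-z]:\\autorun\.inf$|\.(exe|dll|scr|lnk|bat|cmd)$)'
    foreach ($e in $Events) {
        switch ($e.Id) {
            1  { if ($e.Image -imatch $onRemovable) {
                     [pscustomobject]@{ Time = $e.TimeCreated; Rule = 'ProcessFromRemovableMedia'; User = $e.User; Path = $e.Image } } }
            11 { if ($e.TargetFilename -imatch $onRemovable -and $e.TargetFilename -imatch $suspectFile) {
                     [pscustomobject]@{ Time = $e.TimeCreated; Rule = 'ExecutableWrittenToRemovableMedia'; User = $e.User; Path = $e.TargetFilename } } }
        }
    }
}

# Constructed sample: a normal launch, a launch from E:, an autorun.inf write to E:, and a benign document write to E:
$SampleEvents = @(
    [pscustomobject]@{ Id = 1;  TimeCreated = '2024-01-01T09:00:00'; User = 'CORP\alice'; Image = 'C:\Windows\explorer.exe'; TargetFilename = $null }
    [pscustomobject]@{ Id = 1;  TimeCreated = '2024-01-01T09:01:12'; User = 'CORP\alice'; Image = 'E:\Documents.exe'; TargetFilename = $null }
    [pscustomobject]@{ Id = 11; TimeCreated = '2024-01-01T09:01:30'; User = 'CORP\alice'; Image = 'C:\Users\alice\AppData\Local\Temp\svc.exe'; TargetFilename = 'E:\autorun.inf' }
    [pscustomobject]@{ Id = 11; TimeCreated = '2024-01-01T09:02:00'; User = 'CORP\alice'; Image = 'C:\Windows\explorer.exe'; TargetFilename = 'E:\report.pdf' }
)
Find-RemovableMediaActivity -Events $SampleEvents -RemovableDrives @('E:') | Format-Table -AutoSize

# Live use, replacing the constructed sample with the local Sysmon log:
# $live = Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 5000 |
#             Where-Object { $_.Id -in 1, 11 } | ConvertFrom-SysmonEvent
# Find-RemovableMediaActivity -Events $live -RemovableDrives (Get-RemovableDriveLetters)
```

Of the four constructed records, only the launch of Documents.exe from E: and the autorun.inf write are reported; explorer.exe and the PDF are not. Drive letters are reused as media comes and goes, so in a SIEM correlate on the drive letter observed at the time of the event rather than on a letter enumerated later, and pair this logic with device-insertion telemetry (Security Event ID 6416 when "Audit PNP Activity" is enabled) and with ASR audit/block events 1122 and 1121 from the Defender operational log to see what the M1040 rule would have stopped.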
What mitigations exist for T1091?
There are 3 documented mitigations for T1091. Key mitigations include: Disable or Remove Feature or Program, Limit Hardware Installation, Behavior Prevention on Endpoint.
Which threat groups use T1091?
Known threat groups using T1091 include: Gamaredon Group, LuminousMoth, Aoqin Dragon, Darkhotel, Mustang Panda, FIN7, APT28, Tropic Trooper.