Replication Through Removable Media

Replication through removable media is an initial access or lateral movement technique in which an adversary uses USB devices, portable storage, or counterfeit peripherals to execute malicious code, either through autorun functionality or by inducing the user to run it. Traditional defences identify the threat mainly by monitoring file access on removable media, detecting anomalous process creation, and analysing network activity after a device is connected; typical controls are restricting autorun, enforcing device allow-list policies, and scanning removable media for suspicious files.

To evade these detection mechanisms, attackers have developed newer concealment techniques: hardware-level implants, protocol-layer impersonation, and control over the timing and location of malicious behaviour. These techniques move beyond the traditional contest at the file-system layer. By exploiting hardware and firmware vulnerabilities, impersonating legitimate device protocols, and dynamically pacing the attack, they blend malicious activity into normal device usage and significantly reduce detectability.

The core evolutionary path of current concealment techniques is the multi-dimensional fusion of attack vectors and the decoupling of execution in time and space. Covert firmware implants take control of the device's underlying hardware so that malicious code persists outside the operating system's supervision; legitimate-file image cloning uses digital identity impersonation to build a carrier that appears fully compliant on the surface but in fact has dual functionality; wireless-charging device hijacking breaks through the physical interface boundary and extends the attack surface to the electromagnetic signalling layer; and multi-stage delayed activation spreads attack indicators across time and space so that no single detection point can form a coherent threat picture. The four techniques share three traits: deep integration of hardware characteristics with software vulnerabilities, precise emulation of legitimate device behaviour patterns, and dynamic adaptation to the target environment's defensive posture. The result is a "featureless" attack at every stage, including device connection, file interaction and code execution.

The development of these concealment techniques is forcing defences to evolve toward hardware and firmware security, behaviour-chain analysis, and cross-device threat awareness. Organisations need a multi-layered protective architecture covering supply-chain security verification, electromagnetic signal monitoring and in-memory behaviour analysis, and must strengthen their ability to model baseline behaviour and detect anomalies across the whole device life cycle.

ID: T1091
Sub-techniques: T1091.001, T1091.002, T1091.003, T1091.004
Platforms: Windows
System Requirements: Removable media allowed, Autorun enabled or vulnerability present that allows for code execution
Contributors: Joas Antonio dos Santos, @C0d3Cr4zy
Version: 1.2
Created: 31 May 2017
Last Modified: 17 October 2023

Concealment Effects

Effect type    Present
Signature masquerading
Behavioural transparency
Data obscuring
Spatiotemporal trace dispersal

Signature masquerading

Attackers precisely counterfeit the digital signatures of legitimate files, device hardware identifiers and communication-protocol characteristics, so that the malicious carrier cannot be distinguished from a normal object by file attributes, device type or interaction protocol. For example, legitimate-file image cloning produces a malicious program that carries a genuine digital signature, and a hijacked wireless-charging device fully conforms to the Qi protocol certification standard.

Behavioural transparency

Zero-day vulnerabilities (such as undisclosed firmware flaws or protocol defects) are used to make key stages of the attack chain invisible. For example, a covert firmware implant uses an undisclosed storage-controller vulnerability to bypass firmware signature verification, so that the loading of malicious code is transparent to the operating system.

Spatiotemporal trace dispersal

A multi-stage activation mechanism breaks the attack chain into discrete events spread over a long period, and globally distributed malicious media devices scatter attack traces over a wide area. For example, delayed activation lets the same batch of infected devices trigger attack behaviour in different geographic regions and different time windows, diluting the concentration of threat indicators.

Procedure Examples

ID Name Description
S0092 Agent.btz

Agent.btz drops itself onto removable media devices and creates an autorun.inf file with an instruction to run that file. When the device is inserted into another system, it opens autorun.inf and loads the malware.[1]

S1074 ANDROMEDA

ANDROMEDA has been spread via infected USB keys.[2]

G1007 Aoqin Dragon

Aoqin Dragon has used a dropper that employs a worm infection strategy using a removable device to breach a secure network environment.[3]

G0007 APT28

APT28 uses a tool to infect connected USB devices and transmit itself to air-gapped computers when the infected USB device is inserted.[4]

S0023 CHOPSTICK

Part of APT28's operation involved using CHOPSTICK modules to copy itself to air-gapped machines and using files written to USB sticks to transfer data and command traffic.[5][4][6]

S0608 Conficker

Conficker variants used the Windows AUTORUN feature to spread through USB propagation.[7][8]

S0115 Crimson

Crimson can spread across systems by infecting removable media.[9]

G0012 Darkhotel

Darkhotel's selective infector modifies executables stored on removable media as a method of spreading across computers.[10]

S0062 DustySky

DustySky searches for removable media and duplicates itself onto it.[11]

G0046 FIN7

FIN7 actors have mailed USB drives to potential victims containing malware that downloads and installs various backdoors, including in some cases for ransomware operations.[12]

S0143 Flame

Flame contains modules to infect USB sticks and spread laterally to other Windows systems the stick is plugged into using Autorun functionality.[13]

S0132 H1N1

H1N1 has functionality to copy itself to removable media.[14]

G1014 LuminousMoth

LuminousMoth has used malicious DLLs to spread malware to connected removable USB drives on infected machines.[15][16]

G0129 Mustang Panda

Mustang Panda has used a customized PlugX variant which could spread through USB connections.[17]

S0385 njRAT

njRAT can be configured to spread via removable drives.[18][19]

S0650 QakBot

QakBot has the ability to use removable drives to spread through compromised networks.[20]

S0458 Ramsay

Ramsay can spread itself by infecting other portable executable files on removable drives.[21]

S1130 Raspberry Robin

Raspberry Robin has historically used infected USB media to spread to new victims.[22][23]

S0028 SHIPSHAPE

APT30 may have used the SHIPSHAPE malware to move onto air-gapped networks. SHIPSHAPE targets removable drives to spread to other systems by modifying the drive to use Autorun to execute or by hiding legitimate document files and copying an executable to the folder with the same name as the legitimate document.[24]

S0603 Stuxnet

Stuxnet can propagate via removable media using an autorun.inf file or the CVE-2010-2568 LNK vulnerability.[25]

G0081 Tropic Trooper

Tropic Trooper has attempted to transfer USBferry from an infected USB device by copying an Autorun function to the target machine.[26]

S0130 Unknown Logger

Unknown Logger is capable of spreading to USB devices.[27]

S0386 Ursnif

Ursnif has copied itself to and infected removable drives for propagation.[28][29]

S0452 USBferry

USBferry can copy its installer to attached USB storage devices.[26]

S0136 USBStealer

USBStealer drops itself onto removable media and relies on Autorun to execute the malicious file when a user opens the removable media on another system.[30]
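The procedure examples above share two artefacts a defender can scan for on mounted removable media: an autorun.inf whose directives launch a file, and the SHIPSHAPE-style decoy where a legitimate document is hidden next to an executable of the same name. The following Python script is an added example, not code from the page or from MITRE; the drive listing and the autorun.inf contents are constructed sample data, and determining the hidden attribute is left to the caller (on Windows via the FILE_ATTRIBUTE_HIDDEN bit of os.stat(...).st_file_attributes).

```python
"""Scan a removable-media listing for autorun.inf launch directives and decoy executables.

Added example; the listing and the autorun.inf below are constructed
sample data, not artefacts from the page's procedure examples.
"""
import configparser
import ntpath

# Constructed listing of a mounted removable drive: (path, is_hidden).
SAMPLE_LISTING = [
    ("E:\\autorun.inf", True),
    ("E:\\Budget 2024.xlsx", True),     # hidden legitimate document
    ("E:\\Budget 2024.exe", False),     # visible executable shadowing it
    ("E:\\Photos\\trip.jpg", False),
    ("E:\\docs\\readme.txt", False),
]

# Constructed autorun.inf using the directives Windows historically honoured.
SAMPLE_AUTORUN_INF = """[autorun]
open=Budget 2024.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shellexecute=Budget 2024.exe
shell\\open\\command=Budget 2024.exe
"""

LAUNCH_KEYS = {"open", "shellexecute"}
EXEC_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".lnk"}
DOC_EXT = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"}


def autorun_commands(inf_text):
    """Return (key, command) pairs from autorun.inf that cause something to run."""
    parser = configparser.ConfigParser(interpolation=None)  # '%' is literal in .inf files
    parser.read_string(inf_text)
    if not parser.has_section("autorun"):
        return []
    commands = []
    for key, value in parser.items("autorun"):
        # open= / shellexecute= run directly; shell\<verb>\command= runs from the context menu.
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            commands.append((key, value))
    return commands


def find_decoy_pairs(listing):
    """Find hidden documents paired with a visible executable of the same base name."""
    hidden_docs = {}
    for path, hidden in listing:
        stem, ext = ntpath.splitext(path)
        if hidden and ext.lower() in DOC_EXT:
            hidden_docs[stem.lower()] = path
    pairs = []
    for path, hidden in listing:
        stem, ext = ntpath.splitext(path)
        if not hidden and ext.lower() in EXEC_EXT and stem.lower() in hidden_docs:
            pairs.append((hidden_docs[stem.lower()], path))
    return pairs


def scan(listing, inf_text=""):
    """Combine both checks into a list of human-readable findings."""
    findings = [f"autorun.inf '{key}' launches: {cmd}" for key, cmd in autorun_commands(inf_text)]
    findings += [f"decoy: hidden {doc} shadowed by executable {exe}"
                 for doc, exe in find_decoy_pairs(listing)]
    return findings


if __name__ == "__main__":
    for line in scan(SAMPLE_LISTING, SAMPLE_AUTORUN_INF):
        print(line)
```

The icon= and label= directives are deliberately ignored: they are cosmetic and appear in benign vendor media, so flagging them would only add noise. The decoy check keys on the base name rather than the full name because the executable is meant to look like the hidden document in Explorer with extensions hidden.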

Mitigations

ID Mitigation Description
M1040 Behavior Prevention on Endpoint

On Windows 10, enable Attack Surface Reduction (ASR) rules to block unsigned/untrusted executable files (such as .exe, .dll, or .scr) from running from USB removable drives. [31]

M1042 Disable or Remove Feature or Program

Disable Autorun if it is unnecessary. [32] Disallow or restrict removable media at an organizational policy level if it is not required for business operations. [33]

M1034 Limit Hardware Installation

Limit the use of USB devices and removable media within a network.
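To verify M1042 on a host, audit the NoDriveTypeAutoRun policy value rather than assuming a group policy applied. The script below is an added example, not Microsoft's or MITRE's code; the registry key and the per-drive-type bit layout are the ones Microsoft documents for this value [32]. The pure check runs anywhere; the registry read itself requires Windows, and an absent value is reported as unset rather than interpreted, because the OS default differs between Windows versions.

```python
"""Audit the NoDriveTypeAutoRun policy behind mitigation M1042 (disable Autorun).

Added example, not from the page. The key path and bit values are the
documented ones; the registry read only works on Windows.
"""
import sys

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"

# One bit per drive type; a set bit disables AutoRun for that type. 0xFF disables it everywhere.
DRIVE_TYPE_BITS = {
    "unknown": 0x01,
    "removable": 0x04,
    "fixed": 0x08,
    "network": 0x10,
    "cdrom": 0x20,
    "ramdisk": 0x40,
}


def autorun_still_enabled(value):
    """Drive types on which AutoRun remains enabled under the given policy value."""
    return sorted(name for name, bit in DRIVE_TYPE_BITS.items() if not value & bit)


def is_compliant(value):
    """True when the value disables AutoRun on every documented drive type."""
    return value is not None and autorun_still_enabled(value) == []


def read_policy():
    """Read the value from HKLM and HKCU on Windows; elsewhere return an empty dict."""
    if sys.platform != "win32":
        return {}
    import winreg
    result = {}
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                            ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, POLICY_KEY) as key:
                result[hive_name] = winreg.QueryValueEx(key, VALUE_NAME)[0]
        except FileNotFoundError:      # key or value absent in this hive
            result[hive_name] = None
    return result


def report(policy):
    """Turn {hive: value} into audit lines; unset values are flagged, not guessed."""
    lines = []
    for hive, value in policy.items():
        if value is None:
            lines.append(f"{hive}: {VALUE_NAME} not set (OS default applies; set to 0xFF)")
        elif is_compliant(value):
            lines.append(f"{hive}: 0x{value:02X} disables AutoRun on all drive types")
        else:
            lines.append(f"{hive}: 0x{value:02X} leaves AutoRun enabled on: "
                         + ", ".join(autorun_still_enabled(value)))
    return lines


if __name__ == "__main__":
    # Off Windows, show the report for a constructed sample value instead.
    for line in report(read_policy() or {"(sample)": 0x91}):
        print(line)
```

Both hives are reported separately instead of computing a single effective value, so an administrator sees a machine policy that is correct while a per-user value is missing, which is the case that usually slips through.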

Detection

ID Data Source Data Component Detects
DS0016 Drive Drive Creation

Monitor for newly constructed drive letters or mount points to removable media.

DS0022 File File Access

Monitor for unexpected files accessed on removable media.

File Creation

Monitor for newly constructed files on removable media.

DS0009 Process Process Creation

Monitor for newly executed processes that execute from removable media after it is mounted or when initiated by a user. If a remote access tool is used in this manner to move laterally, then additional actions are likely to occur after execution, such as opening network connections for Command and Control and system and network information Discovery.
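The detection rows above describe one chain: a removable drive is mounted, files appear on it, a process runs from it, and that process then opens a network connection. The following Python script is an added example, not MITRE's or any vendor's detection content, that runs that correlation over constructed Sysmon-style events (1 = process create, 3 = network connect, 11 = file create). The "mount" record is a simplified stand-in for a drive-creation event, since the real source of DS0016 varies with the logging configuration.

```python
"""Detection logic for T1091 over Sysmon-style events.

Added example; the sample telemetry below is constructed, not taken from
the page or from any real incident.
"""
import ntpath
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    {"EventID": "mount", "UtcTime": "2024-01-10 09:00:00",
     "DriveLetter": "E:", "BusType": "USB"},
    {"EventID": 11, "UtcTime": "2024-01-10 09:00:05",
     "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "E:\\autorun.inf"},
    {"EventID": 11, "UtcTime": "2024-01-10 09:00:06",
     "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "E:\\Reports.exe"},
    {"EventID": 1, "UtcTime": "2024-01-10 09:00:12", "ProcessGuid": "{A1}",
     "Image": "E:\\Reports.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 3, "UtcTime": "2024-01-10 09:00:20", "ProcessGuid": "{A1}",
     "Image": "E:\\Reports.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # Benign activity on the fixed drive: must produce no alerts.
    {"EventID": 1, "UtcTime": "2024-01-10 09:05:00", "ProcessGuid": "{B2}",
     "Image": "C:\\Program Files\\Acme\\acme.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 11, "UtcTime": "2024-01-10 09:05:01",
     "Image": "C:\\Windows\\notepad.exe", "TargetFilename": "C:\\Users\\alice\\notes.txt"},
]

# File names on removable media worth an alert when newly created.
SUSPICIOUS_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
# A network connection this soon after a removable-media launch escalates severity.
NETWORK_WINDOW = timedelta(minutes=5)


def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")


def drive_of(path):
    """Return the drive-letter prefix ('E:') of a Windows path, or '' if it has none."""
    return path[:2].upper() if len(path) >= 2 and path[1] == ":" else ""


def analyze(events):
    """Return a list of alert dicts derived from the event stream, in time order."""
    removable = set()   # drive letters currently backed by removable media
    launched = {}       # ProcessGuid -> start time of processes run from removable media
    alerts = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        eid = ev["EventID"]
        if eid == "mount" and ev.get("BusType") == "USB":
            removable.add(ev["DriveLetter"].upper())
            alerts.append({"rule": "removable_drive_mounted", "severity": "info",
                           "drive": ev["DriveLetter"]})
        elif eid == 11:
            path = ev["TargetFilename"]
            name = ntpath.basename(path).lower()
            if drive_of(path) in removable and (
                    name == "autorun.inf" or ntpath.splitext(name)[1] in SUSPICIOUS_EXT):
                alerts.append({"rule": "file_created_on_removable_media", "severity": "medium",
                               "path": path, "writer": ev["Image"]})
        elif eid == 1:
            if drive_of(ev["Image"]) in removable:
                launched[ev["ProcessGuid"]] = _ts(ev)
                alerts.append({"rule": "process_executed_from_removable_media",
                               "severity": "high", "image": ev["Image"],
                               "parent": ev["ParentImage"]})
        elif eid == 3:
            started = launched.get(ev["ProcessGuid"])
            if started is not None and _ts(ev) - started <= NETWORK_WINDOW:
                alerts.append({"rule": "removable_media_process_network_connect",
                               "severity": "critical", "image": ev["Image"],
                               "destination": f"{ev['DestinationIp']}:{ev['DestinationPort']}"})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The mount event is what makes the later rules precise: matching on drive letters alone misclassifies fixed drives that happen to use E: or F:, so the script only treats a letter as removable after seeing it mounted over USB, and the network rule fires only for a process it has already seen start from such a drive.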

References

  1. Shevchenko, S. (2008, November 30). Agent.btz - A Threat That Hit Pentagon. Retrieved April 8, 2016.
  2. Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.
  3. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.
  4. Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
  5. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  6. Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.
  7. Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021.
  8. Trend Micro. (2014, March 18). Conficker. Retrieved February 18, 2021.
  9. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
  10. Kaspersky Lab's Global Research and Analysis Team. (2014, November). The Darkhotel APT: A Story of Unusual Hospitality. Retrieved November 12, 2014.
  11. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  12. The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022.
  13. Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.
  14. Reynolds, J. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
  15. Lechtik, M., et al. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022.
  16. Botezatu, B., et al. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022.
  17. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
  18. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  19. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  20. Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021.
  21. Sanmillan, I. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  22. So, C. (2022, December 20). Raspberry Robin Malware Targets Telecom, Governments. Retrieved May 17, 2024.
  23. Podber, L. and Rand, S. (2022, May 5). Raspberry Robin gets the worm early. Retrieved May 17, 2024.
  24. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  25. Falliere, N., O Murchu, L. and Chien, E. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.
  26. Chen, J. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  27. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  28. Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.
  29. Caragay, R. (2014, December 11). Info-Stealing File Infector Hits US, UK. Retrieved June 5, 2019.
  30. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
  31. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  32. Microsoft. (n.d.). How to disable the Autorun functionality in Windows. Retrieved April 20, 2016.
  33. Microsoft. (2007, August 31). https://technet.microsoft.com/en-us/library/cc771759(v=ws.10).aspx. Retrieved April 20, 2016.