In this post, I am going to go over a real-world example of how attackers achieve replication through removable media. On a current Windows 10 system this takes a few steps, such as bypassing AMSI and Windows Defender before abusing the Autorun functionality of a removable media drive. The end goal is to infect a piece of removable media in the hope that it reaches the target device.
The MITRE ATT&CK Framework describes the attack as follows:
Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media’s firmware itself.
To show how attackers achieve replication through removable media, I will walk through a scenario in which an attacker builds malware that bypasses the security controls on the victim's machine and writes a malicious Autorun.inf to the removable media attached to it.
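From the defender's side, the artifact this technique leaves on the media is the Autorun.inf itself, so the first useful check is to parse it and flag the directives that launch a program. The following script is an added example for this post, not code from the original or from MITRE; the sample Autorun.inf content is constructed here, the key names it looks for (open, shellexecute, shell\<verb>\command, icon, label) are the documented Autorun.inf directives, and the severity labels are my own choice.

```python
import re
import sys
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed sample of the kind of autorun.inf a scanner finds on infected
# removable media (not taken from the original post).
SAMPLE_AUTORUN_INF = r"""[autorun]
open=RECYCLER\update.exe
shellexecute=RECYCLER\update.exe
icon=%SystemRoot%\system32\shell32.dll,4
label=My Documents
shell\explore\command=RECYCLER\update.exe
shell\open\command=RECYCLER\update.exe
UseAutoPlay=0
"""

# Directives under [autorun] that run a program directly, or that AutoPlay
# offers to run. Keys are compared case-insensitively after lowercasing.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\([^\\]+)\\command$")
EXEC_EXT_RE = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js|ps1|dll)\b", re.IGNORECASE)


def parse_autorun_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse INI-style autorun.inf text into {section: {key: value}}.

    A small hand-written parser is used instead of configparser because
    autorun.inf keys contain backslashes and may repeat across samples.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_autorun_inf(text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for the [autorun] section.

    high   : a launch directive points at an executable file type
    medium : a launch directive points at something else
    low    : icon borrowed from shell32.dll (common folder/drive mimicry)
    info   : volume label override
    """
    findings: List[Tuple[str, str]] = []
    autorun = parse_autorun_inf(text).get("autorun", {})
    for key, value in autorun.items():
        m = SHELL_COMMAND_RE.match(key)
        if key in LAUNCH_KEYS or m:
            verb = m.group(1) if m else key
            sev = "high" if EXEC_EXT_RE.search(value) else "medium"
            findings.append((sev, f"{verb} -> {value}"))
        elif key == "icon" and "shell32.dll" in value.lower():
            findings.append(("low", f"icon borrowed from shell32.dll ({value}) - may mimic a system folder"))
        elif key == "label":
            findings.append(("info", f"volume label override: {value}"))
    return findings


if __name__ == "__main__":
    # Usage: python autorun_audit.py E:\   (reads E:\autorun.inf)
    # With no argument the constructed sample above is audited instead.
    if len(sys.argv) > 1:
        path = Path(sys.argv[1]) / "autorun.inf"
        text = path.read_text(errors="replace") if path.exists() else ""
    else:
        text = SAMPLE_AUTORUN_INF
    for severity, message in audit_autorun_inf(text):
        print(f"[{severity}] {message}")
```

Two caveats worth keeping in mind when reading the output: Windows 7 and later ignore Autorun.inf on USB mass-storage devices (only AutoPlay prompts remain), so on Windows 10 the file is mainly an indicator of an infected stick rather than an automatic execution path; and the standard mitigation on the host side is the NoDriveTypeAutoRun policy under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, set to 0xFF to disable Autorun for every drive type.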
The attacker has been tasked to compromise an air-gapped machine within the financial department of the target network.
The OSINT (Open-Source Intelligence) team has been able to pull sensitive documents on some of the employees from the financial department of the target company, and found out that these employees each have a USB stick they use to transfer files to the air-gapped machine (the target). The team was also able to track down a few employees to their home addresses, and the attacker(s) have started targeting their home wireless networks.
(Making video now)