Posts

Showing posts with the label t1091

303. Hunting for Replication Through Removable Media

Hello everyone! It may not be very common, but some adversaries still use infected USB devices for malware distribution, so today we'll look at an example of Replication Through Removable Media (T1091). The example is Tangerine Turkey. The adversary leverages infected USB devices to distribute cryptocurrency-mining malware.

The infection starts with a malicious VBScript executed from a USB drive:

C:\WINDOWS\System32\WScript.exe E:\rootdir\x817994.vbs

That means we can hunt for suspicious scripts executed from external drives, for example D:\, E:\ and F:\. Let's build the query:

event_type: "processcreatewin" AND proc_file_path: "wscript.exe" AND cmdline: ("d\\\:" OR "e\\\:" OR "f\\\:")

See you tomorrow!

264. Hunting for SnakeDisk

Hello everyone! IBM uncovered another malware family, which they called SnakeDisk, that belongs to the notorious Mustang Panda (or Horned Werewolf, as we track it). It leverages a very interesting technique: Replication Through Removable Media (T1091). The malware is a USB worm, so its behaviors include moving files and executables located on external drives:

robocopy <drive_letter>:\ <drive_letter>:\<urd>\<uud>\ /XD "<drive_letter>:\<urd>\" /XF "<drive_letter>:\<unendl_org>" /XF "<drive_letter>:\<usb_volumename>.exe" /XD "System Volume Information" /E /MOVE

Let's hunt for robocopy being run to move files (/MOVE option) with some files and directories excluded (/XD and /XF options):

event_type: "processcreatewin" AND proc_file_path: "robocopy.exe" AND cmdline: ("xd" AND "xf" AND "move")

See you tomorrow!
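As an added worked example (not code from the original posts, nor from IBM, Red Canary or any vendor mentioned), here are the two T1091 hunts from posts 303 and 264 expressed in Python and run over a handful of constructed process-creation events carrying the same three fields the queries use (event_type, proc_file_path, cmdline). The sample command lines, drive letters, the volume name USBDISK and the placeholder directory names urd, uud and unendl_org are assumptions made for the exercise; the script-from-removable check is tightened from the posts' substring match to a "<letter>:\" drive token, and the robocopy check parses switches as "/" tokens rather than bare substrings.

```python
import re
import ntpath
from collections import namedtuple

# Event shape mirroring the three fields the posts' queries use.
ProcEvent = namedtuple("ProcEvent", "event_type proc_file_path cmdline")

# Constructed sample telemetry (not real logs). Drive letters, the USBDISK
# volume name and the placeholder directory names are assumptions.
SAMPLE_EVENTS = [
    # Tangerine Turkey-style VBScript launched from a USB drive (post 303)
    ProcEvent("processcreatewin",
              r"C:\WINDOWS\System32\WScript.exe",
              r"C:\WINDOWS\System32\WScript.exe E:\rootdir\x817994.vbs"),
    # benign: logon script run from the system drive
    ProcEvent("processcreatewin",
              r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\Scripts\logon.vbs"),
    # SnakeDisk-style robocopy /MOVE with /XD and /XF exclusions (post 264)
    ProcEvent("processcreatewin",
              r"C:\Windows\System32\Robocopy.exe",
              r'robocopy E:\ E:\urd\uud\ /XD "E:\urd\" /XF "E:\unendl_org" '
              r'/XF "E:\USBDISK.exe" /XD "System Volume Information" /E /MOVE'),
    # benign: backup copy with an exclusion but without /MOVE
    ProcEvent("processcreatewin",
              r"C:\Windows\System32\Robocopy.exe",
              r"robocopy D:\data \\fileserver\backup /E /XD temp"),
    # wrong event type: must never match either hunt
    ProcEvent("filecreatewin", r"wscript.exe", r"wscript.exe E:\x.vbs"),
]


def _is_proc_create(event, image_name):
    """Match the event type and the process image basename (case-insensitive).

    ntpath.basename is used so Windows paths split correctly on any host.
    """
    return (event.event_type == "processcreatewin"
            and ntpath.basename(event.proc_file_path).lower() == image_name)


def hunt_script_from_removable(events, drives="DEF"):
    """Post 303: wscript.exe whose command line references a D:, E: or F: path.

    Requires a real drive token ("<letter>:\\" not preceded by another
    alphanumeric) so fragments like "d:" inside other arguments do not fire.
    """
    drive_re = re.compile(r"(?<![A-Za-z0-9])[%s]:\\" % re.escape(drives),
                          re.IGNORECASE)
    return [e for e in events
            if _is_proc_create(e, "wscript.exe") and drive_re.search(e.cmdline)]


def hunt_robocopy_move_with_exclusions(events):
    """Post 264: robocopy.exe run with /MOVE together with /XD and /XF.

    Switches are collected as whitespace-separated tokens starting with "/",
    so "move" appearing inside a path or volume name does not count.
    """
    required = {"/xd", "/xf", "/move"}
    hits = []
    for e in events:
        if not _is_proc_create(e, "robocopy.exe"):
            continue
        switches = {tok.lower() for tok in e.cmdline.split() if tok.startswith("/")}
        if required <= switches:
            hits.append(e)
    return hits


if __name__ == "__main__":
    for hit in hunt_script_from_removable(SAMPLE_EVENTS):
        print("T1091 script from removable drive:", hit.cmdline)
    for hit in hunt_robocopy_move_with_exclusions(SAMPLE_EVENTS):
        print("T1091 robocopy /MOVE with exclusions:", hit.cmdline)
```

Two caveats when moving this onto real telemetry: drive letters D: to F: are not guaranteed to be removable media (a second fixed disk or an optical drive commonly lands there), so where your sensor exposes the device or volume type, join on that instead of the letter; and robocopy with /MOVE plus exclusions is also what a normal migration job looks like, so the robocopy hit is a hunting lead to pivot on (parent process, source drive, user), not an alert on its own.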