Bengaluru, Karnataka, INDIA 560042
+91-9784367546, +91-8839669785

Replication Through Removable Media(T1091)

A Real World Adversary Labs

Replication Through Removable Media(T1091)



The above mentioned title” REPLICATION BY REMOVABLE MEDIA “ means spreading of a malevolent program through some removable devices like USB device, floppy, CD, External hard drives and etc. by copying or reproducing itself.

  With the evolution in the field like IT industry, many advanced technologies and services came into existence. All these are making our lives easier day by day. The amalgamation of these two i.e. technology and services with the help of the internet have become a part of our lives, to a great extent. As everything in this nature has some pros and cons, these technologies have some cons too. Through these services, we are providing more area (let’s say surface) for the intruders to attack the high tech companies and the organisations. By which they gain the initial access (i.e. the first foothold in attacking scenario) to the organisations and exploit their services causing havoc in our lives.

These removable devices play a crucial role in the initial access phase as mentioned in the MITRE ATT&CK Framework(T1091).


MITRE is a non-profit organisation dedicated to solve problems in a view to have a safer world. It has brought all the communities having a common goal to develope more effective CYBERSECURITY for every nation. This was established in the year 1958, as a systems Engineering Company. Now, it has released the MITRE ATT&CK( list as a globally accessible knowledge base of adversary techniques(which provide a description of the tools and methodology use) and tactics(types of strategies involved in well planned attack), based upon real-world observations. This information can then be used as the basis for the foundation of the development of threat models and methodologies for the cybersecurity product/service community, the private sector and government use.

How removable devices came into existence??

Earlier, when man-kind started using the computers for doing small tasks on their systems like simple calculations, and other automation tasks so that this prevents them from doing the boring tedious tasks. But as the time passed we started expecting our systems to store all our data, personal documents High-definition images and videos. Eventually, the amount of data used by a person on an average increased from a few megabytes to some Terabytes. To handle this large amount of data Removable disks came into existence.

A removable device helps us to store and transport data in the most convenient way possible between computers.

To name few, we have:

  • Floppy
  • CD/DVD
  • USB flash drives
  •   Memory cards·   External Hard Drives

And many more…

But, the most important thing which is to be considered is The technology associated with these removable devices can pose a great threat which cannot be ignored i.e. the AutoRun feature.

What is AutoRun feature??

This is the most common default feature in the windows operating system. It has a companion feature called AutoPlay which is one of the components of the Microsoft Windows Operating System. Based on the content present in the device like images, audio or video a it will launch an appropriate application to play or display the content. It was introduced in Windows 95, to ease the application installation for the non-technical users i.e. provide automation for software installations and multimedia applications and reduce the cost of software support calls. A file named autorun.inf is responsible for this auto magic when a removable device is mounted. Windows explorer will read the content present in this file (autorun.inf) and will automatically initiate any instructions it finds.

This feature is used by Cyberpunk to infect the system with some malware.

There are few things, which can be done to control this infection like:

  • Disable the AutoRun
  • Implement restrictive removable media policy
  • Check the removable media on a secured system prior to its use
  • Instruct the users with the basics of this AutoRun feature


Attack Scenario

Real time examples:

Below is a list of notable real-world examples of this attack technique.


Flame, also known as Flamer, sKyWIper, and Skywiper, is modular computer malware discovered in 2012 that attacks computers running the Microsoft Windows operating system. The program is being used for targeted cyber espionage in Middle Eastern countries like Iran, Lebanon, Syria, Sudan . Flame’s technical complexity and its usage is linked with the prior targeted malwares Stuxnet and Duqu. This malware is capable of infecting myriad number of computers to gather sensitive information like:

  • Able capture environment sounds via the system’s microphone
  • Able to capture screenshots when specific processes or windows are active
  • Able to forward saved information to a remote server


DarkHotel is a cyber attack group that engages in highly targeted malicious attacks. They seek to compromise and steal data from valuable targets like C-level business executives and other high-level figures. DarkHotel APT remains a major risk for governments, enterprises, and other institutions.  They track traveler’s plans and attack them via hotel Wi-Fi. Since their initial rising, they have scaled beyond business targets to attack politicians and more. DarkHotel has been known to compromise luxury hotel networks, then stage attacks from those networks on selected high-profile victims. They use :

  • DDoS attacks or
  •  installing more sophisticated espionage tools on the computers of particularly interesting victims.

Type of individuals targeted are:

  • Defense Industrial Bases (DIB)
  • Governments and Non-government organizations (NGOs)
  • Large electronics and peripherals manufacturers
  • Pharmaceutical companies, medical providers


It was a malicious computer worm that traveled through the USB sticks and spread across the Microsoft Windows  exploits multiple previously unknown Windows zero-day vulnerabilities to infect computers and spread. Its purpose was not just to infect PCs but to cause real-world physical effects. Specifically, it targets centrifuges used to produce the enriched uranium that powers nuclear weapons and reactors. Despite its extensive spread and widespread infectious rate it does little or no harm to the computers not involved in the uranium enrichment.

  • This worm was developed by the intelligence agencies of the United states and Israel and called it as “operation Olympic games”. The main reason behind the development of this dangerous malware was, these two governments U.S and Israel wanted to derail or delay Iran’s program of developing the nuclear weapons.
  • This nuclear power plant was far away from internet connections, so the only way to affect their systems with the malware was to use an infected USB delivered by the intelligence agents or unwilling dupes. 

But later, due to some modifications in the code by the Israelis it spread like a wildfire all over the world infecting some millions of systems, did a little damage to the outside systems it infected.

Rubber Ducky:

Did u ever came across the following advice:

If you ever find a USB device (thumb drive or flash drive) don’t plug it in without prior security measures.

Yeah, this advice started popping up everywhere, because of cyber-physical attack which gained popularity in the year 2010 with the invention of the USB called “RUBBER DUCKY”


Rubber Ducky

We are not talking about this rubber ducky.

 But this one,


USB Rubber Ducky

This USB uses a keystroke injection technology, which runs a code automatically into the host computer into which it is plugged in. It registers itself as any unsuspecting device like a USB keyboard  and launches a keystroke payload into the computers. This payload helps to steal passwords,

  • Drop malware, 
  • Install “back doors” into systems,
  • Ex-filtrate data, and more.

The language used in this tool is called Ducky script. Which is simple and written in ALL CAPS format.


Detection is possible for this attack technique. We can follow the below mentioned measures to identify the presence of this type of technique:

  • Monitor file access on removable media.
  • Detect processes that execute from removable media after it is mounted or when initiated by a user.
  • If a remote access tool is used in this manner to move laterally, then additional actions are likely to occur after execution, monitor for the following:

  1. network connections for  Command and Control system and 
  2. network information Discovery.


  1. Always use Trusted VPN. 
  2.  Learn and understand the red flags of spear phishing attacks.
  3. Verify the authenticity of the email via official phone numbers or in-person contact when possible.
  4. Maintain and update all system software
  5. Always verify executable files and treat files shared over P2P networks with caution and suspicion.


Replication through removable media is a traditional attack technique that has been around for decades. An adversary can not only copy some malware and other malicious files, executable on to the systems manually, but he can also make these executable replicate themselves on the target machines, causing the malware to spread like a wild fire.

But our information security researchers do provide some mitigation and detection techniques, following these may reduce the impact of this this age-old menace.

Tags: , ,

Leave a Reply

Your email address will not be published. Required fields are marked *