Hello! I’m Nick Hyatt, Director of Threat Intelligence at Blackpoint Cyber.

In this month’s Threat Digest, we’re going to continue exploring the MITRE ATT&CK Initial Access tactic. This month, we’re looking specifically at T1091, also known as Replication Through Removable Media:

  • What is it?
  • How is it used?
  • What are real-world threat actors doing to take advantage of this technique?

To recap, the MITRE Adversary Tactics, Techniques, and Common Knowledge (also known as ATT&CK) framework is an alternative to Lockheed Martin’s Cyber Kill Chain framework. It’s designed around detecting tradecraft – the ways you can spot an attacker’s behavior during an incident.

There are 14 categories overall, but today we’re continuing our focus on Initial Access.

Initial Access is, put simply, an attacker trying to get into your network. While there are 10 techniques that further make up the Initial Access category, today we are discussing T1091: a technique known as Replication Through Removable Media. This technique is all about an attacker using removable media (like a USB drive) to install malware.

Our example today looks at a [Blackpoint partner] incident where an employee inserted a rogue USB drive into a system.

Unfortunately, the USB drive was infected with the Raspberry Robin malware. Raspberry Robin is an extremely popular loader malware with worm capabilities. Loader malware is malicious software whose purpose is to load additional malware onto the system, speeding up the threat actor’s activities.

The malware’s worm capabilities give it the ability to spread laterally through the network before deploying the additional malware, ensuring that the attacker can deploy in the most effective place.

Defending against attacks like this involves several different actions – awareness training, segmentation, and restriction.

  1. Conduct employee security awareness training to ensure employees are aware of the risks of rogue removable memory devices. While in this case we don’t have the context for why the employee inserted the rogue USB drive, additional awareness training about the risks of malicious USB drives could have prompted the employee to think twice about plugging in unofficial devices.
  2. Segment critical systems so they are isolated from less secure areas, and prevent unauthorized communication between segments. By separating your organization’s environment into specific groups of endpoints, applications, and users, threat actors using malware such as Raspberry Robin will find themselves unable to spread laterally to more desirable areas of an environment – and with fewer ways to persist within the infected environment once discovered.
  3. Employ access controls that restrict end users’ removable memory access, to reduce the opportunity for malicious USB drives or other media to execute their payloads.

If this environment had controls in place that prevented the reading of removable memory devices like USB drives, then the Raspberry Robin malware could never have deployed at all!
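As an added example (not from the original digest or from Blackpoint), the following PowerShell audits the Windows removable-storage policy that backs the "restrict removable memory access" control in step 3 and, if asked to, enforces it. The registry path, device class GUID and Deny_* value names are the documented Group Policy backing values for "Removable Disks: Deny read/execute access"; the function names are my own.

```powershell
# Added example, not Blackpoint's code. Audit (and optionally enforce) the
# Windows policy that denies read/execute access to removable disks, the
# control that would have stopped a USB-borne loader from being read at all.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device setup class GUID used by the "Removable Disks" policy template
$RemovableDiskClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$ClassKey = Join-Path $PolicyRoot $RemovableDiskClass

function Get-RemovableMediaPolicy {
    # Returns the deny flags (0 = allowed, 1 = denied) currently set by policy.
    $denyAll = 0; $denyRead = 0; $denyExec = 0
    if (Test-Path $PolicyRoot) {
        $root = Get-ItemProperty -Path $PolicyRoot -ErrorAction SilentlyContinue
        $denyAll = [int]$root.Deny_All          # "All Removable Storage classes: Deny all access"
    }
    if (Test-Path $ClassKey) {
        $cls = Get-ItemProperty -Path $ClassKey -ErrorAction SilentlyContinue
        $denyRead = [int]$cls.Deny_Read
        $denyExec = [int]$cls.Deny_Execute
    }
    [pscustomobject]@{
        DenyAll     = $denyAll
        DenyRead    = $denyRead
        DenyExecute = $denyExec
        # If reading is denied (or everything is), a payload on the drive cannot be loaded.
        Protected   = ($denyAll -eq 1) -or ($denyRead -eq 1)
    }
}

function Set-RemovableMediaDeny {
    param([switch]$Read, [switch]$Execute)
    # Creates the policy key if needed and sets the requested deny flags. Requires admin.
    if (-not (Test-Path $ClassKey)) { New-Item -Path $ClassKey -Force | Out-Null }
    if ($Read)    { New-ItemProperty -Path $ClassKey -Name 'Deny_Read'    -Value 1 -PropertyType DWord -Force | Out-Null }
    if ($Execute) { New-ItemProperty -Path $ClassKey -Name 'Deny_Execute' -Value 1 -PropertyType DWord -Force | Out-Null }
    Get-RemovableMediaPolicy
}

# Audit first; enforcement is left commented out so the script is safe to run read-only.
$state = Get-RemovableMediaPolicy
if ($state.Protected) {
    Write-Output "Removable disk access is already restricted by policy."
} else {
    Write-Warning "Removable disks are readable: Deny_Read=$($state.DenyRead) Deny_Execute=$($state.DenyExecute)"
    # Set-RemovableMediaDeny -Read -Execute   # uncomment to enforce from an elevated prompt
}
```

Setting these values by hand mirrors what the corresponding Group Policy Object writes; in a domain, deploy the GPO instead so the setting is applied consistently and survives local tampering.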

Adversaries are always looking for advantages over defenders. Fortunately, by using behavior-based detection built around tactics like Initial Access rather than relying on indicators of compromise, there are more opportunities to detect and stop attackers.

Until next month, be safe and do good work.

Written and Recorded By:

Nick Hyatt, Director of Threat Intelligence

Nick Hyatt has extensive expertise in technology, support, and information security, with experience spanning small businesses to Fortune 500 companies across various industries. He has a deep understanding and practical experience in incident response, threat intelligence, digital forensics, and malware analysis. His hands-on skills encompass malware forensics, data mapping, threat hunting, and e-discovery in diverse environments.

Connect with Nick on LinkedIn.