Comment by gruez

5 days ago

Seems light on details. How is it executing the payload? Is it doing something like badusb where it emulates a keyboard to run the payload? Wouldn't that be super obvious? Or is it something as simple as telling the user to install a "driver"?

12 comments

gruez

geor9e 5 days ago

The dongle enumerates as a USB hub with two USB devices plugged into it. One is an ethernet dongle, which is the sort of hardware that may require a driver. The second device is a USB flash drive containing a .exe, which extracts a file called Setup.exe. It won't execute unless the user manually executes it - it's just a USB drive after all. Maybe the .exe contains malware, maybe it doesn't. Maybe antivirus scans give false positives. Maybe the manufacturer found a clever way to save money by combining the two USB devices they normally shipped together. Maybe this twitter account just made a nice paycheck from clickbait engagement.

karotte 4 days ago

Believe it or not, but 'enumerating as a CD-ROM' drive is actually a documented feature of some Realtek USB Ethernet Interfaces: https://www.lcsc.com/datasheet/lcsc_datasheet_2206141400_Rea... (6.16. Driver Auto-Install Mode, page 24).

johann8384 5 days ago

From the replies it sounds like it mounted as a storage device and ran autorun. It was super obvious which is what caused them to take notice.

geor9e 5 days ago
Autorun has been disabled since the release of Windows 7 in 2009.
- unsnap_biceps 5 days ago
  
  For what it's worth, I just checked on my windows 11 install and it was (somewhat) enabled.
  Settings -> Bluetooth & Devices -> AutoPlay -> Use AutoPlay for all media and devices
  Was set to on, and "Removable drive" was set to "Choose a default", which appears to be equivalent to "Ask me every time".
  I don't have anything (that I'm aware of) that auto-runs something, but I presume it will prompt me asking if I want to run setup.exe, which seems somewhat reasonable for new hardware.
  And from the malware analysis, https://www.hybrid-analysis.com/sample/e3f57d5ebc882a0a0ca96... , it's signed by "Owner: CN=Microsoft Windows Hardware Compatibility Publisher, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; Issuer: CN=Microsoft Windows Third Party Component CA 2012, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US" which also looks pretty legit.
  I can totally see a lot of folks allowing it to run.
  
  4 replies →
- hulitu 5 days ago
  
  > Autorun has been disabled since the release of Windows 7 in 2009.
  No. Microsoft just said it will disable it. On some systems, i've seen it disabled (i don't know if by default or by AD policy) but, on the majority of Windows 10, it was not disabled.
  
  1 reply →
olyjohn 5 days ago

Please tell me Windows doesn't STILL autorun off of external drives? I thought that was solved years ago...