USB worms: Still wriggling on to under-protected computers after all these years
Pieter Arntz · 2025-02-24 · via Threat Walkthroughs – ThreatDown by Malwarebytes

Malware doesn’t care if it’s being talked about or not.

When you think of malware, you probably don’t think of old school USB worms, but our Managed Detection and Response (MDR) experts actually noticed an increase in USB worms in 2024. In this article we present an example of a USB worm from the Jenxcus family they recently ran into.

USB worms spread through infected USB drives. When an unsuspecting user plugs an infected drive into their computer, a dropper initiates a payload and infects the system. In turn, the infected system will then infect every USB device that’s plugged into it.

Screenshot: full VBE code

Some of the commands are clearly gathering system information, such as the computer’s hostname and the current username.

IWshShell3.ExpandEnvironmentStrings("%computername%");
IWshShell3.ExpandEnvironmentStrings("%username%");

Other commands query system information using Windows Management Instrumentation (WMI).

ISWbemServicesEx.ExecQuery("select * from win32_logicaldisk");
ISWbemServicesEx.ExecQuery("select * from win32_operatingsystem");

The script also adds two startup entries to the registry for persistence.

IWshShell3.RegWrite("HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\run\\Microsoft", "wscript.exe //B \"C:\\Users\\{username}\\AppData\\Roaming\\Microsoft.vbe\"", "REG_SZ");
IWshShell3.RegWrite("HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\run\\Microso", "wscript.exe //B \"C:\\Users\\{username}\\AppData\\Roaming\\Microsoft.vbe\"", "REG_SZ");

It also creates a fake Microsoft shortcut on the F: drive (usually a removable drive) that runs Microsoft.vbe to trick users.

IWshShell3.CreateShortcut("F:\System Volume Information.lnk");
IWshShortcut.TargetPath("cmd.exe");
IWshShortcut.Arguments("/c start Microsoft.vbe&start explorer System Volume Information&exit");

It queries the active antivirus protection:

ISWbemServicesEx.ExecQuery("select * from antivirusproduct", "wql", "0");

And it displays the typical USB worm behavior by copying itself to the F: drive, where it will patiently wait for the next person to plug the flash drive into a Windows system.

IFileSystem3.CopyFile("C:\\Users\\{username}\\AppData\\Roaming\\Microsoft.vbe", "F:\\Microsoft.vbe", "true");
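As an added defender-side example (not code from the article or from ThreatDown), the Python below runs a few heuristics over sandbox-style API trace lines in the call format quoted above and turns the behaviours walked through here (Run-key persistence, the masquerading .lnk, the AV query, the self-copy to a drive root) into a verdict; the trace, the user name and the rule names are constructed for the example.

```python
import re

# Constructed sample trace in the sandbox-style call format quoted in the
# article; the user name is made up, the behaviours mirror the walkthrough.
SAMPLE_TRACE = [
    r'IWshShell3.ExpandEnvironmentStrings("%computername%");',
    r'ISWbemServicesEx.ExecQuery("select * from win32_logicaldisk");',
    r'IWshShell3.RegWrite("HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\run\\Microsoft", "wscript.exe //B \"C:\\Users\\alice\\AppData\\Roaming\\Microsoft.vbe\"", "REG_SZ");',
    r'IWshShell3.CreateShortcut("F:\System Volume Information.lnk");',
    r'IWshShortcut.TargetPath("cmd.exe");',
    r'IWshShortcut.Arguments("/c start Microsoft.vbe&start explorer System Volume Information&exit");',
    r'ISWbemServicesEx.ExecQuery("select * from antivirusproduct", "wql", "0");',
    r'IFileSystem3.CopyFile("C:\\Users\\alice\\AppData\\Roaming\\Microsoft.vbe", "F:\\Microsoft.vbe", "true");',
]

# Heuristic rules named after the behaviours the article walks through.
# Single or doubled backslashes are accepted because traces differ in escaping.
RULES = [
    ("run_key_launches_vbe",
     re.compile(r'RegWrite\(".*\\+currentversion\\+run\\+.*wscript\.exe.*\.vbe', re.I)),
    ("lnk_masquerades_as_system_folder",
     re.compile(r'CreateShortcut\("[A-Z]:\\+System Volume Information\.lnk"', re.I)),
    ("lnk_starts_script",
     re.compile(r'Arguments\(".*\bstart\b.*\.vbe', re.I)),
    ("enumerates_av_products",
     re.compile(r'ExecQuery\("select .* from antivirusproduct', re.I)),
    ("copies_self_to_drive_root",
     re.compile(r'CopyFile\(".*\\+AppData\\+.*\.vbe",\s*"[A-Z]:\\+[^\\"]+\.vbe"', re.I)),
]

def scan_trace(lines):
    """Return the set of rule names that fire on any line of the trace."""
    found = set()
    for line in lines:
        for name, pattern in RULES:
            if pattern.search(line):
                found.add(name)
    return found

# Run-key persistence plus a self-copy to a drive root is what separates a USB
# worm from a one-off dropper; the other findings only raise confidence.
CORE = {"run_key_launches_vbe", "copies_self_to_drive_root"}

def classify(findings):
    """Map a set of findings to a verdict string."""
    if CORE <= findings:
        return "usb-worm-pattern"
    return "suspicious-wsh-activity" if findings else "clean"
```

The same rules can be pointed at a real sandbox export line by line; a legitimate Run-key entry that launches an .exe rather than wscript.exe with a .vbe does not trigger the persistence rule.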

The script also references a URL at update32.hopto.org:82/is-ready/ for command and control, which has been active since 2015. Because of the /is-ready/ part of the URL, we suspect that this worm is a WSH Remote Access Trojan (RAT) in the Jenxcus family.

The WSH RAT (Windows Script Host Remote Access Trojan) has been around since at least 2013. Among other things, it is capable of stealing system information and stealing passwords from web browsers and email clients. It is also capable of disabling anti-malware solutions and Windows’ UAC (User Account Control).

Maybe the deprecation of VBScript in 2027 will finally put an end to these worms. Until then, ThreatDown’s Application Block can stop unwanted scripting engines, and its Device Control can prevent unauthorized devices from accessing sensitive data and ensure that only approved devices can interact with your network.