
This was described in the original post[1].

> It is probable that this unknown component finds the last modified directory on the USB drive, hides it, and renames itself with the name of this directory, which is done by JackalWorm. We also believe that the component uses a folder icon, to entice the user to run it when the USB drive is inserted in an air-gapped system, which again is done by JackalWorm.

[1] https://www.welivesecurity.com/en/eset-research/mind-air-gap...




Does the malware EXE that now looks like a Folder icon with same name as the last modified actual folder (which is now hidden) ... also redirect the user to the actual folder and its contents in file Explorer after successfully delivering its malicious payload?

THAT would probably ensure the user does not suspect anything nefarious has happened, even after the fact.

Now how Windows Defender and other heuristics based firewalls would not treat the malicious EXE with folder icon as a threat and quarantine it immediately -- I don't know.


> how Windows Defender and other heuristics based firewalls would not treat the malicious EXE with folder icon as a threat and quarantine it immediately -- I don't know.

The "malicious" exe, as I understood it, just boots up Python to run a script, where the actual malice lies. Windows Defender has to treat an executable that does only this as benign - because Python's packaging tools provide such executables (so that Windows users can get applications - including (upgrades to) Pip itself - from PyPI that "just work" in a world without shebangs and +x bits). For that matter, standard tools like Setuptools could well have been used as part of crafting the malware suite.

Presumably they could notice that an .exe has the normal folder icon. But presumably that icon could also be slightly modified in ways that would defeat heuristic recognition but still appear like a folder icon to a not-especially-attentive human.

> Does the malware EXE that now looks like a Folder icon with same name as the last modified actual folder (which is now hidden) ... also redirect the user to the actual folder and its contents in file Explorer after successfully delivering its malicious payload?

I didn't see anything about that in the description of the attack. But I assume that the Python script could accomplish this by just making an appropriate `subprocess.run` call to `explorer.exe`.
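A defender-side check for the masquerade the quoted ESET text describes (an executable that takes the name of a directory on the same removable drive while the real directory is marked hidden). This is an added example, not ESET's code or anything from the thread; the `Entry` record, the `scan`/`find_folder_masquerades` names, the executable-extension list and the constructed `SAMPLE` listing are my own assumptions. On non-Windows hosts the hidden flag falls back to a dot-prefix convention so the script still runs offline.

```python
"""Flag executables on a removable drive that share a name with a sibling
directory, the folder-icon trick quoted above. Added example; names and
sample data are assumptions, not part of the original report."""
import os
import stat
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Windows executable extensions a double-click will run (assumed list).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}


@dataclass(frozen=True)
class Entry:
    """Minimal view of one directory entry."""
    parent: str   # folder that contains the entry
    name: str     # entry name as shown in Explorer
    is_dir: bool
    hidden: bool  # FILE_ATTRIBUTE_HIDDEN set (Windows) or dot-prefixed (elsewhere)


def _is_hidden(entry: os.DirEntry) -> bool:
    """Windows exposes the hidden attribute via st_file_attributes; other
    platforms raise AttributeError, so fall back to the dot-prefix convention."""
    try:
        attrs = entry.stat(follow_symlinks=False).st_file_attributes
        return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    except AttributeError:
        return entry.name.startswith(".")


def scan(root: str) -> List[Entry]:
    """Walk a drive (or any folder) iteratively and collect Entry records."""
    found: List[Entry] = []
    stack = [root]
    while stack:
        folder = stack.pop()
        try:
            with os.scandir(folder) as it:
                for e in it:
                    is_dir = e.is_dir(follow_symlinks=False)
                    found.append(Entry(folder, e.name, is_dir, _is_hidden(e)))
                    if is_dir:
                        stack.append(e.path)
        except PermissionError:
            continue  # unreadable folder: skip rather than abort the sweep
    return found


def find_folder_masquerades(entries: Iterable[Entry]) -> List[dict]:
    """Return executables whose stem equals a sibling directory's name.
    Severity is 'high' when that directory is hidden (the pattern quoted
    from the ESET report) and 'medium' when it is merely shadowed."""
    by_parent: Dict[str, List[Entry]] = {}
    for e in entries:
        by_parent.setdefault(e.parent, []).append(e)

    hits: List[dict] = []
    for parent, items in by_parent.items():
        dirs = {i.name.lower(): i for i in items if i.is_dir}
        for i in items:
            if i.is_dir:
                continue
            stem, ext = os.path.splitext(i.name)
            if ext.lower() not in EXEC_EXTS:
                continue
            twin = dirs.get(stem.lower())
            if twin is None:
                continue
            hits.append({
                "parent": parent,
                "name": i.name,
                "shadowed_dir": twin.name,
                "dir_hidden": twin.hidden,
                "severity": "high" if twin.hidden else "medium",
            })
    return sorted(hits, key=lambda h: (h["parent"], h["name"].lower()))


# Constructed sample listing standing in for a scanned USB drive.
SAMPLE = [
    Entry("E:\\", "Reports", True, True),        # real folder, now hidden
    Entry("E:\\", "Reports.exe", False, False),  # executable wearing its name
    Entry("E:\\", "Photos", True, False),
    Entry("E:\\", "Photos.scr", False, False),   # shadows a visible folder
    Entry("E:\\", "setup.exe", False, False),    # ordinary installer, no twin
    Entry("E:\\", "notes.txt", False, False),
]

if __name__ == "__main__":
    for hit in find_folder_masquerades(SAMPLE):
        print(f"[{hit['severity']}] {hit['parent']}{hit['name']} "
              f"mirrors folder '{hit['shadowed_dir']}' (hidden={hit['dir_hidden']})")
```

To sweep a real drive, pass `scan("E:\\")` (or the mount point on another OS) to `find_folder_masquerades` instead of `SAMPLE`. The check deliberately ignores icons, since the reply above notes an icon can be perturbed past a heuristic while still reading as a folder to a person; the name collision with a hidden sibling directory is the part of the described behaviour that is cheap to check on every insertion.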


And also, which person setting up an air gapped system allows execution from a removable media? You'd think with that level of paranoia you'd have a couple more rules in place.

Huh, so it was B then. And good idea to use the folder, that's something you'd be more likely to click on than a regular file.


