
tldr: The breach relied on careless human(s) using a USB key to and from the air-gapped systems. All the clever technology would have been for naught had the staff used robust physical security procedures.


What protocol would you have recommended?


Using any kind of storage media to transfer data to a Windows machine is by default a disaster waiting to happen.

Windows natively provides the ability for executables to embed icons (known as resources) for the file manager to render them as. This, combined with the default of hiding file extensions for known types (e.g. .exe), is a recipe for a user eventually executing the malware instead of opening the file or directory they wanted.

This malware exploits that very fact by naming itself after the most-recently modified directory on the drive and embedding an icon that ensures that the file manager will render it as a directory.

If you ensured by policy that file extensions were never hidden, that resources were not rendered (every exe got the default icon [1]), and that every user received regular training to properly distinguish files from each other (and files from directories), this risk could be somewhat managed. Good luck; I don't even know if you can disable resource rendering.

[1] https://i.sstatic.net/vY5dQ.png


USB can be OK; however, you need something like a staging machine to scan the files before entry, plus the use of a write-block device on the USB hard drive. These are commonly used in forensics.

https://www.nist.gov/itl/ssd/software-quality-group/computer...

This also tends to be a supply chain and insider threat.


Scan them with what exactly? If you're hinting at AVs — I honestly doubt they could be useful against novel state-sponsored malware.


It would have caught it once Kaspersky reported it and they were keeping their AV definitions up to date.

A write block prevents transfer back to the USB, which is the exfiltration mechanism.



Based on other comments here, typically the USB key is destroyed after the data has been copied into the network. No data is allowed to exit the air-gapped network.

Read-only media or destroying the media after use is a reasonable mechanism to protect against data exfiltration.

I'm not sure how you protect against infiltration though. A computer system that cannot get data in is pretty useless methinks.


I don't know, but maybe NOT USING systems with ShowSuperHidden features would help?

Such a thing just MUST BE a helper for creating malware; what else could it be? Definitely for circumventing human users.

Good job, Microsoft! Autoexec.bat is proud of you! /s


I wouldn't use Windows at all. USB media? Authenticated and encrypted, with some system like NNCP and a little multiplatform Go-based GUI (or heck, Tcl/Tk) on top.


Not just that. You can blame USB but the question is still how the malware got to run on the target system. Did the user double click on the malware? Did it try to exploit Explorer trying to preview a file? Did it modify the USB stick's firmware such that it sends commands to the computer that exploit the Windows USB storage driver? Something else?

So the interesting TLDR, to me, is this:

> [The malware on the infected computer] finds the last modified directory on the USB drive, hides it, and renames itself with the name of this directory, [...]. We also believe that the component uses a folder icon, to entice the user to [click on] it when the USB drive is inserted in an air-gapped system

So the attack vector is "using a transfer medium where data can be replaced with code and the usual procedure [in this case: opening the usual folder] will cause the code to run".
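The "folder impostor" pattern the thread describes (an executable named after a sibling directory, which is then hidden) can be checked for on the staging machine mentioned above before media is carried across. The following is an added example, not code from the thread or from any vendor: it walks a mounted drive, flags every executable whose name minus extension matches a sibling directory, and reports whether that directory carries the hidden attribute (on Windows) or a dot prefix (elsewhere). The extension list and the sample drive layout are constructed for the example.

```python
"""Staging-machine check for 'folder impostor' files on removable media."""
import os
import stat
import tempfile
from pathlib import Path

# Extensions Explorer runs on double-click; constructed list for this example.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".lnk"}


def is_hidden(path: Path) -> bool:
    """Hidden attribute on Windows; dot-prefix convention on other systems."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    if attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0):
        return True
    return path.name.startswith(".")


def find_folder_impostors(root: Path) -> list[dict]:
    """One finding per executable that shares its stem with a sibling directory."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        base = Path(dirpath)
        dirs = {d: base / d for d in dirnames}
        for fname in filenames:
            f = base / fname
            if f.suffix.lower() not in EXECUTABLE_EXTS:
                continue
            twin = dirs.get(f.stem)          # directory with the same visible name
            if twin is None:
                continue
            findings.append({
                "executable": str(f.relative_to(root)),
                "shadowed_dir": str(twin.relative_to(root)),
                "dir_hidden": is_hidden(twin),
            })
    return findings


def demo() -> list[dict]:
    """Build a constructed drive layout and scan it: one impostor, one benign dir."""
    root = Path(tempfile.mkdtemp())
    (root / "Reports").mkdir()
    (root / "Reports.exe").write_bytes(b"MZ")   # impostor beside the real folder
    (root / "tools").mkdir()
    (root / "readme.txt").write_text("benign")
    return find_folder_impostors(root)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

A hit with `dir_hidden` true is the exact shape the thread's quote describes; with extensions hidden, Explorer would show two entries that look identical.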



