Anonymous ID: c90330 Nov. 12, 2020, 10:58 a.m. No.11611665

Have we talked Brutal Kangaroo?


A Brutal Kangaroo infection requires multiple steps. First, an Internet-connected computer in the targeted organization must be infected. Brutal Kangaroo utilizes four components to infect isolated computers and execute arbitrary code:


Drifting Deadline is the thumbdrive infection tool. Advanced configurations provide flexibility and allow tailor-made solutions for cyber operations.

Shattered Assurance is a server tool that is deployed to the Internet-connected computer and handles automated infection of thumbdrives remotely.

Shadow is a stage two tool that is distributed across a closed network and acts as a covert command-and-control network and the primary persistence mechanism. Once multiple Shadow instances are installed and share USB drives, tasking and payloads can be sent back and forth.

Broken Promise is the postprocessor in the back end and used to decrypt the collected data.

The primary execution vector used by the infected thumbdrives is a vulnerability in Windows that can be exploited by hand-crafted link files that load and execute programs without user interaction other than viewing them in Internet Explorer. Older versions of the tool suite used a mechanism called EZCheese, but a newer version called Lachesis/RiverJack seems to use a different link file vulnerability related to Windows' library-ms functionality.


https://www.cybereason.com/blog/blog-brutal-kangaroo-shows-even-air-gapped-networks-are-vulnerable-to-attackers
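The post names two file types as the execution vector on the infected thumbdrives: hand-crafted shortcut (.lnk) files and, in the newer Lachesis/RiverJack variant, Windows library-ms files. The script below is an added defensive example, not code from the post, from Cybereason, or from the tool suite itself: it walks a removable-drive directory tree, identifies real Shell Link files by their MS-SHLLINK header rather than by extension, parses each .library-ms file's XML and flags any library whose search location points at a UNC share or a URL scheme, which a library sitting on a USB stick has no reason to do. The directory layout, the sample files and the "remote location" heuristic are assumptions constructed for illustration.

```python
"""Audit a removable-drive tree for the two file types the post names as
Brutal Kangaroo's execution vector: Windows shortcut (.lnk) files and
library description (.library-ms) files.  Added defensive example; not
code from the post, Cybereason or the leaked tool suite.  The directory
layout, the sample files and the "remote location" heuristic are
assumptions made for illustration."""
import os
import tempfile
import xml.etree.ElementTree as ET

# ShellLinkHeader (MS-SHLLINK): HeaderSize 0x0000004C followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046} as a little-endian GUID.
LNK_MAGIC = b"\x4c\x00\x00\x00"
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# XML namespace used by Windows library description files.
LIB_NS = "{http://schemas.microsoft.com/windows/2009/library}"


def is_shell_link(path):
    """True if the file starts with a well-formed ShellLinkHeader."""
    with open(path, "rb") as fh:
        head = fh.read(20)
    return head[:4] == LNK_MAGIC and head[4:20] == LNK_CLSID


def library_locations(path):
    """Return every <url> a .library-ms file asks Explorer to enumerate."""
    tree = ET.parse(path)
    return [el.text.strip() for el in tree.iter(LIB_NS + "url") if el.text]


def is_remote_location(url):
    """Heuristic (assumption): a library on removable media should not point
    at a UNC share or a URL scheme.  Tune to your environment."""
    u = url.strip().lower()
    return u.startswith("\\\\") or u.startswith("//") or "://" in u


def audit_drive(root):
    """Walk the drive and return (kind, path, detail) findings."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext == ".lnk" and is_shell_link(full):
                # Any genuine shortcut on removable media merits review;
                # fuller triage would go on to parse the link target.
                findings.append(("lnk", full, None))
            elif ext == ".library-ms":
                try:
                    locations = library_locations(full)
                except ET.ParseError:
                    findings.append(("library-ms-malformed", full, None))
                    continue
                for loc in locations:
                    if is_remote_location(loc):
                        findings.append(("library-ms-remote", full, loc))
    return findings


_LIBRARY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>{url}</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""


def build_sample_drive():
    """Create a constructed drive image in a temp dir: one benign library
    (the Documents known folder), one pointing at a UNC share, a text file
    mis-named .lnk, and a minimal genuine ShellLinkHeader."""
    root = tempfile.mkdtemp(prefix="usb_audit_")
    docs = "knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}"
    remote = r"\\remote-host.invalid\share"  # constructed placeholder
    with open(os.path.join(root, "Documents.library-ms"), "w") as fh:
        fh.write(_LIBRARY_XML.format(url=docs))
    with open(os.path.join(root, "Photos.library-ms"), "w") as fh:
        fh.write(_LIBRARY_XML.format(url=remote))
    with open(os.path.join(root, "notes.lnk"), "w") as fh:
        fh.write("just text, not a shortcut\n")
    with open(os.path.join(root, "Open Me.lnk"), "wb") as fh:
        fh.write(LNK_MAGIC + LNK_CLSID + b"\x00" * 56)  # 76-byte header
    return root


if __name__ == "__main__":
    for kind, path, detail in audit_drive(build_sample_drive()):
        print(kind, os.path.basename(path), detail or "")
```

Run against a mounted removable drive by calling `audit_drive("/path/to/mount")`; on the constructed sample it reports the UNC-backed library and the one genuine shortcut, and ignores both the Documents library and the text file that merely carries a .lnk extension. The header check matters because extension-based rules miss renamed files and fire on harmless ones; the library check matters because the attention a .library-ms file deserves depends entirely on where it tells Explorer to look.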