In a recent report, researchers at Kaspersky Labs wrote about the use of a USB spreader by Crimson RAT as a mechanism to maintain persistence within an environment. The spreader works in three separate modes: downloader, infector, and stealer.
When a host is already infected with Crimson RAT and the conditions are met to download another client, the spreader selects a USB device, hides the contents of the drive in hidden folders, and leaves an executable disguised as a folder on the drive. If a user attempts to open the fake folder while the USB device is plugged into a different machine, the RAT executes, calls back to the C2, and the infection process repeats. Lastly, if there are any files of interest on the drive, those files can be sent back out to the C2.