• United States



CSO Senior Writer

Cybercriminal group mails malicious USB dongles to targeted companies

News Analysis
Mar 27, 20207 mins

Shown as a proof-of-concept in 2014, this is the first known use of the BadUSB exploit in the wild.

Malicious USB dongle / memory stick / thumb drive with skull icon
Credit: M-A-U / Getty Images

Security researchers have come across an attack where an USB dongle designed to surreptitiously behave like a keyboard was mailed to a company under the guise of a Best Buy gift card. This technique has been used by security professionals during physical penetration testing engagements in the past, but it has very rarely been observed in the wild. This time it’s a known sophisticated cybercriminal group who is likely behind it.

The attack was analyzed and disclosed by security researchers from Trustwave SpiderLabs, who learned about it from the business associate of one of their team members. Ziv Mador, vice president for security research Trustwave SpiderLabs, tells CSO that a US company in the hospitality sector received the USB sometime in mid-February.

The package contained an official-looking letter with Best Buy’s logo and other branding elements informing the recipient that they’ve received a $50 gift card for being a regular customer. “You can spend it on any product from the list of items presented on an USB stick,” the letter read. Fortunately, the USB dongle was never inserted into any computers and was passed along for analysis, because the person who received it had security training.

The BadUSB

Researchers traced the USB dongle model to a Taiwanese website where it’s being sold for the equivalent of $7 under the name BadUSB Leonardo USB ATMEGA32U4. In 2014, at the Black Hat USA security conference, a team of researchers from Berlin-based Security Research Labs (SRLabs) demonstrated that the firmware of many USB dongles can be reprogrammed so that, when inserted in a computer, it reports that it’s actually a keyboard and starts sending commands that could be used to deploy malware. The researchers dubbed this attack BadUSB and it’s different then just putting malware on an USB stick and relying on the user to open it.

The Leonardo USB device that Trustwave received and analyzed has an Arduino ATMEGA32U4 microcontroller inside which was programmed to act as a virtual keyboard and execute an obfuscated PowerShell script via the command line. The script reaches out to a domain set up by the attackers and downloads a secondary PowerShell payload that then deploys a third JavaScript-based payload that is executed through Windows’ built-in script host engine.

This third JavaScript payload generates a unique identifier for the computer and registers it to a remote command-and-control server. It then receives additional obfuscated JavaScript code from the server which it executes. The goal of this fourth payload is to gather information about the system, such as the user’s privilege, the domain name, time zone, language, OS and hardware information, a list of running processes, whether Microsoft Office and Adobe Acrobat are installed and more.

After this intelligence gathering routine, the JavaScript backdoor enters a loop that periodically checks in with the server for see if there are new commands to execute.

“The fact that they are also cheap and readily available to anyone meant that it was just a matter of time to see this technique used by criminals in the wild,” the Trustwave researchers said in their report. “Since USB devices are ubiquitous, used and seen everywhere, some consider them innocuous and safe. Others can be very curious about the contents of an unknown USB device. If this story teaches us anything, it’s that one should never trust such a device.”

FIN7 connection

Mador tells CSO that his team didn’t know who the attackers were, but after seeing the information in Trustwave’s report, security researchers Costin Raiu from Kaspersky Lab and Michael Yip commented on Twitter that the malware used and infrastructure match that used by the FIN7 gang.

FIN7, also known as Carbanak, is a financially motivated cybercriminal group that has been targeting US-based companies from the retail, restaurant and hospitality sectors since around 2015. The group is known for using sophisticated techniques to move laterally inside networks and compromised systems with the goal of stealing payment card information. Researchers from security firm Morphisec estimated in the past that FIN7 members earn around $50 million a month from their activities.

The target in the BadUSB attack was a company from the US hospitality sector which is in line with FIN7’s previous targeting, but while the malware (GRIFFON) and infrastructure match FIN7, Raiu tells CSO that it’s the first time he’s seen the group use this physical USB dongle-based attack vector.

“We expect that this campaign dates back to at least December 2019, based on submissions we observed in VirusTotal,” Barry Vengerik, technical director of Technical Operations and Reverse Engineering (TORE) at FireEye, tells CSO. “FireEye Intelligence has been tracking FIN7 sending US-based organizations packages via USPS that contained USB devices configured to deliver malware. When the USB device is connected to a PC, it functions as a virtual keyboard, launching an instance of cmd.exe and executing a PowerShell command crafted to download a remotely hosted PowerShell script designed to launch an instance of the GRIFFON backdoor.”

The FBI also sent a private alert to companies on Thursday confirming that FIN7 is behind these physical USB-based attacks. The agency said it received reports of several packages that contained items including malicious USB devices that were sent to businesses from the retail, restaurant and hotel industries via USPS. The alert contains more technical details, pictures of the packages and USB devices, as well as recommendations to businesses on what information to report back to the FBI in case they’re targeted.

More BadUSB attacks on the way?

Attacks involving USB dongles reprogrammed to act as keyboards have not been used widely until now because they’re not very scalable. One such dongle that’s popular with penetration testers is the USB Rubber Ducky. It’s made by a company called Hak5 and costs $50, which is not a lot of money for a professional to spend, but adds up quickly if you’re an attacker and want to infect many victims, especially since the success rate won’t be 100 percent.

However, at $7 apiece (and probably less if bought in large quantities), malicious dongles like the BadUSB Leonardo device make real-word BadUSB attacks much more viable. Attackers don’t even have to put in much effort, like to create custom firmware to convert off-the-shelf non-malicious USB sticks into malicious ones. They just need to load their custom payload into a ready-made device and mail it.

Even so, attacks of this type are expected to target a relatively small number of carefully selected companies that attackers have already done some research on. According to Trustwave’s Mador, the choice of impersonating Best Buy might not have been an accident. Attackers can use online information to find a company’s contractors and suppliers.

Also, in this case, the rogue letter was sent to the business’s address, but with senior and other key employees now working from home due to the COVID-19 pandemic the risk is even higher.

At work such letters would probably be received by administrative staff, who might then take the device to the IT or security team if they’ve been trained properly, so several people might look at the device before it’s being used, Mador says. However, at home there is no security staff and even if the intended recipient received security awareness training at work, the device might be found and used by one of their family members before they have a chance to stop it.

If hackers compromise a device on the victim’s home network, they’ll eventually succeed to hack into their work computer as well, which will probably provide them with access to the company’s network or systems via a VPN connection. That’s why security professionals are concerned about the forced work-from-home situation that’s currently in effect.

“People know by now that they shouldn’t click on links or open attachments from unknown or untrusted sources,” Mador says. “But when it comes to USB dongles, many still don’t use the right judgement.”