Hackers from the FIN7 cybercrime group have targeted various businesses with malicious USB devices that act as keyboards when connected to a computer. The injected commands download and execute a JavaScript backdoor associated with the group.

In a warning on Thursday, the FBI alerted security professionals to this tactic, which FIN7 has adopted to deliver GRIFFON malware.

The attack is a variant of the “lost USB” ruse that penetration testers have used quite successfully in their assessments for several years. One incident has been analyzed by Trustwave researchers.

A cybersecurity customer received a package, allegedly from Best Buy, containing a $50 gift card. In the envelope, there was a USB drive that claimed to contain a list of products that were eligible for purchase using the gift card.

However, this is not a one-off incident.

The FBI warns that FIN7 has sent these packages to many businesses (retailers, restaurants, hotels), targeting employees in human resources, IT or management departments.

“Recently, a group of computers FIN7, known for targeting such businesses through email phishing, used a special tactic to send USB devices via the postal service of the United States (USPS). Packages sometimes include items such as teddy bears or gift cards to employees of targeted companies working in the departments of Human Resources, Information Technology (IT) or Executive Management (EM),” the FBI warning states.

The FBI says the malicious drive is configured to simulate keystrokes that launch a PowerShell command to retrieve malware from attacker-controlled servers. The USB device then communicates with a domain or IP address in Russia.

The days when USB flash drives were just for storage are long gone. Several development boards (Teensy, Arduino) can now be programmed to mimic a human interface device (HID) such as a keyboard or mouse and send a predefined set of keystrokes to drop malicious payloads. These are called HID or USB drive-by attacks; they are easy to perform and do not cost much.

Trustwave analyzed this malicious USB activity and found two PowerShell commands that resulted in a fake thumb drive error and ultimately in the execution of a third-stage JavaScript that could collect system information and download other malware.

To summarize the attack flow, the researchers created an image that clarifies the stages of compromise leading to the deployment of malware of the intruder's choice.

The FBI notice says that after the reconnaissance phase, the attacker begins to move laterally, seeking administrative privileges.

FIN7 uses multiple tools to achieve its goal. The list includes Metasploit, Cobalt Strike, PowerShell scripts, the Carbanak malware, the Griffon backdoor, the Boostwrite malware dropper and the RdfSniffer remote access module.

BadUSB attacks, demonstrated by security researcher Karsten Nohl in 2014, are more common in penetration testing, and there are many alternatives these days. The most flexible is priced at $100.

FIN7, however, went with a simple and inexpensive version, which costs between $5 and $14, depending on the supplier and the country of dispatch. The FBI notes in its warning that the microcontroller is an ATMEGA24U, while the one Trustwave examined had an ATMEGA32U4.

However, both variants had “HW-374” printed on the circuit board and were recognized as an Arduino Leonardo, which is specifically programmed to function as a keyboard/mouse. Keystrokes and mouse movements can be customized using the Arduino IDE.

Connecting unknown USB devices to a workstation is a well-known security risk, but it is still ignored by many users.

Organizations can take precautions against malicious USB drives by allowing access only to devices vetted by their hardware ID and denying access to all others.
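
A minimal sketch of that default-deny policy, as an added example that is not from the FBI notice or Trustwave's analysis: it parses Windows-style USB hardware IDs, allows only vetted vendor/product pairs, and raises an alert when an unvetted device enumerates with a HID (input) interface, as the fake thumb drive described above does. The allowlist, the sample records and the function names are constructed for illustration.

```python
import re

# Assumed allowlist of vetted (VID, PID) pairs; constructed placeholder values.
ALLOWED = {("AAAA", "0001"), ("BBBB", "0002")}

# Windows-style USB hardware ID prefix, e.g. USB\VID_AAAA&PID_0001&REV_0100
HWID_RE = re.compile(r"^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", re.I)
# Compatible IDs of any USB HID-class interface (class 03) start with this.
HID_PREFIX = r"USB\CLASS_03"


def evaluate(hardware_id, compatible_ids):
    """Return (verdict, reason) for one enumerated USB device or interface."""
    m = HWID_RE.match(hardware_id)
    if not m:
        return "deny", "unparseable hardware ID"  # default deny
    vid_pid = (m.group(1).upper(), m.group(2).upper())
    if vid_pid in ALLOWED:
        return "allow", "vetted hardware ID"
    # An unvetted device that can inject input deserves more than a silent
    # block: record it so the incident can be followed up.
    if any(c.upper().startswith(HID_PREFIX) for c in compatible_ids):
        return "alert", "unvetted device exposes a HID (input) interface"
    return "deny", "hardware ID not on allowlist"


def audit(records):
    """Evaluate every (hardware_id, compatible_ids) record in order."""
    return [evaluate(hwid, compat) for hwid, compat in records]


# Constructed inventory records (not values from the FBI or Trustwave reports).
SAMPLE = [
    (r"USB\VID_AAAA&PID_0001&REV_0100", [r"USB\Class_03&SubClass_01&Prot_01"]),
    (r"USB\VID_BBBB&PID_0002", [r"USB\Class_08&SubClass_06&Prot_50"]),
    # Unvetted composite device: one interface enumerates as HID.
    (r"USB\VID_CCCC&PID_0003&MI_02", [r"USB\Class_03&SubClass_00&Prot_00"]),
    (r"USB\VID_DDDD&PID_0004", [r"USB\Class_08&SubClass_06&Prot_50"]),
]

if __name__ == "__main__":
    for (hwid, _), (verdict, reason) in zip(SAMPLE, audit(SAMPLE)):
        print(f"{verdict:5}  {hwid}  ({reason})")
```

Hardware IDs are reported by the device's own firmware, so a check like this belongs alongside the operating system's device installation restrictions rather than replacing them.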

