Newly Discovered ‘Rubber Ducky’ Attacks Use Free Gift Cards to Trick Users Into Using Malicious USB Sticks

  • These malicious USB sticks come preloaded with keystrokes.
  • In one incident, the stick was delivered with a letter that appeared to be from the ‘Best Buy’.

Malicious attacks using USB flash drives dropped in offices or public places are not uncommon. But researchers at Trustwave Spiderlabs have investigated a new attack that comes disguised using gift cards.

What does the report say?
According to researchers, these malicious USB sticks come preloaded with an emulated USB keyboard to inject keystrokes. In one such incident, the attack came in the form of a letter that appeared to be from the retail chain ‘Best Buy’. It offered a free $50 gift card to its loyal customers. To make it more convincing, the letter included a USB drive that claimed to contain a list of items to spend on.

What’s the catch?
The USB drive that comes with the letter is a trick to entice users to collect an item (s) for a given free gift card. However, this is where the things become sneaky. The USB device actually contains an Arduino microcontroller ATMEGA32U4 programmed to emulate a USB keyboard. Since USB keyboards are trusted devices on most systems, malicious commands can be easily injected on victims’ computers without any hassle. 

Trustwave researchers inspected a malicious drive with serial number ‘HW-374’. “A quick Google search for this string found a “BadUSB Leonardo USB ATMEGA32U4” for sale on ‘shopee.tw’,” explained researchers.

The USB thumb drive looks fairly ordinary. But according to Trustwave, it’s actually designed to deliver malicious code - using a Powershell command - that can hijack a Windows system. 

What happens in the background?
Once the victim plugs in the malicious USB drive, the computer is tricked to display a message that claims the USB has malfunctioned. But in reality, the thumb drive is secretly hijacking the computer to link up the hacker’s command and control server. 

A host of information is collected from a target system and sent back to the C2 server. This includes username, hostname, user’s system privilege, computer model, memory capacity, OS serial number, language code, number of users, OS build, OS version, free memory available and more.  

“After this gathered information is sent to the C2 server. The main Jscript code enters an infinite loop sleeping for 2 minutes in each loop iteration then getting a new command from the command and control,” researchers noted.

Bottom line
To summarize, this technique of reprogramming USB devices is used by cybercriminals in the wild. Expanding on this further, the FBI has revealed that the campaign’s IOCs matched to that of the FIN7 threat actor group. The cybercrime group had adopted the technique to deliver GRIFFON malware.