Hackers have been targeting various businesses with malware-infected USB devices. This is a new technique used by the FIN7 cyber criminal group to deliver the GRIFFON malware.
A client of the cybersecurity company received a package, supposedly from Best Buy, with a loyalty reward in the form of a $50 gift card. The package also contained a USB drive claiming to contain a list of products eligible for purchase using the gift card.
According to the FBI, the hackers have mailed similar packages to several businesses in the retail, restaurant, and hotel industries, targeting employees in the human resources, IT, or executive management departments.
The FBI warns that the cyber criminals use the United States Postal Service (USPS) to mail packages containing items such as teddy bears or gift cards to the targeted employees.
The malicious drive is configured to emulate keystrokes that launch a PowerShell command to retrieve malware from a server controlled by the attacker. The USB device then contacts domains or IP addresses in Russia.
The hackers use multiple tools, including Metasploit, Cobalt Strike, PowerShell scripts, the Carbanak malware, the Griffon backdoor, the Boostwrite malware dropper, and the RdfSniffer module with remote access capabilities, to achieve their goal.
BadUSB attacks are now common in penetration testing and it is possible to purchase more flexible ones for $100.
FIN7 used a simple and cheap version that costs between $5 and $14, depending on the supplier and the shipping country. These had “HW-374” printed on the circuit board and are identified as an Arduino Leonardo, a board that is programmed to act as a keyboard/mouse out of the box. It can be customized to send arbitrary keystrokes and mouse movements using the Arduino IDE.
Connecting unknown USB devices to a workstation is against best practice, but many users still ignore this.
Organizations need to take precautions against attacks via malicious USB drives by permitting only devices that have been examined and approved based on their hardware ID, and denying all others.
Also, updating PowerShell and enabling PowerShell logging can help determine the attack vector and the steps leading to compromise.
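The two controls above, a hardware ID allow-list that denies every other device and PowerShell script block and module logging, can both be applied through the same registry keys that Group Policy writes. The script below is an added example, not part of the article or of any FBI guidance; the hardware IDs in it are placeholders that must be replaced with the IDs of your own approved devices.

```powershell
# Added example: harden a Windows workstation against BadUSB keystroke injection.
# Run elevated. Hardware IDs below are PLACEHOLDERS; replace with approved devices.
#Requires -RunAsAdministrator

$approvedHardwareIds = @(
    'USB\VID_0000&PID_0000',   # PLACEHOLDER: approved keyboard
    'USB\VID_0000&PID_0001'    # PLACEHOLDER: approved storage device
)

# 1. Device Installation Restrictions (Computer Configuration > Administrative
#    Templates > System > Device Installation > Device Installation Restrictions).
$restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
New-Item -Path "$restrictions\AllowDeviceIDs" -Force | Out-Null
$i = 1
foreach ($id in $approvedHardwareIds) {
    New-ItemProperty -Path "$restrictions\AllowDeviceIDs" -Name $i -Value $id `
        -PropertyType String -Force | Out-Null
    $i++
}
# Enable the allow-list and deny installation of any device not described by policy.
New-ItemProperty -Path $restrictions -Name 'AllowDeviceIDs' -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $restrictions -Name 'DenyUnspecified' -Value 1 -PropertyType DWord -Force | Out-Null

# 2. PowerShell logging. Script block logging writes Event ID 4104 to
#    Microsoft-Windows-PowerShell/Operational, so an injected download command
#    is recorded even if the payload is later removed; module logging records
#    pipeline activity for every module ('*').
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
New-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' `
    -Value 1 -PropertyType DWord -Force | Out-Null
New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
New-ItemProperty -Path "$psPolicy\ModuleLogging" -Name 'EnableModuleLogging' `
    -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' -Value '*' `
    -PropertyType String -Force | Out-Null

# 3. List the hardware IDs of attached keyboard/HID devices so the allow-list can
#    be built from real values. A BadUSB stick appears here as a keyboard, not as storage.
Get-PnpDevice -Class Keyboard, HIDClass -PresentOnly | ForEach-Object {
    [pscustomobject]@{
        Name        = $_.FriendlyName
        HardwareIds = ($_ | Get-PnpDeviceProperty -KeyName 'DEVPKEY_Device_HardwareIds').Data -join ', '
    }
} | Format-Table -AutoSize
```

The installation restriction applies when a device is installed, so devices already present on the machine keep working; a new keyboard-class device that is not on the list is blocked before its keystrokes reach the session.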