
A security firm has uncovered a rare attempt to hack a Windows computer that involved mailing the user a malware-laden USB thumb drive.

The mysterious hacker did so by pretending the USB thumb drive was part of a $50 gift card offer from Best Buy, according to Trustwave, which obtained the letter from a company client. The letter, mailed in February, thanks the recipient for being a long-time customer.

“Included in this letter is seemingly a USB drive that claims to contain a list of items to spend on,” company researchers Alejandro Baca and Rodel Mendrez wrote in a post on Thursday.

The USB thumb drive looks fairly ordinary. But according to Trustwave, it’s actually been designed to deliver malicious code that can hijack a Windows system. The thumb drive can do this because it’s been programmed to emulate a USB-connected keyboard. “Since PCs trust keyboard USB devices by default, once it is plugged in, the keyboard emulator can automatically inject malicious commands,” the researchers wrote.

A Google search for “HW-374,” a code printed on the USB thumb drive, also revealed that a Taiwanese e-commerce site has been selling the devices for as little as $7.

Trustwave’s researchers then examined the USB thumb stick’s behavior by connecting it to a test laptop isolated from the internet. As suspected, the drive delivered a malicious payload through a PowerShell command, which causes the PC to secretly download more computer code.

As this all happens, the computer is tricked into displaying a message that claims the USB drive has malfunctioned (and thus no free gifts from Best Buy). But in reality, the thumb drive is secretly hijacking the computer to link up with the hacker’s command and control server.

In return, the command and control server will send malicious JavaScript code to the victim's PC. “The JScript code could be anything. But when we decoded it, it reveals a code that gathers system information from the infected host,” the researchers wrote. By gathering the system information, the hacker can conduct reconnaissance to find out the best ways to exploit the victim's PC, which will likely result in the computer getting infested with various kinds of malware.
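For defenders, the chain described above (a USB device enumerating as a keyboard, followed almost immediately by a PowerShell launch) can be flagged by correlating device-arrival and process-start telemetry. The sketch below is an added example, not code from Trustwave or the original article; the event field names, the 10-second window, the list of watched interpreters and the sample records are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events, assumed to be already normalised from endpoint
# telemetry. Field names and device IDs are placeholders, not real indicators.
EVENTS = [
    {"ts": "2000-01-01T09:00:00", "host": "lab-pc", "kind": "device_arrival",
     "bus": "USB", "class": "Keyboard", "device": "USB\\VID_0000&PID_0000"},
    {"ts": "2000-01-01T09:00:03", "host": "lab-pc", "kind": "process_start",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    # Keyboard plugged in, PowerShell used 30 minutes later: outside the window.
    {"ts": "2000-01-01T11:00:00", "host": "dev-pc", "kind": "device_arrival",
     "bus": "USB", "class": "Keyboard", "device": "USB\\VID_0000&PID_0001"},
    {"ts": "2000-01-01T11:30:00", "host": "dev-pc", "kind": "process_start",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    # Ordinary storage device followed by a shell: not a keyboard, not flagged.
    {"ts": "2000-01-01T13:00:00", "host": "hr-pc", "kind": "device_arrival",
     "bus": "USB", "class": "DiskDrive", "device": "USB\\VID_0000&PID_0002"},
    {"ts": "2000-01-01T13:00:02", "host": "hr-pc", "kind": "process_start",
     "image": "C:\\Windows\\System32\\cmd.exe"},
]

WINDOW = timedelta(seconds=10)  # assumed threshold; tune per environment
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

def find_keystroke_injection(events, window=WINDOW):
    """Return (host, device, image, delay_seconds) for each interpreter that
    started within `window` after a USB keyboard appeared on the same host."""
    last_keyboard = {}  # host -> (arrival time, device id)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["kind"] == "device_arrival":
            if ev["bus"] == "USB" and ev["class"] == "Keyboard":
                last_keyboard[ev["host"]] = (ts, ev["device"])
        elif ev["kind"] == "process_start" and ev["host"] in last_keyboard:
            seen, device = last_keyboard[ev["host"]]
            name = ev["image"].rsplit("\\", 1)[-1].lower()
            if name in SHELLS and ts - seen <= window:
                delay = (ts - seen).total_seconds()
                alerts.append((ev["host"], device, name, delay))
    return alerts

if __name__ == "__main__":
    for alert in find_keystroke_injection(EVENTS):
        print("possible keystroke injection:", alert)
```

A legitimate keyboard swap followed by a quick shell launch would also match, so a hit is a lead for review rather than proof of compromise.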

For years, the IT security community has warned that hackers can weaponize USB thumb drives to spread malware. The good news is that the attacks have been quite rare, and generally confined to state-sponsored spies targeting industrial systems. However, the findings from Trustwave show how relatively cheap it can be for a hacker to carry out the same attack through the mail.

Fortunately, the original recipient who received the Best Buy gift offer never plugged in the USB drive. Nevertheless, the same scheme could end up fooling others.

“Since USB devices are ubiquitous, used, and seen everywhere, some consider them innocuous and safe. Others can be very curious about the contents of an unknown USB device,” they wrote. “If this story teaches us anything, it's that one should never trust such a device.”
