Cybercrime , Endpoint Security , Fraud Management & Cybercrime

FBI: Cybercrime Gang Mailing 'BadUSB' Devices to Targets

Malicious USB Devices Accompanied by Fake Gift Cards to Entice Would-Be Victims

Letter from FIN7 attackers (Source: Trustwave)

Never underestimate the power of a weaponized tchotchke, especially when paired with a free teddy bear and gift card.

See Also: Live Webinar | Leveraging AI in Next Generation Cybersecurity

The FBI recently warned businesses that they may be targeted by a fiendish new scheme being practiced by the FIN7 gang, also known as the Carbanak Group and the Navigator Group.

The notorious gang has already been tied to more than $1 billion in fraud, typically by infecting point-of-sale devices with malware and using it to steal payment card details (see: The Art of the Steal: FIN7's Highly Effective Phishing).

Now, the group has a new trick up its sleeves: It's mailing victims a USB storage device, with a teddy bear and supposed $50 gift card to Best Buy. "You can spend it on any product from the list of items presented on a USB stick," reads the cover letter accompanying one such attack, according to security firm Trustwave. All a victim has to do is plug the USB device into their computer.

"The enclosed USB device is a commercially available tool known as a 'BadUSB' or 'Bad Beetle USB' device," the FBI says in a flash alert to businesses that outlines the scheme. Such schemes are also known as "Bash Bunny" attacks.

While often used by penetration testers, BadUSB attacks in the wild are relatively rare (see: Suspect Arrested at Mar-a-Lago With Suspicious USB Drive). "Penetration testers that perform physical 'pentests' are well versed in dropping 'malicious' USB sticks in a target's parking lot or waiting room," say security researchers Alejandro Baca and Rodel Mendrez from Trustwave write in a blog post.

"More complex are so-called 'Rubber Ducky' attacks, where what looks like a USB stick is actually, in effect, a malicious USB keyboard preloaded with keystrokes," they add. "Those types of attacks are typically so explicitly targeted that it's rare to find them coming from actual attackers in the wild. Rare, but still out there."

Bad for Business: BadUSB

"BadUSB" devices are USB storage devices that have had their firmware rewritten to facilitate malicious activities, potentially giving attackers the ability to bypass endpoint anti-virus tools and gain remote access to any system into which the USB storage devices gets plugged (see: A New Way to Mitigate USB Risks).

"Never trust such a device" - not even when accompanied by a supposedly real gift card and cover letter saying all the recipient has to do is plug in the device and retrieve a list - say Trustwave's Baca and Mendrez.

The FBI says FIN7 has been mailing the malicious USB devices to potential victims, sometimes also while running a phishing attack.

"When plugged into a target system, the USB registers as a Keyboard HID Keyboard Device with a Vendor ID (VID) of 0x2341 and a Product ID (PID) of 0x8037," the alert says. "The USB injects a series of keystroke commands, including the (Windows + R) shortcut to launch the Windows Run Dialog to run a PowerShell command to download and execute a malware payload from an attacker-controlled server. The USB device then calls out to domains or IP addresses that are currently located in Russia."

Intercepted payload reveals an obfuscated PowerShell script (Source: Trustwave)

The FBI says the domains or IP addresses that the device pings then push a copy of Griffon malware back to the device, which has been previously attached to phishing emails sent by FIN7. Griffon gives the attackers a back door for remotely accessing the infected system and thus everything on it. Potentially, the infected system can also give attackers a stepping stone to the rest of a corporate network.

Trustwave says one of its clients in the hospitality industry was on the receiving end of an attack, as detailed in the FBI's flash alert. As detailed in the FBI's alert, the USB controller chip had been has been" reprogrammed for an unintended use - in this case as an emulated USB keyboard" meaning that simply plugging in the device could "infect unsuspecting users' computer without them realizing it."

Attack flow (Source: Trustwave)

Running these types of attacks is relatively inexpensive. While attackers can spend $100 or more on a USB device with a full-featured microcontroller, the FBI says the microcontroller used in one of the FIN7 attacks it studied is an ATMEGA24U, while Trustwave studied a separate attack that used involved an ATMEGA32U4, each of which retail for $5 to $14, depending on the supplier, Bleeping Computer reports.

FIN7: $1 Billion in Fraud and Counting

Previously, the FIN7 gang was tied to what the U.S. Justice Department described as a "highly sophisticated malware campaign" that's pummeled more than 100 U.S. businesses - especially in the restaurant, gaming, and hospitality sectors. Arby's, Chili's, Chipotle Mexican Grill and Jason's Deli are among the data breach victims that have confirmed attacks tied to FIN7 (see: Chipotle: Hackers Dined Out on Most Restaurants).

FIN7 has perpetrated more than $1 billion in fraud, in part, by stealing details for more than 15 million payment card records from more than 6,500 point-of-sale terminals across more than 3,600 business locations, the Justice Department says.

In 2018, the Justice Department unsealed indictments against three alleged members of the FIN7 hacking gang: Dmytro Fedorov, Fedir Hladyr and Andrii Kolpakov. All are Ukrainian nationals.

Hladyr, who prosecutors accused of serving as "a high-level systems administrator" for the gang, was arrested in Dresden, Germany, in January 2018, and extradited to the U.S. Last September, he pleaded guilty to conspiracy to commit wire fraud, which carries a maximum 20-year prison sentence, and conspiracy to commit computer hacking, which carries up to a five-year penalty, and agreed to pay up $2.5 million in restitution (see: Credit Card Theft Ringleader Pleads Guilty).

In 2018, Fedorov was arrested in Bielsko-Biala, Poland, while Kolpakov was arrested in Lepe, Spain. Both were later extradited to the U.S. and pleaded not guilty. A trial against the two men began in August 2019 and is set to continue this October. They each face 26 felony counts, ranging from identity theft to conspiracy to commit computer hacking.

In the meantime, their alleged FIN7 accomplices appear to be carrying on, now armed not just with malware, but stuffed toys.