Last week, the FBI released an updated flash alert warning US companies that the FIN7 cybercrime group could compromise their systems by delivering ransomware-ridden USB drives.
Reportedly, the perpetrators mailed packages to various US companies comprising “BadUSB (Bad Beetle USB)” devices misleadingly branded with the LilyGO logo to bypass their defenses.
The threat actor relied on the US Postal Service and UPS to deliver the malware-laden packages. The group targeted transportation and insurance companies from August 2021 and has shifted its focus to defense companies since November 2021.
According to several reports the FBI received, the packages were cunningly disguised to look legitimate: forged thank-you notes, counterfeit gift cards and COVID-19 guidelines were enclosed alongside the malicious USB drives. Presumably, the contents of each decoy package depend on the profile of the sender it impersonates.
If the target plugs the malicious USB drive into their computer, the system automatically registers the device as an HID (Human Interface Device) keyboard. Because it is enumerated as a keyboard rather than as storage, the device still operates on systems where the use of removable storage devices has been disabled.
Once registered, the BadUSB device injects keystrokes to deploy malware payloads on the affected computer. The usual goal of these attacks is to gain access to the victim's network and deploy further malware using tools such as Cobalt Strike, Metasploit, PowerShell scripts and Carbanak.
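Because the device announces itself to the operating system as a keyboard, its arrival leaves a trace in the host's device-enumeration logs, and the scripted keystroke injection that follows is far faster and more regular than human typing. The following detection script is an added example written for this article; it is not part of the FBI alert or of any FIN7 tooling. It parses a few constructed Linux kernel log lines in the format the `hid-generic` driver emits, flags any HID keyboard whose vendor:product pair is not on an organisation's allowlist of issued keyboards, and separately flags a burst of keystrokes arriving at machine speed. The vendor/product IDs, device names and timings are placeholders, not indicators from the campaign.

```python
"""
Added example (not from the FBI alert or the article): two defender-side
checks against keyboard-emulating USB devices.

  1. Flag HID keyboards not on an allowlist of approved vendor:product IDs,
     using the kernel's hid-generic enumeration lines.
  2. Flag a run of keystrokes arriving faster than a human could type.

All log lines, IDs and timings below are constructed placeholders.
"""
import re
from dataclasses import dataclass

# Matches lines such as:
#   hid-generic 0003:DEAD:0001.0003: input,hidraw2: USB HID v1.10 Keyboard [Corp Keyboard] on usb-...
HID_LINE = re.compile(
    r"hid-generic (?P<bus>[0-9A-Fa-f]{4}):(?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})\.\d+: "
    r"(?P<ifaces>[\w,]+): USB HID v[\d.]+ (?P<kind>\w+) \[(?P<name>[^\]]*)\]"
)

# Constructed allowlist: vendor:product pairs of keyboards the organisation issued.
APPROVED_KEYBOARDS = {("dead", "0001")}

# Constructed kernel log: an approved corporate keyboard, then a "gift" USB
# drive that exposes mass storage AND a keyboard interface on the same port.
SAMPLE_KERNEL_LOG = [
    "usb 1-3: new full-speed USB device number 7 using xhci_hcd",
    "usb 1-3: New USB device found, idVendor=dead, idProduct=0001, bcdDevice= 1.00",
    "hid-generic 0003:DEAD:0001.0003: input,hidraw2: USB HID v1.10 Keyboard [Corp Keyboard] on usb-0000:00:14.0-3/input0",
    "usb 1-4: new full-speed USB device number 8 using xhci_hcd",
    "usb 1-4: New USB device found, idVendor=beef, idProduct=0042, bcdDevice= 1.00",
    "usb-storage 1-4:1.0: USB Mass Storage device detected",
    "hid-generic 0003:BEEF:0042.0004: input,hidraw3: USB HID v1.11 Keyboard [Promo Gift Drive] on usb-0000:00:14.0-4/input1",
    "hid-generic 0003:BEEF:0042.0005: input,hidraw4: USB HID v1.11 Mouse [Promo Gift Drive] on usb-0000:00:14.0-4/input2",
]

# Constructed keystroke arrival times in milliseconds.
HUMAN_TIMING = [0, 180, 350, 410, 700, 910, 1020, 1290, 1500, 1640, 1900, 2050]
SCRIPTED_TIMING = list(range(0, 400, 5))  # 80 keystrokes, 5 ms apart


@dataclass(frozen=True)
class HidEvent:
    vid: str
    pid: str
    kind: str
    name: str


def parse_hid_events(lines):
    """Extract every HID registration (keyboard, mouse, ...) from kernel log lines."""
    events = []
    for line in lines:
        m = HID_LINE.search(line)
        if m:
            events.append(HidEvent(m["vid"].lower(), m["pid"].lower(), m["kind"], m["name"]))
    return events


def unapproved_keyboards(lines, approved=APPROVED_KEYBOARDS):
    """Return HID keyboards whose vendor:product pair is not on the allowlist."""
    return [
        e for e in parse_hid_events(lines)
        if e.kind == "Keyboard" and (e.vid, e.pid) not in approved
    ]


def keystroke_burst(timestamps_ms, min_keys=16, max_gap_ms=15):
    """True if at least min_keys consecutive keystrokes each arrive within
    max_gap_ms of the previous one, i.e. faster than a person types."""
    run = 1
    for prev, cur in zip(timestamps_ms, timestamps_ms[1:]):
        run = run + 1 if cur - prev <= max_gap_ms else 1
        if run >= min_keys:
            return True
    return False


if __name__ == "__main__":
    for e in unapproved_keyboards(SAMPLE_KERNEL_LOG):
        print(f"ALERT: unapproved keyboard {e.vid}:{e.pid} '{e.name}'")
    print("scripted input burst:", keystroke_burst(SCRIPTED_TIMING))
    print("human typing burst:  ", keystroke_burst(HUMAN_TIMING))
```

On the constructed log the script reports one unapproved keyboard (the "Promo Gift Drive", which also exposed mass storage on the same port) and flags the scripted timing but not the human one. The same allowlist idea is what device-control tooling enforces preventively, by refusing to bind new keyboard-class interfaces unless the device is known; the thresholds here are starting points to tune against an environment's real input telemetry.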
This is not the first time FIN7 has tried to compromise systems with BadUSB devices. Since May 2020, the group has reportedly sent various packages containing malicious USB drives together with teddy bears to trick victims into lowering their guard.
This type of attack is commonly known as a USB drive-by or HID attack. It only succeeds, of course, if the victim plugs the unknown USB device into their computer.
A sure way to fend off these threats is to never plug an unexpected USB device into your PC; if you ever receive such a package, hand it to your company's security team to examine.