The cybercriminal group FIN7 (aka Carbanak) is adopting a new modus operandi to deliver GRIFFON malware. For those unaware, FIN7 is a financially-motivated threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. “Recently, the cybercriminal group FIN7,1 known for targeting such businesses through phishing emails, deployed an additional tactic of mailing USB devices via the United States Postal Service (USPS). The mailed packages sometimes include items like teddy bears or gift cards to employees of target companies working in the Human Resources (HR), Information Technology (IT), or Executive Management (EM) roles,” the FBI alert states.
The attackers are sending a USB device under the guise of a Best Buy gift card that emulates a USB keyboard. In this case, the computer thinks that the connected USB device is a keyboard. This fake keyboard launches a PowerShell command to recover malware from the server controlled by the attacker. Then, the USB contacts the domain or IP address which is located in Russia. “After the surveillance phase, the attacker moves laterally to look for administrative rights,” the FBI said. FIN7 uses several tools to complete attacks, such as Metasploit, PowerShell scripts, Carbanak malware, Cobalt Strike, Griffon’s “back door”, Boostwrite’s malware dropper, and RdfSniffer module with remote access capabilities. One such malicious USB activity was analyzed by Trustwave SpiderLabs security researchers, who learned about it from one of their clients – a U.S. company in the hospitality sector. The cybersecurity company had received an official-looking letter with Best Buy’s logo, along with a $50 gift card as loyalty. “You can spend it on any product on the list of items featured on a USB flash drive,” the letter said. Fortunately, the person who spotted the suspicious device had computer security training and didn’t plug it in. The package was sent for further analysis to Trustwave. “Targeted attacks using physical means are not as common as phishing or social engineering. Penetration testers that perform physical ‘pentests’ are well versed in throwing ‘malicious’ USB sticks in a target’s parking lot or waiting room,” explains the Trustwave team. Trustwave analyzed the behavior of the USB and found that it was a BadUSB attack: At the head of the unit on the printed circuit board we saw “HW-374”. A quick Google search for this string found a “BadUSB Leonardo USB ATMEGA32U4” for sale at shopee.tw. The product belonged to Arduino Leonardo, which is specifically programmed by criminals to act as a keyboard or mouse outside the box. The researchers noticed two PowerShell commands that led to showing a false error for the USB thumb drive and ultimately leading to executing third-stage JavaScript that could collect system information and download other malware. BadUSB? attacks are regularly used in penetration tests, where the most versatile sells for $100. However, FIN7 used a simple and cheap version that costs between US$5 to US$14, depending on the supplier and the shipping country. “In the past, we saw FIN7 exchanging dozens of emails with their victims before sending the malicious payloads,” said Félix Aimé, a senior security researcher at anti-virus company Kaspersky. “These new campaigns leveraging physical devices are the direct continuation of their highly sophisticated social engineering campaigns.” FIN7 is suspected of stealing over $1 billion in recent years by breaking into more than 100 banks around the world. The group is known for using sophisticated techniques to attack more than 100 U.S. companies to steal payment card information and subsequently resell it to other criminals.