FIN7 hackers sent BadUSB devices to American companies

The FBI reports that in recent months, the FIN7 hack group has been sending BadUSB devices to American companies in the hopes of infecting their systems and providing a starting point for attacks.

FIN7 is known, among other things, for its Darkside and BlackMatter ransomware.

There are two options for such packages: some mimic messages from HHS (US Department of Health and Human Services), so they are often accompanied by letters with links to recommendations for protection against COVID-19, indicating to refer to the attached USB stick. Others mimic an Amazon package that came in a gift box and contain a fake thank you letter, a fake gift card, and a USB device. Both shipments are known to contain LilyGO branded USB devices.

According to law enforcement officials, if the victim connected such a device to their PC, the device performs a BadUSB attack, during which the device uses the HID, registers itself as a keyboard, and transmits a series of predefined keystrokes to the user’s machine.

These keystrokes launched PowerShell commands that already downloaded and installed various malware that acted as backdoors. In the cases investigated by the FBI, the hack group gained administrative access and then attacked other local systems.

Let me remind you that we talked about the fact that main Fin7 activity is stealing companies’ financial archives (including debit cards), and gaining access to financial data and computers of employees of financial departments in order to steal funds, and also that when Hackers from all over the world attack Microsoft SharePoint servers: noticed traces of famous FIN7.