FIN7, a financially motivated threat group, has been targeting US-based firms with BadUSB attacks in recent months. The BadUSB campaign attempts to inject malicious code into machines through compromised USB devices without being spotted by security solutions.
The FBI received several reports of packages containing USB devices addressed to US-based businesses, including the US defence industry sector. In this recent incident involving the BadUSB attacks, FIN7 used a fake Amazon ‘thank-you letter’ to deceive its targets. The threat group has been using this same BadUSB campaign to target organisations in the transportation and insurance industries since the early weeks of August last year.
FIN7 has used two kinds of package in its BadUSB attacks.
The first package is disguised as a mailing from the US Department of Health and Human Services, claiming that the compromised USB device contains COVID-19 guidelines. The second package impersonates an Amazon gift box and contains a counterfeit gift card, a phoney thank-you letter and a malware-laden USB device.
The USB devices in both packages carry the ‘LilyGo’ brand and were delivered by the threat actors via the USPS and UPS delivery services.
The BadUSB attack relies on the recipient plugging the USB drive into their machine. Once connected, the device registers itself as a keyboard and sends a chain of automated, pre-configured keystrokes. These keystrokes run several PowerShell commands that download and install multiple malware variants acting as backdoors.
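The mechanism above leaves a recognisable trace on the host: a new keyboard-class device appears, and moments later PowerShell starts with a command line typical of keystroke-injected download cradles. The following correlation rule is an added example written for this article (it is not FIN7 tooling or code from the FBI alert). It assumes Windows Security-log events 6416 ("A new external device was recognized by the system", which requires Audit PNP Activity to be enabled) and 4688 ("A new process has been created", with command-line auditing enabled) have already been parsed into dicts with the field names used below; the sample events are constructed for illustration.

```python
"""Correlate a newly enrolled USB keyboard with a suspicious PowerShell launch.

Added example for the BadUSB pattern described above; not code from the
article or from any threat actor. Field names on the event dicts
(EventID, Time, Host, DeviceDescription, ClassName, NewProcessName,
CommandLine) are assumed to come from your log parser.
"""
from datetime import datetime, timedelta
import re

# Command-line fragments commonly seen in keystroke-injected PowerShell
# launches. A starting point only: tune against your own baseline.
CRADLE_PATTERNS = [
    re.compile(r"-enc(odedcommand)?\s", re.I),
    re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I),
    re.compile(r"\biex\b|invoke-expression", re.I),
    re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    re.compile(r"-nop\b|-noprofile", re.I),
]

# Substrings that mark a 6416 event as a keyboard-class (HID) device.
KEYBOARD_HINTS = ("keyboard", "hidclass", "hid-compliant")


def is_new_keyboard(event):
    """True for a 6416 event describing a keyboard-class device."""
    if event["EventID"] != 6416:
        return False
    text = (event.get("DeviceDescription", "") + " " + event.get("ClassName", "")).lower()
    return any(hint in text for hint in KEYBOARD_HINTS)


def is_suspicious_powershell(event):
    """True for a 4688 PowerShell start whose command line hits >= 2 indicators."""
    if event["EventID"] != 4688:
        return False
    if not event.get("NewProcessName", "").lower().endswith(("powershell.exe", "pwsh.exe")):
        return False
    cmd = event.get("CommandLine", "")
    hits = sum(1 for p in CRADLE_PATTERNS if p.search(cmd))
    return hits >= 2  # two independent indicators keeps admin scripts out


def correlate_badusb(events, window_seconds=120):
    """Return (keyboard_event, powershell_event) pairs on the same host where
    the PowerShell start falls within window_seconds after the keyboard
    was recognised."""
    alerts = []
    keyboards = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        if is_new_keyboard(ev):
            keyboards.append(ev)
        elif is_suspicious_powershell(ev):
            for kb in keyboards:
                delta = ev["Time"] - kb["Time"]
                if kb["Host"] == ev["Host"] and timedelta(0) <= delta <= timedelta(seconds=window_seconds):
                    alerts.append((kb, ev))
    return alerts


# Constructed sample events: one BadUSB-like sequence on WS-01, a benign
# keyboard plus a routine script on WS-02, and a storage-only device on WS-03.
T0 = datetime(2022, 1, 10, 9, 0, 0)
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 6416, "Time": T0, "Host": "WS-01",
     "DeviceDescription": "HID Keyboard Device", "ClassName": "Keyboard"},
    {"EventID": 4688, "Time": T0 + timedelta(seconds=8), "Host": "WS-01",
     "NewProcessName": PS_PATH,
     "CommandLine": "powershell.exe -nop -w hidden -enc <base64 payload omitted>"},
    {"EventID": 6416, "Time": T0 + timedelta(minutes=30), "Host": "WS-02",
     "DeviceDescription": "USB Input Device", "ClassName": "HIDClass"},
    {"EventID": 4688, "Time": T0 + timedelta(minutes=31), "Host": "WS-02",
     "NewProcessName": PS_PATH,
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"EventID": 6416, "Time": T0 + timedelta(hours=1), "Host": "WS-03",
     "DeviceDescription": "USB Mass Storage Device", "ClassName": "USB"},
]

if __name__ == "__main__":
    for kb, ps in correlate_badusb(SAMPLE_EVENTS):
        print(f"[{ps['Host']}] keyboard '{kb['DeviceDescription']}' at {kb['Time']:%H:%M:%S} "
              f"followed by PowerShell at {ps['Time']:%H:%M:%S}: {ps['CommandLine']}")
```

Requiring two indicators and a short time window is what keeps this rule from firing on every administrator who plugs in a keyboard and later runs a script; the window should be short because the injected keystrokes run within seconds of enumeration, not minutes.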
In a previous investigation, researchers observed FIN7 gaining administrative access on an infected device and moving laterally from it.
The financially motivated threat group used various tools, including Cobalt Strike, PowerShell scripts, DICELOADER, GRIFFON and TIRION, and distributed the REvil and BlackMatter ransomware.
These recent FIN7 attacks show how far threat groups will go, and how they innovate, to reach victims across different sectors. The US FBI advised businesses to register with its cybersecurity portals to access the alert and receive information on cybercriminal activity.