The FBI warns that the notorious cybercrime gang FIN7 has in recent months been mailing malware-laden USB sticks to US corporations, among them defense contractors. The gang, also known as Carbanak, is counting on recipients plugging the drives into company computers and thereby infecting their systems with malware; the infection then served as the foothold for further intrusions and online extortion.
“Since August 2021, the FBI has received reports of several packages containing these USB devices that have been sent to US companies in the transportation, insurance and defense industries,” law enforcement officials wrote in a security alert that the FBI sent on Thursday to registered members of the public-private partnership InfraGard. The packages were delivered via the US Postal Service and UPS.
USB drive registers itself as keyboard
According to US media reports, the FBI describes two variants of the packages. In one, the US Department of Health and Human Services (HHS) is named as the sender; alongside the USB stick, the package usually contains a letter referring to the agency’s Covid-19 guidelines. In the other, the malicious storage media arrive in a decorative Amazon gift box together with a fake thank-you letter. In both variants the attackers used LilyGO-branded USB devices.
When the recipient connects the stick, a so-called BadUSB attack takes place, according to the FBI: the USB device registers itself with the operating system as a keyboard, i.e. as a Human Interface Device (HID). Because the system trusts keyboard input, the device can perform actions even on computers configured not to run anything automatically from removable storage; such AutoRun restrictions apply to storage media, not to input devices.
The firmware on the stick then replays a series of preconfigured keystrokes on the user’s PC. These launch PowerShell commands that download and install various malware families, which in turn serve as the attackers’ backdoor into the victim’s network. In the cases investigated, the FBI found that the gang obtained administrator rights and then moved laterally to other systems on the network.
According to the alert, the FIN7 actors, who since 2013 have been compromising bank servers, ATMs and payment terminals around the world with sophisticated phishing and malware, and some of whose members have been sentenced to prison, then used a range of tools including Metasploit, Cobalt Strike, PowerShell scripts, Carbanak, Griffon, Diceloader and Tirion. Finally they deployed ransomware such as BlackMatter and REvil on the compromised network, encrypted every file the malware could reach and demanded a ransom for its release.
Additional contact via email or phone
The new wave of mailed USB attacks follows an earlier series of incidents the FBI warned about two years ago. Back then, FIN7 impersonated the US electronics retailer Best Buy and sent similar packages with malicious flash drives, dressed up with the retailer’s logo, to hotels, restaurants and retail stores.
The first reports of such attacks surfaced as early as February 2020. Some of the targeted people said the criminals emailed or phoned them to urge them to connect the drives to their systems. In some cases the crooks are said to have enclosed cute items such as teddy bears to encourage potential victims to use the devices.
Companies can protect themselves against such attacks by allowing employees to connect only USB devices with an approved hardware ID (vendor and product ID) or devices that the internal IT security team has checked beforehand. One caveat: a programmable device can present any vendor and product ID, so an allowlist should be combined with blocking or alerting on newly enumerated HID keyboards and with watching for command interpreters started shortly after a new device appears. Further relevant tips for a secure desktop and mobile workstation can be found in the c’t security checklists.
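The following is an added detection example, not code from the article, the FBI alert or the c’t checklists. It ties together the attack chain described above (a new HID keyboard appears, seconds later PowerShell is launched with a download cradle) and the allowlisting advice: it walks a time-ordered stream of simplified endpoint events, flags any keyboard whose vendor/product ID is not on the allowlist, and raises the severity when a shell such as powershell.exe starts within a short window of that keyboard and carries suspicious arguments (encoded command, hidden window, in-memory download). The event records, the allowlisted VID/PID and the DEAD:BEEF device ID are all constructed placeholders; field names only loosely mirror a Windows PnP device-arrival event and a Sysmon process-creation event.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Allowlist of keyboard vendor/product IDs the organisation has approved.
# Placeholder value for this example, not a real inventory entry.
APPROVED_KEYBOARDS = {("045E", "07F8")}

# Interpreters a keystroke-injection payload typically launches (e.g. via Win+R).
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Command-line traits of a PowerShell download cradle: encoded command,
# hidden window, no profile, or a fetch-and-execute in memory.
SUSPICIOUS_CMDLINE = re.compile(
    r"-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|"
    r"downloadstring|downloadfile|invoke-expression|\biex\b",
    re.IGNORECASE,
)

# Plug-and-play device instance path, e.g. HID\VID_1234&PID_ABCD\7&1a2b3c&0&0000
DEVICE_PATH = re.compile(
    r"^(?P<bus>[A-Z]+)\\VID_(?P<vid>[0-9A-F]{4})&PID_(?P<pid>[0-9A-F]{4})",
    re.IGNORECASE,
)


@dataclass
class Event:
    ts: datetime
    kind: str    # "device_arrival" (PnP-style) or "process_create" (Sysmon event 1 style)
    data: dict


@dataclass
class Alert:
    ts: datetime
    severity: str
    reason: str


def parse_device_path(path):
    """Return (bus, VID, PID) from a device instance path, or None if it has no VID/PID."""
    m = DEVICE_PATH.match(path)
    if not m:
        return None
    return m.group("bus").upper(), m.group("vid").upper(), m.group("pid").upper()


def correlate(events, window=timedelta(seconds=60)):
    """Walk events in time order and return alerts for BadUSB-style activity."""
    alerts = []
    unapproved_keyboards = []   # (arrival time, "VID:PID") of keyboards not on the allowlist
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "device_arrival" and ev.data.get("ClassName", "").lower() == "keyboard":
            parsed = parse_device_path(ev.data.get("DeviceId", ""))
            if parsed is None:
                continue
            bus, vid, pid = parsed
            if (vid, pid) not in APPROVED_KEYBOARDS:
                unapproved_keyboards.append((ev.ts, f"{vid}:{pid}"))
                alerts.append(Alert(ev.ts, "medium",
                                    f"keyboard {vid}:{pid} on bus {bus} is not on the allowlist"))
        elif ev.kind == "process_create":
            image = PureWindowsPath(ev.data.get("Image", "")).name.lower()
            if image not in SHELL_IMAGES:
                continue
            cmdline = ev.data.get("CommandLine", "")
            # Only shells that start shortly after an unapproved keyboard are interesting.
            recent = [(ts, dev) for ts, dev in unapproved_keyboards
                      if timedelta(0) <= ev.ts - ts <= window]
            if not recent:
                continue
            ts0, dev = recent[-1]
            delay = int((ev.ts - ts0).total_seconds())
            severity = "high" if SUSPICIOUS_CMDLINE.search(cmdline) else "medium"
            alerts.append(Alert(ev.ts, severity,
                                f"{image} started {delay}s after unapproved keyboard {dev}: {cmdline}"))
    return alerts


def sample_events():
    """Constructed events: a benign admin session, then a BadUSB-style sequence."""
    t = datetime(2022, 1, 7, 9, 0, 0)
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    return [
        # Approved corporate keyboard, then an admin opening PowerShell normally: no alert.
        Event(t - timedelta(minutes=30), "device_arrival",
              {"DeviceId": r"HID\VID_045E&PID_07F8\6&1a2b3c&0&0000", "ClassName": "Keyboard"}),
        Event(t - timedelta(minutes=28), "process_create",
              {"Image": ps, "CommandLine": "powershell.exe"}),
        # Unknown device enumerating as a keyboard (placeholder VID/PID), followed three
        # seconds later by a hidden, encoded PowerShell launch: the BadUSB pattern.
        Event(t, "device_arrival",
              {"DeviceId": r"HID\VID_DEAD&PID_BEEF\7&2b3c4d&0&0000", "ClassName": "Keyboard"}),
        Event(t + timedelta(seconds=3), "process_create",
              {"Image": ps, "CommandLine": "powershell -nop -w hidden -enc UQBCAEMA"}),
    ]


if __name__ == "__main__":
    for a in correlate(sample_events()):
        print(a.ts.isoformat(), a.severity.upper(), a.reason)
```

Run against the constructed events, the benign keyboard and the admin's plain PowerShell session produce nothing, while the placeholder device yields a medium alert on arrival and a high one when the hidden, encoded PowerShell starts three seconds later. The window and the allowlist are the two knobs to tune: a keyboard that appears and is followed by a shell within seconds is the signal, and the allowlist only reduces noise from the keyboards you expect to see.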