Since 2015, financially motivated cybercriminal groups have actively targeted businesses in the retail, restaurant, hotel, and gaming industries at an increasing rate. Recently, the cybercriminal group FIN7, known for targeting such businesses through phishing emails, deployed an additional tactic of mailing USB devices via the United States Postal Service (USPS). The mailed packages sometimes include items like teddy bears or gift cards addressed to employees of target companies working in Human Resources (HR), Information Technology (IT), or Executive Management (EM) roles. The enclosed USB device is a commercially available tool known as a “BadUSB” or “Bad Beetle USB” device. After the USB device is plugged into a target system, the device automatically injects a series of keystrokes in order to download and execute a unique malware payload commonly known as GRIFFON malware, which is also a payload observed in several variations of FIN7 phishing emails.
Technical Details
Recently, USB devices have been mailed to US businesses, sometimes accompanied by the more common FIN7 phishing emails. When plugged into a target system, the USB registers as a Human Interface Device (HID) keyboard with a Vendor ID (VID) of 0x2341 and a Product ID (PID) of 0x8037. The USB injects a series of keystroke commands, including the Windows + R shortcut to open the Windows Run dialog, which is used to run a PowerShell command that downloads and executes a malware payload from an attacker-controlled server. The USB device then calls out to domains or IP addresses that are currently located in Russia.
Once the targeted system is compromised, attackers conduct reconnaissance and move laterally until they obtain administrative privileges. FIN7’s goal is to target and steal payment card data from Point of Sale (POS) systems on a compromised network. To do this, FIN7 uses a variety of tools including Metasploit, Cobalt Strike, PowerShell scripts, and the Carbanak, GRIFFON, BOOSTWRITE, and RDFSNIFFER malware.
There have been reports of several packages, each containing items including a USB device, sent to US businesses in the retail, restaurant, and hotel industries. The packages to date have been sent using the United States Postal Service (USPS). The packages are enclosed in packaging material that can be readily bought at most USPS Post Offices, including packaging material from the USPS ReadyPost® brand.
Packages with the USB device may include other items such as teddy bears, gift cards, and other miscellaneous items. The USB devices may also have the recipient’s name written on them with a marker.
The USB device is a commercially available product known as “BadUSB” or “Bad Beetle USB,” and is readily purchased on the Internet. There are many types of BadUSB products available. Several of the received devices were “LILYGO BadUSB” devices, which can be shipped to the US from China. All of the USB devices the FBI has observed so far are silver with a swivel cover.
The FBI has observed the USB device attempt to download a version of GRIFFON malware to deploy onto the target system. Once infected, FIN7 will have backdoor access to the target system to deploy additional malware with the goal of stealing payment card information from POS systems located within a compromised network.
Recommended Mitigations
- Do not plug unknown USB devices into any computer system.
- Implement monitoring or alerts for any endpoints that plug in a USB device with a VID of 0x2341 and PID of 0x8037.
- Update endpoints to PowerShell version 5 or higher, and turn on PowerShell logging through the Group Policy Editor, including module logging, script block logging, and transcription. Organizations should also increase their PowerShell event log size to 1GB or higher to ensure logs are not quickly overwritten.
- This device will still operate on networks where removable storage devices are disabled, since the USB registers as an HID keyboard (an I/O device) rather than as storage when plugged into a computer.
- Although it will not prevent these USB devices from operating, if feasible for your business operations you can, for additional general security, disable access to all Removable Storage in the Local Group Policy Editor, allowing only the machine administrator access to such devices in a network environment. This can also be implemented using Group Policy Objects.
- See the Windows Registry settings below:
  - HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\RemovableStorageDevices
  - HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices
  - Value: Deny_All (DWORD)
    - (delete) = Enable
    - 1 = Disable
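The monitoring recommendation above (alert on any endpoint that enumerates a device with VID 0x2341 and PID 0x8037) can be implemented as a small detector over device-enumeration telemetry. The following is an added example, not code from the advisory; it assumes a constructed export format of `host<TAB>Windows device instance ID` and uses the `VID_xxxx&PID_xxxx` fragment that Windows places in instance IDs such as `USB\VID_2341&PID_8037\...` and `HID\VID_2341&PID_8037&MI_02\...`, grouping the USB parent and its HID keyboard interface into one alert per host.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

# VID/PID the advisory attributes to the mailed BadUSB keyboard devices.
WATCHLIST = {(0x2341, 0x8037)}

# Windows device instance IDs carry the IDs as "VID_xxxx&PID_xxxx" regardless of
# the bus prefix (USB\..., HID\...&MI_xx\...), so match only on that fragment.
_VIDPID = re.compile(r"\bVID_([0-9A-F]{4})&PID_([0-9A-F]{4})", re.IGNORECASE)


class DeviceEvent(NamedTuple):
    host: str
    instance_id: str
    vid: int
    pid: int


def parse_event(line: str) -> Optional[DeviceEvent]:
    """Parse one 'host<TAB>instance_id' record (assumed format); skip records without a VID/PID."""
    host, _, instance_id = line.strip().partition("\t")
    match = _VIDPID.search(instance_id)
    if not host or not match:
        return None
    return DeviceEvent(host, instance_id, int(match.group(1), 16), int(match.group(2), 16))


def find_badusb(lines: List[str]) -> Dict[Tuple[str, int, int], List[str]]:
    """Group watchlist hits by (host, vid, pid): the USB parent and its HID child
    interfaces share one VID/PID, so one physical device yields one alert key."""
    hits: Dict[Tuple[str, int, int], List[str]] = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and (ev.vid, ev.pid) in WATCHLIST:
            hits[(ev.host, ev.vid, ev.pid)].append(ev.instance_id)
    return dict(hits)


# Constructed sample records (not real telemetry): a BadUSB on an HR workstation
# seen both as the USB parent and as its HID keyboard interface, plus benign devices.
SAMPLE_EVENTS = [
    "WKS-HR-07\tUSB\\VID_2341&PID_8037\\5&2f3a1b9c&0&3",
    "WKS-HR-07\tHID\\VID_2341&PID_8037&MI_02\\8&1a2b3c4d&0&0000",
    "WKS-IT-02\tUSB\\VID_046D&PID_C52B\\6&1234abcd&0&2",
    "WKS-IT-02\tSWD\\PRINTENUM\\PrintQueues",
]

if __name__ == "__main__":
    for (host, vid, pid), ids in find_badusb(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: VID 0x{vid:04X} PID 0x{pid:04X} via {len(ids)} instance(s): {ids}")
```

Because the rule keys on VID/PID alone, legitimate development boards from the same vendor will trigger it too; triage hits against the user's role and whether a PowerShell download followed shortly after the device was enumerated.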