Security researchers have come across an attack in which a USB dongle designed to surreptitiously behave like a keyboard was mailed to a company under the guise of a Best Buy gift card. Security professionals have used this technique during physical penetration testing engagements in the past, but it has very rarely been observed in the wild. This time, a known sophisticated cybercriminal group is likely behind it.

The attack was analyzed and disclosed by security researchers from Trustwave SpiderLabs, who learned about it from a business associate of one of their team members. Ziv Mador, vice president of security research at Trustwave SpiderLabs, tells CSO that a US company in the hospitality sector received the USB device sometime in mid-February.

The package contained an official-looking letter with Best Buy’s logo and other branding elements informing the recipient that they had received a $50 gift card for being a regular customer. “You can spend it on any product from the list of items presented on an USB stick,” the letter read. Fortunately, because the person who received it had security training, the USB dongle was never inserted into any computer and was passed along for analysis.

The BadUSB

Researchers traced the USB dongle model to a Taiwanese website where it is sold for the equivalent of $7 under the name BadUSB Leonardo USB ATMEGA32U4. In 2014, at the Black Hat USA security conference, a team of researchers from Berlin-based Security Research Labs (SRLabs) demonstrated that the firmware of many USB dongles can be reprogrammed so that, when inserted into a computer, the device reports itself as a keyboard and starts sending keystrokes that could be used to deploy malware. The researchers dubbed this attack BadUSB; it differs from simply putting malware on a USB stick and relying on the user to open it, because the operating system trusts input from a keyboard without any user action.

The Leonardo USB device that Trustwave received and analyzed contains an Arduino ATMEGA32U4 microcontroller programmed to act as a virtual keyboard and execute an obfuscated PowerShell script via the command line. The script reaches out to a domain set up by the attackers and downloads a secondary PowerShell payload, which in turn deploys a third, JavaScript-based payload that is executed through Windows’ built-in script host engine.

This third JavaScript payload generates a unique identifier for the computer and registers it with a remote command-and-control server. It then receives additional obfuscated JavaScript code from the server, which it executes. The goal of this fourth payload is to gather information about the system, such as the user’s privilege level, the domain name, time zone, language, OS and hardware information, a list of running processes, whether Microsoft Office and Adobe Acrobat are installed, and more.
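The chain above starts with a device that enumerates as a keyboard and, seconds later, a PowerShell process launched from that "keyboard". The detection heuristic below, an added example that is not part of the article or of Trustwave's analysis, correlates a new HID-class device arrival with a PowerShell start on the same host inside a short window; the event format, field names, hostnames and command lines are constructed sample data, not real logs.

```python
import re
from datetime import datetime

# Constructed sample telemetry (not data from the article): one event per line,
# key=value fields, values may be double-quoted. Real deployments would feed
# device-install and process-creation events from endpoint telemetry instead.
SAMPLE_LOG = """\
2020-02-18T09:14:02 type=device_add class=HIDClass desc="USB Input Device" host=WS-17
2020-02-18T09:14:05 type=proc_start image=powershell.exe parent=explorer.exe cmdline="powershell -w hidden -enc <base64-blob>" host=WS-17
2020-02-18T10:02:40 type=device_add class=HIDClass desc="USB Keyboard" host=WS-04
2020-02-18T11:30:11 type=proc_start image=powershell.exe parent=cmd.exe cmdline="powershell Get-Date" host=WS-04
"""

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
WINDOW_SECONDS = 60  # keystroke injection typically fires within seconds of enumeration
# Command-line fragments that often accompany hidden, obfuscated launches (heuristic only).
SUSPICIOUS_FRAGMENTS = ("-enc", "-w hidden", "-windowstyle hidden", "downloadstring")


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts_str, _, rest = line.partition(" ")
    event = {"ts": datetime.fromisoformat(ts_str)}
    for key, _, quoted, bare in FIELD_RE.findall(rest):
        event[key] = quoted if quoted else bare
    return event


def correlate(log_text, window=WINDOW_SECONDS):
    """Return one alert per PowerShell start that follows a new HID-class device
    on the same host within `window` seconds."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    for i, dev in enumerate(events):
        if dev.get("type") != "device_add" or dev.get("class") != "HIDClass":
            continue
        for proc in events[i + 1:]:
            delay = (proc["ts"] - dev["ts"]).total_seconds()
            if delay > window:
                break  # events are sorted, nothing later can be in the window
            if (proc.get("type") == "proc_start" and proc.get("host") == dev.get("host")
                    and proc.get("image", "").lower().endswith("powershell.exe")):
                cmd = proc.get("cmdline", "").lower()
                alerts.append({
                    "host": dev["host"],
                    "device": dev.get("desc", "?"),
                    "delay_s": delay,
                    "cmdline": proc.get("cmdline", ""),
                    "obfuscation_hint": any(f in cmd for f in SUSPICIOUS_FRAGMENTS),
                })
    return alerts
```

On the sample data only WS-17 fires (PowerShell three seconds after a new HID device, with hidden-window and encoded-command flags); WS-04 shows a keyboard and an interactive PowerShell 87 minutes apart and stays quiet.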
