The FBI recently put out a warning that cybercriminal group FIN7, has started mailing USB drives filled with “BadUSB” malware to various companies. There are two variations of packages:
- Those imitating HHS [US Department of Health and Human Services ], often accompanied by letters referencing COVID-19 guidelines and enclosed with a USB
- Those imitating Amazon, arriving in a decorative gift box containing a fraudulent thank you letter, counterfeit gift card, and a USB.
In both cases, the packages contained LilyGO-branded USB devices.
Once recipients plug the thumb drives into their PCs, the devices execute a BadUSB attack, where the USB drive would register itself as a keyboard instead and send a series of preconfigured automated keystrokes to the user’s PC. These keystrokes would run PowerShell commands that downloaded and installed various malware strains that acted as backdoors for the attackers into the victims’ networks.
What Should You Do?
If you come across any unknown USB device – via mail, conference room floor, parking lot, etc., don’t plug it into your computer! If in question, hand the device over to a member of your IT team. Click to learn more about BadUSB.