UPDATED 27.March.2020


We frequently speak about attackers concentrating on corporations with social engineering assaults. These normally take the type of phishing assaults that try to trick the recipient into opening a malicious attachment or clicking on a malicious hyperlink. Much less mentioned are focused assaults utilizing bodily media. Penetration Testers that carry out bodily “pentests” are effectively versed in dropping “malicious” USB sticks in a goal’s parking zone or ready room. Extra advanced are so-called “Rubber Ducky” (https://github.com/hak5darren/USB-Rubber-Ducky/wiki) assaults, the place what seems like a USB stick is definitely, in impact, a malicious USB keyboard preloaded with keystrokes. These kinds of assaults are sometimes so explicitly focused that it is uncommon to seek out them coming from precise attackers within the wild. Uncommon, however nonetheless on the market.

The Assault

This letter was supposedly from Finest Purchase giving out a $50 present card to its loyal clients. Included on this letter is seemingly a USB drive that claims to include a listing of things to spend on. Very good gesture!

Would you like to exchange your security for a gift card?

Determine 1. Suspicious Finest Purchase present card containing a malicious USB gadget

One among our digital forensics and incident response retainer shoppers introduced this gadget to our consideration. One among their enterprise associates acquired this suspicious letter. Luckily, our shopper and their affiliate didn’t plug the drive into any pc. Thanks, safety coaching!


To begin the evaluation, we inspected the drive for inscriptions comparable to serial numbers. On the head of the drive on the printed circuit board we noticed “HW-374”. A fast Google seek for this string discovered a “BadUSB Leonardo USB ATMEGA32U4” on the market on shopee.tw.

Would you like to exchange your security for a gift card?

Determine 2: The web site pictures matched the drive that the shopper acquired!

This USB gadget makes use of an Arduino microcontroller ATMEGA32U4 and was programmed to emulate a USB keyboard. Since PCs belief keyboard USB units by default, as soon as it’s plugged in, the keyboard emulator can mechanically inject malicious instructions.

To rapidly get the payload off the USB drive we linked it to an air-gapped laptop computer that had Ubuntu put in whereas Wireshark captured site visitors on the third USB bus and the energetic window was set Vim. We figured Vim might act as a rudimentary jail to seize site visitors and that the meant goal is the Home windows OS. Positive sufficient, we had been offered with the next payload.

Powershell Payload

Would you like to exchange your security for a gift card?

Determine 3. Payload was intercepted by way of VIM and divulges an obfuscated PowerShell script

De-obfuscating the PowerShell command is a straightforward mono substitution cipher by which the cipher textual content ASCII desk is shifted 1 step to the left. For instance, to decode the character ‘j’ might be achieved by shifting 1 step backward and is the same as ‘i’, for ‘f’ is substituted by ‘e’ then ‘y’ = ‘x’ so on and so forth.

Would you like to exchange your security for a gift card?

Determine 4. PowerShell command deobfuscated utilizing CyberChef

The de-obfuscated string reveals a command that downloads the second stage PowerShell code from hxxps://milkmovemoney[.]com/st/mi.ini.

Would you like to exchange your security for a gift card?

Determine 5. Downloaded 2nd Stage Powershell Code

Would you like to exchange your security for a gift card?

Determine 6

To summarize, that is the second stage PowerShell execution movement:

  1. Copy wscript.exe to %AppDatapercentMicrosoftWindowswipre.exe
  2. Decode a JScript command and put it aside as prada.txt
  3. Execute prada.txt with the command “cmd.exe /c wipre.exe /e:jscript prada.txt”
  4. Present a pretend message field warning

Would you like to exchange your security for a gift card?

Determine 7. A convincing pretend message field pops up

Javascript Payload

The Jscript code saved to prada.txt is the third stage payload. That is executed utilizing the Home windows built-in script host engine – wscript.exe.

Would you like to exchange your security for a gift card?

Determine 8. de-obfuscated JScript saved as Prada.txt

The Jscript is mildly obfuscated utilizing a easy variable substitution. The principle perform of this script is to register the contaminated host to the command and management (C&C) server with a novel ID, then in return, it receives an extra JScript code that’s executed utilizing eval() perform.

Under is the step-by-step execution movement of the Jscript code:

  1. Generates a novel ID by getting the present UTC milliseconds
  2. Test if the script is within the folder %AppDatapercentMicrosoftWindows and delete itself if it isn’t
  3. Delay execution for two minutes
  4. Generate an information containing the next data:
    1. group : f1 (hardcoded)
    2. rt : 2 (hardcoded)
    3. secret : secret hash (hardcoded)
    4. time : 120000
    5. uniq_id : present UTC milliseconds
    6. id : MAC tackle and hostname (utilizing WMI question)
  5. URL encode the info and XOR encode it utilizing a random generated key.
  6. Append the generated XOR key to the encoded information delimited with “&_&”
  7. Kind a HTTP POST physique containing the parameter.
    1. kbaxmaconhuc=
  8. Kind a URL path:
    1. https://///?sort=identify
  9. Ship the info to the command and management URL as a HTTP POST uncooked physique and utilizing the next HTTP request header:
    1. Consumer-Agent: Mozilla/5.0 (Home windows NT 6.1; Win64; x64; rv:69.0) Gecko/20100101 Firefox/50.0′
    2. Content material-Kind: %utility/x-www-form-urlencoded’
  10. Command and management responds an encoded JScript code
  11. Decode and execute Jscript code utilizing eval()

Within the occasion that the C&C server is alive, it would reply with an encoded information as proven in determine 9. The encoded information features a XOR key to decode it. Knowledge and the hot button is delimited with “&_&”  or URL encoded “%26_%26”. The decoded information reveals an extra Jscript code that will probably be executed within the contaminated host.

Would you like to exchange your security for a gift card?

Determine 9: The C&C server responded with this encoded information

The JScript code could possibly be something. However after we decoded it, it reveals a code that gathers system data from the contaminated host.

Would you like to exchange your security for a gift card?

Determine 10: The deobfuscated JScript code that was a part of the code despatched by the C&C server

The next data is collected, encoded then despatched again to the C&C server:

  • Username
  • Hostname
  • Consumer’s System Privilege
  • Makes use of WMI question to get the:
    • Course of proprietor
    • Area identify
    • Pc mannequin
    • Working system data
      • OS identify
      • OS construct
      • OS model
      • Reminiscence capability
      • Free reminiscence out there
      • OS registered consumer
      • OS registered group
      • OS serial quantity
      • Final boot up time
      • Set up date
      • OS structure
      • OS product sort
      • Language code
      • Time zone
      • Variety of customers
      • Desktop monitor sort
      • Desktop decision
      • UAC degree privilege
    • Workplace and Adobe acrobat set up
    • Listing of operating Processes (together with PID)
    • Whether or not the contaminated host is operating in a virtualized setting

After this gathered data is shipped to C&C server. The principle Jscript code enters an infinite loop sleeping for two minutes in every loop iteration then getting a brand new command from the command and management. Right here is the complete assault movement:

Would you like to exchange your security for a gift card?Determine 11: Assault Movement


In abstract, as soon as a USB controller chip is reprogrammed to unintended use (on this case as an emulated USB keyboard) these units could possibly be used to launch an assault and infect unsuspecting customers’ pc with out them realizing it.

A lot of these USB units are extensively identified and utilized by safety professionals. The actual fact that also they are low-cost and available to anybody meant that it was only a matter of time to see this method utilized by criminals “within the wild.” Since USB units are ubiquitous, used, and seen in all places, some take into account them innocuous and protected. Others might be very curious in regards to the contents of an unknown USB gadget. If this story teaches us something, it is that one ought to by no means belief such a tool.


bece1545132af25c68777fade707046c (2nd stage Powershell)
84d77a3b76ac690ce7a60199c88ceeb5 (prada.txt)

UPDATE 27.March.2020:

Since our preliminary publication, we have acquired affirmation from a number of sources that this marketing campaign matches IOCs from comparable campaigns from FIN7 (https://assault.mitre.org/teams/G0046/). FIN7 is a cybercriminal collective that has been concentrating on the hospitality and retail sectors since no less than 2015.

Would you like to exchange your security for a gift card?

As well as, anybody who receives a suspicious USB drive underneath comparable circumstances, ought to contact their native FBI workplace at https://www.fbi.gov/contact-us/field-offices.

spiderlab blog,combi security,trustwave network,spider labs,fin7 usb,trustwave japan,trustwave corporation,fin9 style attack