Beware scam artists bearing gifts – and thumb drives

USB drive

Creative cybercrooks are using a fake $50 gift card as bait to dupe victims into inserting a malicious USB flash drive that can launch keystroke injection attacks, researchers have discovered.

Cybersecurity firm Trustwave was alerted to the social engineering scam by a client who received a letter, purportedly from US electronics retailer Best Buy, containing a gift card and thumb drive, which supposedly offered a list of redeemable products.

Once plugged in, however, the device emulates a USB keyboard and can automatically inject malicious commands without the user realizing, since PCs trust USB keyboard devices by default, a post on Trustwave’s SpiderLabs blog explains.

“If inserted, the USB would establish a… connection back to a command and control system controlled by the cybercriminals where they would first gather intelligence on the user, system, and access privileges then drop the best type of malware based on that intelligence,” Karl Sigler, senior security research manager at Trustwave, told The Daily Swig.

Novel twist

Trustwave’s latest discovery marks a novel twist on ‘Rubber Ducky’ attacks – named after the eponymous penetration testing device that pioneered keystroke injection – which attackers often mount against targets by dropping ‘malicious’ USB memory sticks in their parking lot or waiting room.

Researchers Alejandro Baca and Rodel Mendrez said the fact that such devices are “cheap and readily available to anyone meant that it was just a matter of time to see this technique used by criminals ‘in the wild’” – although this remains rare, they said, since such attacks are typically targeted.

The Best Buy attack was targeted against a US-based hospitality company, probably by the FIN7 threat group, said Sigler. “We’ve received feedback that this campaign is a lot more widespread than we thought,” he added.

Best Buy scam letter and USB driveThe suspicious letter contained a malicious USB drive

Three-stage payload

The researchers extracted the three-stage payload by connecting the thumb drive to an air-gapped laptop.

The first stage de-obfuscated the PowerShell command, which was encoded with a simple substitution cipher that shifted the cipher text ASCII table one step to the left.

The de-obfuscated string then revealed a command that downloaded the second stage PowerShell code.

The second-stage PowerShell execution flow copied wscript.exe to %AppData%\Microsoft\Windows\wipre.exe, decoded a JScript command and saved it as prada.txt, which was executed with the command cmd.exe /c wipre.exe /e:jscript prada.txt.

This resulted in a fake dialog box warning.

The third-stage payload was JScript code saved to prada.txt, which was executed using Windows built-in script host engine, wscript.exe.

The mildly obfuscated JScript registered the infected host to the command and control server with a unique ID, then received an additional JScript code that was executed using the eval() function.

Once executed the JScript code exfiltrated myriad system information from the infected host, including username, user’s system privilege, and OS serial number.

“Never plug in a random device into your computer,” said Sigler.

“If you are in an office setting, report the device to your security team. Cybercriminals rely on the innate curiosity of humans to pull off these kinds of attacks.”

The Daily Swig has contacted Best Buy for comment.

RELATED Google develops Linux tool that tackles USB keystroke injection attacks