UPDATED March 27, 2020
Overview
We often talk about attackers targeting companies with social engineering attacks. These usually take the form of phishing attacks that attempt to trick the recipient into opening a malicious attachment or clicking on a malicious link. Less discussed are targeted attacks using physical media. Penetration Testers that perform physical "pentests" are well versed in dropping "malicious" USB sticks in a target's parking lot or waiting room. More complex are so-called "Rubber Ducky" (https://github.com/hak5darren/USB-Rubber-Ducky/wiki) attacks, where what looks like a USB stick is actually, in effect, a malicious USB keyboard preloaded with keystrokes. Those types of attacks are typically so explicitly targeted that it's rare to find them coming from actual attackers in the wild. Rare, but still out there.
The Attack
This letter was supposedly from Best Buy giving out a $50 gift card to its loyal customers. Included in this letter is seemingly a USB drive that claims to contain a list of items to spend on. Very nice gesture!
Figure 1. Suspicious Best Buy gift card containing a malicious USB device
One of our digital forensics and incident response retainer clients brought this device to our attention. One of their business associates received this suspicious letter. Fortunately, our client and their associate did not plug the drive into any computer. Thank you, security training!
Analysis
To start the analysis, we inspected the drive for inscriptions such as serial numbers. At the head of the drive on the printed circuit board we saw “HW-374”. A quick Google search for this string found a “BadUSB Leonardo USB ATMEGA32U4” for sale on shopee.tw.
Figure 2: The website images matched the drive that the client received!
This USB device uses an Arduino microcontroller ATMEGA32U4 and was programmed to emulate a USB keyboard. Since PCs trust keyboard USB devices by default, once it is plugged in, the keyboard emulator can automatically inject malicious commands.
To quickly get the payload off the USB drive we connected it to an air-gapped laptop that had Ubuntu installed while Wireshark captured traffic on the third USB bus and the active window was set Vim. We figured Vim could act as a rudimentary jail to capture traffic and that the intended target is the Windows OS. Sure enough, we were presented with the following payload.
Powershell Payload
Figure 3. Payload was intercepted through VIM and reveals an obfuscated PowerShell script
De-obfuscating the PowerShell command is a simple mono substitution cipher by which the cipher text ASCII table is shifted 1 step to the left. For example, to decode the character ‘j’ can be done by shifting 1 step backward and is equal to ‘i’, for ‘f’ is substituted by ‘e’ then ‘y’ = ‘x’ so on and so forth.
Figure 4. PowerShell command deobfuscated using CyberChef
The de-obfuscated string reveals a command that downloads the second stage PowerShell code from hxxps://milkmovemoney[.]com/st/mi.ini.
Figure 5. Downloaded 2nd Stage Powershell Code
Figure 6
To summarize, this is the second stage PowerShell execution flow:
- Copy wscript.exe to %AppData%\Microsoft\Windows\wipre.exe
- Decode a JScript command and save it as prada.txt
- Execute prada.txt with the command “cmd.exe /c wipre.exe /e:jscript prada.txt”
- Show a fake message box warning
Figure 7. A convincing fake message box pops up
Javascript Payload
The Jscript code saved to prada.txt is the third stage payload. This is executed using the Windows built-in script host engine - wscript.exe.
Figure 8. de-obfuscated JScript saved as Prada.txt
The Jscript is mildly obfuscated using a simple variable substitution. The main function of this script is to register the infected host to the command and control (C&C) server with a unique ID, then in return, it receives an additional JScript code that is executed using eval() function.
Below is the step by step execution flow of the Jscript code:
- Generates a unique ID by getting the current UTC milliseconds
- Check if the script is in the folder %AppData%\Microsoft\Windows and delete itself if it is not
- Delay execution for 2 minutes
- Generate a data containing the following information:
- group : f1 (hardcoded)
- rt : 2 (hardcoded)
- secret : secret hash (hardcoded)
- time : 120000
- uniq_id : current UTC milliseconds
- id : MAC address and hostname (using WMI query)
- URL encode the data and XOR encode it using a random generated key.
- Append the generated XOR key to the encoded data delimited with “&_&”
- Form a HTTP POST body containing the parameter.
- kbaxmaconhuc=<encoded data+generated XOR key>
- Form a URL path:
- https://<command and control domain>/<random path>/<random file>/?type=name
- Send the data to the command and control URL as a HTTP POST raw body and using the following HTTP request header:
- User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:69.0) Gecko/20100101 Firefox/50.0'
- Content-Type: %application/x-www-form-urlencoded'
- Command and control responds an encoded JScript code
- Decode and execute Jscript code using eval()
In the event that the C&C server is alive, it will respond with an encoded data as shown in figure 9. The encoded data includes a XOR key to decode it. Data and the key is delimited with “&_&” or URL encoded “%26_%26”. The decoded data reveals an additional Jscript code that will be executed in the infected host.
Figure 9: The C&C server responded with this encoded data
The JScript code could be anything. But when we decoded it, it reveals a code that gathers system information from the infected host.
Figure 10: The deobfuscated JScript code that was part of the code sent by the C&C server
The following information is collected, encoded then sent back to the C&C server:
- Username
- Hostname
- User’s System Privilege
- Uses WMI query to get the:
- Process owner
- Domain name
- Computer model
- Operating system information
- OS name
- OS build
- OS version
- Memory capacity
- Free memory available
- OS registered user
- OS registered organization
- OS serial number
- Last boot up time
- Install date
- OS architecture
- OS product type
- Language code
- Time zone
- Number of users
- Desktop monitor type
- Desktop resolution
- UAC level privilege
- Office and Adobe acrobat installation
- List of running Processes (including PID)
- Whether the infected host is running in a virtualized environment
After this gathered information is sent to C&C server. The main Jscript code enters an infinite loop sleeping for 2 minutes in each loop iteration then getting a new command from the command and control. Here is the full attack flow:
Figure 11: Attack Flow
Conclusion
In summary, once a USB controller chip is reprogrammed to unintended use (in this case as an emulated USB keyboard) these devices could be used to launch an attack and infect unsuspecting users’ computer without them realizing it.
These types of USB devices are widely known and used by security professionals. The fact that they are also cheap and readily available to anyone meant that it was just a matter of time to see this technique used by criminals "in the wild." Since USB devices are ubiquitous, used, and seen everywhere, some consider them innocuous and safe. Others can be very curious about the contents of an unknown USB device. If this story teaches us anything, it's that one should never trust such a device.
IOCs
bece1545132af25c68777fade707046c (2nd stage Powershell)
84d77a3b76ac690ce7a60199c88ceeb5 (prada.txt)
UPDATE 27.March.2020:
Since our initial publication, we've received confirmation from multiple sources that this campaign matches IOCs from similar campaigns from FIN7 (https://attack.mitre.org/groups/G0046/). FIN7 is a cybercriminal collective that has been targeting the hospitality and retail sectors since at least 2015.
In addition, anyone who receives a suspicious USB drive under similar circumstances, should contact their local FBI office at https://www.fbi.gov/contact-us/field-offices.
