Trustwave SpiderLabs Uncovers Critical Cybersecurity Vulnerabilities Exposing Manufacturers to Costly Attacks. Learn More

Trustwave SpiderLabs Uncovers Critical Cybersecurity Vulnerabilities Exposing Manufacturers to Costly Attacks. Learn More

Managed Detection & Response

Eradicate cyberthreats with world-class intel and expertise

Managed Security Services

Expand your team’s capabilities and strengthen your security posture

Consulting & Professional Services

Tap into our global team of tenured cybersecurity specialists

Penetration Testing

Subscription- or project-based testing, delivered by global experts

Database Security

Get ahead of database risk, protect data and exceed compliance requirements

Email Security & Management

Catch email threats others miss with layered security & maximum control

Co-Managed SOC (SIEM)

Eliminate alert fatigue, focus your SecOps team, stop threats fast, and reduce cyber risk

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
The Trustwave Approach
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Platform
SpiderLabs Fusion Center
Security Operations Centers
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Would You Exchange Your Security for a Gift Card?

UPDATED March 27, 2020


We often talk about attackers targeting companies with social engineering attacks. These usually take the form of phishing attacks that attempt to trick the recipient into opening a malicious attachment or clicking on a malicious link. Less discussed are targeted attacks using physical media. Penetration Testers that perform physical "pentests" are well versed in dropping "malicious" USB sticks in a target's parking lot or waiting room. More complex are so-called "Rubber Ducky" ( attacks, where what looks like a USB stick is actually, in effect, a malicious USB keyboard preloaded with keystrokes. Those types of attacks are typically so explicitly targeted that it's rare to find them coming from actual attackers in the wild. Rare, but still out there.

The Attack

This letter was supposedly from Best Buy giving out a $50 gift card to its loyal customers. Included in this letter is seemingly a USB drive that claims to contain a list of items to spend on. Very nice gesture!

Gift Card Letter
Figure 1. Suspicious Best Buy gift card containing a malicious USB device


One of our digital forensics and incident response retainer clients brought this device to our attention. One of their business associates received this suspicious letter. Fortunately, our client and their associate did not plug the drive into any computer. Thank you, security training!


To start the analysis, we inspected the drive for inscriptions such as serial numbers. At the head of the drive on the printed circuit board we saw “HW-374”. A quick Google search for this string found a “BadUSB Leonardo USB ATMEGA32U4” for sale on


Figure 2: The website images matched the drive that the client received!


This USB device uses an Arduino microcontroller ATMEGA32U4 and was programmed to emulate a USB keyboard. Since PCs trust keyboard USB devices by default, once it is plugged in, the keyboard emulator can automatically inject malicious commands.

To quickly get the payload off the USB drive we connected it to an air-gapped laptop that had Ubuntu installed while Wireshark captured traffic on the third USB bus and the active window was set Vim. We figured Vim could act as a rudimentary jail to capture traffic and that the intended target is the Windows OS. Sure enough, we were presented with the following payload.


Powershell Payload


Figure 3. Payload was intercepted through VIM and reveals an obfuscated PowerShell script


De-obfuscating the PowerShell command is a simple mono substitution cipher by which the cipher text ASCII table is shifted 1 step to the left. For example, to decode the character ‘j’ can be done by shifting 1 step backward and is equal to ‘i’, for ‘f’ is substituted by ‘e’ then ‘y’ = ‘x’ so on and so forth.


Decoding the payload
Figure 4. PowerShell command deobfuscated using CyberChef


The de-obfuscated string reveals a command that downloads the second stage PowerShell code from hxxps://milkmovemoney[.]com/st/mi.ini.



Figure 5. Downloaded 2nd Stage Powershell Code


Downloaded script
Figure 6


To summarize, this is the second stage PowerShell execution flow:

  1. Copy wscript.exe to %AppData%\Microsoft\Windows\wipre.exe
  2. Decode a JScript command and save it as prada.txt
  3. Execute prada.txt with the command “cmd.exe /c wipre.exe /e:jscript prada.txt”
  4. Show a fake message box warning
Fake Message Box
Figure 7. A convincing fake message box pops up


Javascript Payload

The Jscript code saved to prada.txt is the third stage payload. This is executed using the Windows built-in script host engine - wscript.exe.


Figure 8. de-obfuscated JScript saved as Prada.txt


The Jscript is mildly obfuscated using a simple variable substitution. The main function of this script is to register the infected host to the command and control (C&C) server with a unique ID, then in return, it receives an additional JScript code that is executed using eval() function.

Below is the step by step execution flow of the Jscript code:

  1. Generates a unique ID by getting the current UTC milliseconds
  2. Check if the script is in the folder %AppData%\Microsoft\Windows and delete itself if it is not
  3. Delay execution for 2 minutes
  4. Generate a data containing the following information:
    1. group : f1 (hardcoded)
    2. rt : 2 (hardcoded)
    3. secret : secret hash (hardcoded)
    4. time : 120000
    5. uniq_id : current UTC milliseconds
    6. id : MAC address and hostname (using WMI query)
  5. URL encode the data and XOR encode it using a random generated key.
  6. Append the generated XOR key to the encoded data delimited with “&_&”
  7. Form a HTTP POST body containing the parameter.
    1. kbaxmaconhuc=<encoded data+generated XOR key>
  8. Form a URL path:
    1. https://<command and control domain>/<random path>/<random file>/?type=name
  9. Send the data to the command and control URL as a HTTP POST raw body and using the following HTTP request header:
    1. User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:69.0) Gecko/20100101 Firefox/50.0'
    2. Content-Type: %application/x-www-form-urlencoded'
  10. Command and control responds an encoded JScript code
  11. Decode and execute Jscript code using eval()

In the event that the C&C server is alive, it will respond with an encoded data as shown in figure 9. The encoded data includes a XOR key to decode it. Data and the key is delimited with “&_&”  or URL encoded “%26_%26”. The decoded data reveals an additional Jscript code that will be executed in the infected host.


Encoded Data
Figure 9: The C&C server responded with this encoded data


The JScript code could be anything. But when we decoded it, it reveals a code that gathers system information from the infected host.


Figure 10: The deobfuscated JScript code that was part of the code sent by the C&C server


The following information is collected, encoded then sent back to the C&C server:

  • Username
  • Hostname
  • User’s System Privilege
  • Uses WMI query to get the:
    • Process owner
    • Domain name
    • Computer model
    • Operating system information
      • OS name
      • OS build
      • OS version
      • Memory capacity
      • Free memory available
      • OS registered user
      • OS registered organization
      • OS serial number
      • Last boot up time
      • Install date
      • OS architecture
      • OS product type
      • Language code
      • Time zone
      • Number of users
      • Desktop monitor type
      • Desktop resolution
      • UAC level privilege
    • Office and Adobe acrobat installation
    • List of running Processes (including PID)
    • Whether the infected host is running in a virtualized environment

After this gathered information is sent to C&C server. The main Jscript code enters an infinite loop sleeping for 2 minutes in each loop iteration then getting a new command from the command and control. Here is the full attack flow:


Attack_flowFigure 11: Attack Flow



In summary, once a USB controller chip is reprogrammed to unintended use (in this case as an emulated USB keyboard) these devices could be used to launch an attack and infect unsuspecting users’ computer without them realizing it.

These types of USB devices are widely known and used by security professionals. The fact that they are also cheap and readily available to anyone meant that it was just a matter of time to see this technique used by criminals "in the wild." Since USB devices are ubiquitous, used, and seen everywhere, some consider them innocuous and safe. Others can be very curious about the contents of an unknown USB device. If this story teaches us anything, it's that one should never trust such a device.


bece1545132af25c68777fade707046c (2nd stage Powershell)
84d77a3b76ac690ce7a60199c88ceeb5 (prada.txt)


UPDATE 27.March.2020:

Since our initial publication, we've received confirmation from multiple sources that this campaign matches IOCs from similar campaigns from FIN7 ( FIN7 is a cybercriminal collective that has been targeting the hospitality and retail sectors since at least 2015.




In addition, anyone who receives a suspicious USB drive under similar circumstances, should contact their local FBI office at

Latest SpiderLabs Blogs

Trustwave SpiderLabs Report: LockBit 3.0 Ransomware Vs. the Manufacturing Sector

As the manufacturing sector continues its digital transformation, Operational Technology (OT), Industrial Control Systems (ICS), and Supervisory Control and Data Acquisition (SCADA) are becoming...

Read More

Overview of the Cyberwarfare used in Israel – Hamas War

On October 7, 2023, the Palestinian organization Hamas launched the biggest attack on Israel in years, resulting in numerous casualties and hostages taken. Israel responded with a large-scale ground...

Read More

The 2023 Retail Services Sector Threat Landscape: A Trustwave Threat Intelligence Briefing

The annual holiday shopping season is poised for a surge in spending, a fact well-known to retailers, consumers, and cybercriminals alike. The latter group, however, is poised to exploit any...

Read More