Trustwave SpiderLabs Exposes Unique Cybersecurity Threats in the Public Sector. Learn More

Trustwave SpiderLabs Exposes Unique Cybersecurity Threats in the Public Sector. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Would You Exchange Your Security for a Gift Card?

UPDATED March 27, 2020


We often talk about attackers targeting companies with social engineering attacks. These usually take the form of phishing attacks that attempt to trick the recipient into opening a malicious attachment or clicking on a malicious link. Less discussed are targeted attacks using physical media. Penetration Testers that perform physical "pentests" are well versed in dropping "malicious" USB sticks in a target's parking lot or waiting room. More complex are so-called "Rubber Ducky" ( attacks, where what looks like a USB stick is actually, in effect, a malicious USB keyboard preloaded with keystrokes. Those types of attacks are typically so explicitly targeted that it's rare to find them coming from actual attackers in the wild. Rare, but still out there.

The Attack

This letter was supposedly from Best Buy giving out a $50 gift card to its loyal customers. Included in this letter is seemingly a USB drive that claims to contain a list of items to spend on. Very nice gesture!

Gift Card Letter
Figure 1. Suspicious Best Buy gift card containing a malicious USB device


One of our digital forensics and incident response retainer clients brought this device to our attention. One of their business associates received this suspicious letter. Fortunately, our client and their associate did not plug the drive into any computer. Thank you, security training!


To start the analysis, we inspected the drive for inscriptions such as serial numbers. At the head of the drive on the printed circuit board we saw “HW-374”. A quick Google search for this string found a “BadUSB Leonardo USB ATMEGA32U4” for sale on


Figure 2: The website images matched the drive that the client received!


This USB device uses an Arduino microcontroller ATMEGA32U4 and was programmed to emulate a USB keyboard. Since PCs trust keyboard USB devices by default, once it is plugged in, the keyboard emulator can automatically inject malicious commands.

To quickly get the payload off the USB drive we connected it to an air-gapped laptop that had Ubuntu installed while Wireshark captured traffic on the third USB bus and the active window was set Vim. We figured Vim could act as a rudimentary jail to capture traffic and that the intended target is the Windows OS. Sure enough, we were presented with the following payload.


Powershell Payload


Figure 3. Payload was intercepted through VIM and reveals an obfuscated PowerShell script


De-obfuscating the PowerShell command is a simple mono substitution cipher by which the cipher text ASCII table is shifted 1 step to the left. For example, to decode the character ‘j’ can be done by shifting 1 step backward and is equal to ‘i’, for ‘f’ is substituted by ‘e’ then ‘y’ = ‘x’ so on and so forth.


Decoding the payload
Figure 4. PowerShell command deobfuscated using CyberChef


The de-obfuscated string reveals a command that downloads the second stage PowerShell code from hxxps://milkmovemoney[.]com/st/mi.ini.



Figure 5. Downloaded 2nd Stage Powershell Code


Downloaded script
Figure 6


To summarize, this is the second stage PowerShell execution flow:

  1. Copy wscript.exe to %AppData%\Microsoft\Windows\wipre.exe
  2. Decode a JScript command and save it as prada.txt
  3. Execute prada.txt with the command “cmd.exe /c wipre.exe /e:jscript prada.txt”
  4. Show a fake message box warning
Fake Message Box
Figure 7. A convincing fake message box pops up


Javascript Payload

The Jscript code saved to prada.txt is the third stage payload. This is executed using the Windows built-in script host engine - wscript.exe.


Figure 8. de-obfuscated JScript saved as Prada.txt


The Jscript is mildly obfuscated using a simple variable substitution. The main function of this script is to register the infected host to the command and control (C&C) server with a unique ID, then in return, it receives an additional JScript code that is executed using eval() function.

Below is the step by step execution flow of the Jscript code:

  1. Generates a unique ID by getting the current UTC milliseconds
  2. Check if the script is in the folder %AppData%\Microsoft\Windows and delete itself if it is not
  3. Delay execution for 2 minutes
  4. Generate a data containing the following information:
    1. group : f1 (hardcoded)
    2. rt : 2 (hardcoded)
    3. secret : secret hash (hardcoded)
    4. time : 120000
    5. uniq_id : current UTC milliseconds
    6. id : MAC address and hostname (using WMI query)
  5. URL encode the data and XOR encode it using a random generated key.
  6. Append the generated XOR key to the encoded data delimited with “&_&”
  7. Form a HTTP POST body containing the parameter.
    1. kbaxmaconhuc=<encoded data+generated XOR key>
  8. Form a URL path:
    1. https://<command and control domain>/<random path>/<random file>/?type=name
  9. Send the data to the command and control URL as a HTTP POST raw body and using the following HTTP request header:
    1. User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:69.0) Gecko/20100101 Firefox/50.0'
    2. Content-Type: %application/x-www-form-urlencoded'
  10. Command and control responds an encoded JScript code
  11. Decode and execute Jscript code using eval()

In the event that the C&C server is alive, it will respond with an encoded data as shown in figure 9. The encoded data includes a XOR key to decode it. Data and the key is delimited with “&_&”  or URL encoded “%26_%26”. The decoded data reveals an additional Jscript code that will be executed in the infected host.


Encoded Data
Figure 9: The C&C server responded with this encoded data


The JScript code could be anything. But when we decoded it, it reveals a code that gathers system information from the infected host.


Figure 10: The deobfuscated JScript code that was part of the code sent by the C&C server


The following information is collected, encoded then sent back to the C&C server:

  • Username
  • Hostname
  • User’s System Privilege
  • Uses WMI query to get the:
    • Process owner
    • Domain name
    • Computer model
    • Operating system information
      • OS name
      • OS build
      • OS version
      • Memory capacity
      • Free memory available
      • OS registered user
      • OS registered organization
      • OS serial number
      • Last boot up time
      • Install date
      • OS architecture
      • OS product type
      • Language code
      • Time zone
      • Number of users
      • Desktop monitor type
      • Desktop resolution
      • UAC level privilege
    • Office and Adobe acrobat installation
    • List of running Processes (including PID)
    • Whether the infected host is running in a virtualized environment

After this gathered information is sent to C&C server. The main Jscript code enters an infinite loop sleeping for 2 minutes in each loop iteration then getting a new command from the command and control. Here is the full attack flow:


Attack_flowFigure 11: Attack Flow



In summary, once a USB controller chip is reprogrammed to unintended use (in this case as an emulated USB keyboard) these devices could be used to launch an attack and infect unsuspecting users’ computer without them realizing it.

These types of USB devices are widely known and used by security professionals. The fact that they are also cheap and readily available to anyone meant that it was just a matter of time to see this technique used by criminals "in the wild." Since USB devices are ubiquitous, used, and seen everywhere, some consider them innocuous and safe. Others can be very curious about the contents of an unknown USB device. If this story teaches us anything, it's that one should never trust such a device.


bece1545132af25c68777fade707046c (2nd stage Powershell)
84d77a3b76ac690ce7a60199c88ceeb5 (prada.txt)


UPDATE 27.March.2020:

Since our initial publication, we've received confirmation from multiple sources that this campaign matches IOCs from similar campaigns from FIN7 ( FIN7 is a cybercriminal collective that has been targeting the hospitality and retail sectors since at least 2015.




In addition, anyone who receives a suspicious USB drive under similar circumstances, should contact their local FBI office at

Latest SpiderLabs Blogs

2024 Public Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies

Trustwave SpiderLabs’ 2024 Public Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies report details the security issues facing public sector security teams as...

Read More

How to Create the Asset Inventory You Probably Don't Have

This is Part 12 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here.

Read More

Guardians of the Gateway: Identity and Access Management Best Practices

This is Part 10 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here.

Read More