The FIN7 cybercriminal group has recently targeted the defense industry with malicious USB devices in order to deploy ransomware. Over the past few months the group has been mailing these devices to US companies to infect their computer systems.
Since August 2021, the FBI has received reports of several such suspicious packages containing these malicious USB devices; all of them were addressed to organizations in the following US sector:-
- Defense business organizations
The operators of the FIN7 group used the US Postal Service and the United Parcel Service to deliver these parcels to their targets.
Types of Packages Sent
The threat actors sent two types of packages with these malicious USB devices, but how do they differ?
The first type of package was made to look as if it had been sent by the US Department of Health and Human Services, and it was accompanied by a letter referring to COVID-19 guidance, with the USB drive attached.
The other type of package was disguised by the attackers as an Amazon parcel, in the form of a gift box containing the following items:-
- Forged thank you notes.
- A fake gift card.
- A malicious USB device.
However, one thing is common to both cases: the brand of the USB devices. In this campaign, the threat actors used LilyGO-branded USB devices.
Hackers deployed BlackMatter or REvil Ransomware
Once the target receives the malicious USB drive and connects it to their system, the device automatically begins a BadUSB attack.
Because the malicious USB drive registers itself as a keyboard Human Interface Device (HID), it can send a series of pre-configured keystrokes to the user's PC. These keystrokes launch PowerShell commands that download and install several types of malware on the target's system.
In this way the attackers gain administrative access and then move laterally to other systems on the local network.
To achieve this, the operators of the FIN7 hacking group used several malicious tools, scripts, and ransomware families on their targets' compromised networks, namely:-
- Cobalt Strike
- PowerShell scripts
- BlackMatter ransomware
- REvil ransomware
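The sequence above (a new keyboard-class HID appears, then PowerShell starts from injected keystrokes) is the property defenders can correlate on. The following triage rule is an added example, not code from the article or from FIN7; it assumes endpoint telemetry shaped as dicts with an ISO-8601 "ts", a "type", a "host" and type-specific fields, and the sample events are constructed.

```python
"""Triage rule for the BadUSB pattern described above.

Added example, not the page's or FIN7's code. Telemetry shape is assumed:
each event is a dict with an ISO-8601 "ts", a "type", a "host", and
type-specific fields ("interface" for device events, "image" for processes).
"""
from datetime import datetime

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_badusb_candidates(events, window_seconds=60):
    """Flag PowerShell starts that follow a newly attached keyboard HID on the same host.

    Returns a list of {"host", "hid_added", "process_start", "seconds_after"}.
    A real keyboard plus a human opening PowerShell also matches, so treat hits
    as a triage signal to be reviewed together with the device's vendor strings.
    """
    last_keyboard = {}  # host -> datetime of the most recent new keyboard-class device
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "usb_device_added" and ev.get("interface") == "keyboard":
            last_keyboard[ev["host"]] = t
        elif ev["type"] == "process_start" and _basename(ev["image"]) in POWERSHELL_IMAGES:
            added = last_keyboard.get(ev["host"])
            if added is not None and (t - added).total_seconds() <= window_seconds:
                hits.append({
                    "host": ev["host"],
                    "hid_added": added.isoformat(),
                    "process_start": ev["ts"],
                    "seconds_after": (t - added).total_seconds(),
                })
    return hits


# Constructed sample telemetry (not real logs); product strings are placeholders.
SAMPLE_EVENTS = [
    {"ts": "2021-12-01T09:00:00", "type": "usb_device_added", "host": "WS01",
     "class": "HID", "interface": "keyboard", "product": "<vendor string placeholder>"},
    {"ts": "2021-12-01T09:00:11", "type": "process_start", "host": "WS01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c <placeholder>"},
    {"ts": "2021-12-01T10:30:00", "type": "usb_device_added", "host": "WS02",
     "class": "MassStorage", "interface": "storage", "product": "<vendor string placeholder>"},
    {"ts": "2021-12-01T10:45:00", "type": "process_start", "host": "WS02",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File backup.ps1"},
]

if __name__ == "__main__":
    for hit in find_badusb_candidates(SAMPLE_EVENTS):
        print(hit)
```

Only the WS01 pair is flagged: the storage-class device on WS02 is not a keyboard, and its PowerShell start is 15 minutes later anyway. Tightening the window, or requiring the device to be an unknown vendor, reduces noise from ordinary keyboard swaps.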
Step-by-step Execution of the JScript Code
- Generates a unique ID from the current UTC time in milliseconds
- Checks whether the script is located in the folder %AppData%\Microsoft\Windows and deletes itself if it is not
- Delays execution for 2 minutes
- Generates a data blob containing the following information:
  - group : f1 (hardcoded)
  - rt : 2 (hardcoded)
  - secret : secret hash (hardcoded)
  - time : 120000
  - uniq_id : current UTC milliseconds
  - id : MAC address and hostname (obtained via a WMI query)
- URL-encodes the data and XOR-encodes it using a randomly generated key
- Appends the generated XOR key to the encoded data, delimited with "&_&"
- Forms an HTTP POST body containing the parameter:
  - kbaxmaconhuc=<encoded data+generated XOR key>
- Forms a URL path:
  - https://<command and control domain>/<random path>/<random file>/?type=name
- Sends the data to the command and control URL as a raw HTTP POST body using the following HTTP request headers:
  - User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:69.0) Gecko/20100101 Firefox/50.0
  - Content-Type: application/x-www-form-urlencoded
- The command and control server responds with encoded JScript code
- The script decodes the JScript code and executes it using eval()
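For analysts working from a packet capture or proxy log, the beacon layout listed above can be reversed with a short decoder. The code below is an added example, not the article's or FIN7's code; two details the write-up does not state are assumed and marked in comments: that the XOR output is hex-encoded before the key is appended, and that the key is plain ASCII letters and digits. The sample beacon is constructed from placeholder values.

```python
"""Decoder for the beacon layout listed above (added example, not FIN7's code).

Assumptions not stated on the page: the XOR output is hex-encoded before the
key is appended, and the key consists of plain ASCII letters and digits.
"""
from urllib.parse import parse_qs, urlencode

PARAM_NAME = "kbaxmaconhuc"   # POST parameter name from the write-up
KEY_DELIMITER = "&_&"         # separator between payload and XOR key


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample_beacon(fields: dict, key: str) -> str:
    """Build a POST body in the described layout.

    Used here only to construct a sample capture for the decoder below.
    """
    url_encoded = urlencode(fields)                                     # URL-encode the data
    payload_hex = xor_bytes(url_encoded.encode(), key.encode()).hex()  # XOR; hex is our assumption
    return f"{PARAM_NAME}={payload_hex}{KEY_DELIMITER}{key}"          # append key after "&_&"


def decode_beacon(body: str) -> dict:
    """Recover the beacon fields from a captured POST body, or raise ValueError."""
    name, sep, rest = body.partition("=")
    if not sep or name != PARAM_NAME:
        raise ValueError(f"unexpected parameter name: {name!r}")
    payload_hex, sep, key = rest.rpartition(KEY_DELIMITER)
    if not sep or not key or not payload_hex:
        raise ValueError("missing '&_&' key delimiter or empty key/payload")
    try:
        plaintext = xor_bytes(bytes.fromhex(payload_hex), key.encode()).decode()
    except ValueError as exc:  # bad hex or non-UTF-8 result after XOR
        raise ValueError(f"payload does not decode with the appended key: {exc}") from exc
    # parse_qs URL-decodes the values and groups repeats; beacon fields appear once.
    return {k: v[0] for k, v in parse_qs(plaintext).items()}


def is_fin7_style_beacon(body: str) -> bool:
    """Cheap triage check: decoding succeeds and the hardcoded markers are present."""
    try:
        fields = decode_beacon(body)
    except ValueError:
        return False
    return fields.get("group") == "f1" and fields.get("rt") == "2" and "uniq_id" in fields


# Constructed sample values (not real victim data); the secret hash is a placeholder.
SAMPLE_FIELDS = {
    "group": "f1",
    "rt": "2",
    "secret": "SECRET_HASH_PLACEHOLDER",
    "time": "120000",
    "uniq_id": "1640995200000",
    "id": "00-11-22-33-44-55|WORKSTATION01",
}
SAMPLE_BODY = build_sample_beacon(SAMPLE_FIELDS, key="k3y")

if __name__ == "__main__":
    print(SAMPLE_BODY)
    print(decode_beacon(SAMPLE_BODY))
```

Because the key travels with the message, the encoding hides nothing from anyone who can read the body; its purpose is only to defeat naive string matching, which is why the triage check keys on the hardcoded group and rt values after decoding rather than on the raw POST body.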
FIN7 has organized similar malicious campaigns before: in 2020 the group sent its victims parcels containing gift certificates and stuffed animals.