Cyber Security

Beware! Hackers Deliver USB Devices Containing Malware Using Best Buy Gift Cards

Hackers distribute malicious USB devices as a gift card from Best Buy for its loyal customers as an attempt to trick the victim’s in using the device.

Letter with USB

Trustwave found such a letter through their client and analyze the USB device further by plugging in air-gapped computers.

BadUSB Device

By observing the serial numbers and other information embedded in the device such as the serial number “HW-374” and by checking in Google researchers found a “BadUSB Leonardo USB ATMEGA32U4” for sale on shopee[.]tw website.

Advertised in website

The USB device contains an Arduino microcontroller ATMEGA32U4 designed to work as a USB keyboard. Once it gets injected in the device it injects various malicious PowerShell commands.

Then it PowerShell commands download a JScript command and save it as prada.txt which is the third level payload.

The JScript is obfuscated and its primary function is to register the infected host with the command and control (C&C) server with a unique ID.

The JScript function is to gather the system information from the infected host. It gathers all the information about the affected host and sends it to the C&C server.

Following are the information it collects

Data Collected
  • Username
  • Hostname
  • User’s System Privilege
  • Uses WMI query to get the:
  • Process owner
  • Domain name
  • Computer model
  • Operating system information
  • OS name
  • OS build
  • OS version
  • Memory capacity
  • Free memory available
  • OS registered user
  • OS registered organization
  • OS serial number
  • Last boot uptime
  • Install date
  • OS architecture
  • OS product type
  • Language code
  • Time zone
  • Number of users
  • Desktop monitor type
  • Desktop resolution
  • UAC level privilege
  • Office and Adobe acrobat installation
  • List of running Processes (including PID)
  • Whether the infected host is running in a virtualized environment

After processing every command the JScript sleeps for two minutes and then gets the new command from the C&C server.

Here is the full attack chain.

Infection Chain
  1. BadUSB distributed through gift cards.
  2. BadUSB plugged in with the Laptop
  3. Get’s recognized as a trusted USB device.
  4. Types in the PowerShell command.
  5. Executes stage 2 PowerShell script.
  6. Malware get’s installed in the system.
  7. Unpacks JScript command and save it as prada.txt
  8. Executes malware.

The USB devices are often used by security professionals for conducting physical pentests, these devices are dropped in parking lots or waiting rooms.

Attackers generally use spam email campaigns as a method to distribute malware, but here they have used the USB method to deliver the malware.


Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.

Recent Posts

SSNDOB Marketplace Admin Jailed for Selling millions of Americans Data

In a resounding triumph for justice, U.S. District Judge Kathryn Kimball Mizelle has sentenced Vitalii…

11 hours ago

Is Your Online Store Hacked in a Carding Attack? Here’s an Action Plan to Protect

Hackers are plotting to benefit from the generosity of Halloween, Thanksgiving, and Christmas shoppers using…

14 hours ago

Google Researchers Find Out How ChatGPT Queries Can Collect Personal Data

The LLMs (Large Language Models) are evolving rapidly with continuous advancements in their research and…

15 hours ago

New Android Malware Employs Various Tactics to Deceive Malware Analyst

In the dynamic realm of mobile application security, cybercriminals employ ever more sophisticated forms of…

17 hours ago

DJvu Ransomware Mimic as Cracked Software to Compromise Computers

A recent campaign has been observed to be delivering DJvu ransomware through a loader that…

18 hours ago

Okta Hack: Threat Actors Downloaded all Customer Support System Users’ Data

In a pivotal update to the Okta security incident divulged in October 2023, Okta Security…

19 hours ago