The FBI is warning of a new wave of attacks carried out by the FIN7 APT group that is sending to the victims devices acting as a keyboard (HID Emulator USB) when plugged into a computer.
One of these attacks was analyzed by experts from Trustwave, one of the clients of the
The packages have been sent to several businesses, including
It is quite easy to find development boards like Arduino that could be configured to emulate a human interface device (HID) such as keyboards and launch a pre-configured set of keystrokes to load and execute any sort of malware.
“To start the analysis, we inspected the drive for inscriptions such as serial numbers. At the head of the drive
“This USB device uses an Arduino microcontroller ATMEGA32U4 and was programmed to emulate a USB keyboard. Since PCs trust
“After this gathered information is sent to C&C server. The main
“In summary, once a USB controller chip is reprogrammed to unintended use (in this case as an emulated USB keyboard) these devices could be used to launch an attack and infect unsuspecting users’ computer without them realizing it.” concludes Trustwave.
“These types of USB devices are widely known and used by security professionals. The fact that they are also
“The fact that FIN7 and other cyber gangs started conducting attacks via USB sticks suggests that the defenses against spear-phishing are exponentially improving,” said Bongiorni.
“Probably soon, attackers will move from simple USB sticks to more advanced solutions like a USB cable (e.g. #USBsamurai or #EvilCrow). Using a “malicious implant” inside them attackers could conduct BADUSB type attacks. Let’s think of a mouse or a USB fan embedding #WHIDelite.“
An example of remote control via GSM network via a USB keyboard inside which a #WHIDelite is available here: