Rare phishing attack: company delivered malware-laden USB drive

The so-called BadUSB attack executed with the help of a letter that included a gift card from BestBuy

BadUSB delivered to a company

BadUSB delivered to a company

Trustwave security research team published an article about a relatively rare malware distribution case.[1] A physical USB drive was sent to an undisclosed US hospitality company – it also included a brief notification. Inside the letter with a BestBuy logo, the sender claimed that a $50-worth of a gift card is provided for the company’s loyal customers, and items can be chosen from a list provided inside the USB stick, which should be plugged into a computer.

The company did not give in to the phishing attempt and contacted security experts at Trustwave instead, who revealed that the firm encountered a so-called BadUSB attack. The technique allows malicious actors to hack firmware within the device, altering its functionality altogether. As it turned out, the sent USB drive was boobytrapped with a function that would emulate keyboard presses on the affected computer, executing malicious commands in the background and downloading an unknown malware as a final payload.

Trustwave researchers said that such attacks are extremely rare, although possible nonetheless:

More complex are so-called “Rubber Ducky” attacks, where what looks like a USB stick is actually, in effect, a malicious USB keyboard preloaded with keystrokes. Those types of attacks are typically so explicitly targeted that it’s rare to find them coming from actual attackers in the wild. Rare, but still out there.

Phishing and hacking employed to deliver malware

There are many attack vectors in the wild that are used by cybercriminals to infect organisations worldwide with ransomware or data stealing malware. In all cases, threat actors seek to harvest the sensitive company information for blackmail[2] or sell it online for profit. In any case, the ultimate goal of hackers most often than not is monetary gain, and new techniques are developed to deliver malware that could help them reach their goals.

Online phishing is one of the most commonly used tactics – the deceptive messages are delivered through malicious emails or hacked websites. However, in this case, company received a real-life, physical letter that included a fake message inside – it is quite unusual. Inside was the alleged BestBuy gift card:

February 12, 2020

Dear XXX,

Best Buy company thanks you for being our regular customer for a long period of time, so we would like to send you a gift card in the amount of $50. You can spend it on any product from the list of items presented on a USB stick.

Thank you again for choosing us!


Jonas Nills,
Customer Relations

Using well-known company names inside a scam email is relatively common, although it is not common to send that letter in the mail.

Inside the BadUSB – JScript bot malware

To begin the analysis, researchers looked at the USB stick by using serial numbers and similar data. They soon found that the device is sold online under the name “BadUSB Leonardo USB ATMEGA32U4” and that the Arduino microcontroller is used to emulate a USB keyboard, which would function immediately after connecting it to a computer.

According to Trustwave tests, the plugged-in USB stick would emulate keyboard presses to launch a PowerShell command, which would then download another script on the system. Once executed, it would contact a remote server and download JScript-based malware. At this point, victims are shown a fake pop-up that the connected USB device malfunctioned, and Windows cannot recognize it. The latter is just another technique to prevent users from recognizing malicious activity performed in the background.

Once installed, malware would generate a unique ID and connect the computer to a C&C server – all the communication is also encrypted with the XOR algorithm.[3] During its communication routine, the JScript code is sent over, and it can be programmed to do anything. When experts analyzed the code, they saw that this version was designed to collect information like username, system privilege, OS data, computer model, list of running processes, and much more.

Considering that this JScript bot gathers a variety of information, its main function is most likely to escalate privileges and then deliver additional malware payload – all while victims know nothing about the attack.

While it is yet unknown who is the behind the attack (although some researchers name criminal gang FIN7[4] as a culprit),[5] this BadUSB attack proves that physical items can be used in a clever scheme to deliver all types of malware via the USB device, so they should not be easily trusted.