#Privacy: Malicious USB drive sent to customers

Security experts have discovered a highly targeted attack using physical media to spread and download malware. 

In a blog post, Trustwave explained it had become aware of the attack after one of its customers’ partners had received a suspicious letter claiming to be from Best Buy. 

The letter says: “Best Buy company thanks you for being our regular customer for a long period of time, so we would like to send you a gift card in the amount of $50. You can spend it on any product from the list of items presented on a USB stick.”

An analysis found that the USB drive utilises an Arduino microcontroller ATMEGA32U4 and is programmed to emulate a USB keyboard. 

“Since PCs trust keyboard USB devices by default, once it is plugged in, the keyboard emulator can automatically inject malicious commands,” Trustwave explained. 

The analysis uncovered a PowerShell payload designed to install second-stage PowerShell code from the internet, which then downloads malicious JavaScript.

“The JScript code could be anything. But when we decoded it, it reveals a code that gathers system information from the infected host.”

The collected information includes the username, hostname, the user’s system privilege, domain name, computer model, operating system information and more, all of which is encoded and then sent back to the C&C server.

After the information is sent to the C&C server, the main JavaScript code enters an infinite loop, sleeping for two minutes in each iteration and then receiving a new command from the command-and-control server.
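The fixed two-minute polling loop described above leaves a regular pattern that defenders can hunt for in proxy or DNS logs. The following Python sketch is an added example, not code from Trustwave or the original article; the log format, host names, dates and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed proxy log (timestamp, source host, destination); not real traffic.
SAMPLE_LOG = """\
2020-01-01T09:00:03 ws-014 c2.example.invalid
2020-01-01T09:00:10 ws-014 intranet.example.invalid
2020-01-01T09:00:45 ws-014 intranet.example.invalid
2020-01-01T09:02:04 ws-014 c2.example.invalid
2020-01-01T09:04:03 ws-014 c2.example.invalid
2020-01-01T09:06:05 ws-014 c2.example.invalid
2020-01-01T09:07:30 ws-014 intranet.example.invalid
2020-01-01T09:08:04 ws-014 c2.example.invalid
2020-01-01T09:09:02 ws-014 intranet.example.invalid
2020-01-01T09:09:40 ws-014 intranet.example.invalid
2020-01-01T09:10:04 ws-014 c2.example.invalid
"""

def parse(log_text):
    """Group request timestamps by (source host, destination)."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        try:
            seen[(parts[1], parts[2])].append(datetime.fromisoformat(parts[0]))
        except ValueError:
            continue  # skip lines with an unparseable timestamp
    return seen

def find_beacons(log_text, period=120, tolerance=10, min_events=5, ratio=0.8):
    """Return (host, dest, median_gap) for pairs polling roughly every `period` seconds."""
    hits = []
    for (host, dest), times in parse(log_text).items():
        if len(times) < min_events:
            continue  # too few requests to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        regular = sum(abs(g - period) <= tolerance for g in gaps)
        # Allow a few missed or delayed polls rather than requiring every gap to match.
        if regular / len(gaps) >= ratio:
            hits.append((host, dest, median(gaps)))
    return sorted(hits)

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

A match is a lead for investigation rather than proof, since legitimate software also polls at fixed intervals.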

“These types of USB devices are widely known and used by security professionals. The fact that they are also cheap and readily available to anyone meant that it was just a matter of time to see this technique used by criminals ‘in the wild’,” Trustwave concluded. 

“Since USB devices are ubiquitous, used, and seen everywhere, some consider them innocuous and safe. Others can be very curious about the contents of an unknown USB device. If this story teaches us anything, it’s that one should never trust such a device.”

