USNH Cybersecurity

As recently as November 2021, the FBI has observed the cyber criminal group known as FIN7 targeting the US defense industry with a package containing a fraudulent thank you letter, counterfeit Amazon gift card, and a USB device. The enclosed USB provided by the group is a commercially available device known as a “BadUSB” or “Bad Beetle USB,” typically with the logo “LilyGO.” When plugged into a computer system, the USB device automatically injects a series of keystrokes in order to download and execute a malware payload. FIN7 seeks to deploy ransomware within a compromised network using a variety of tools including Metasploit, Cobalt Strike, PowerShell scripts, Carbanak, GRIFFON, DICELOADER, and TIRION for financial gain.

Indicators
Packages with the USB device may include letters, gift cards, and other miscellaneous items. The USB devices may also have the recipient’s name written on them with a marker. The USB device, known as “BadUSB” or “Bad Beetle USB,” is commonly available for purchase on the Internet. There are many types of “BadUSB” products available. Several of the received “BadUSB” devices were “LilyGO” devices, which are available for shipping to the United States from China. All of the USB devices observed by the FBI to date were silver with a swivel cover.

Example #1


The first variation of the mailings contained a letter imitating HHS and referencing COVID-19 guidelines, also accompanied by a USB.


Example #2


The second variation of the mailings used a decorative box containing a fraudulent thank you letter imitating Amazon with a counterfeit gift card and a USB device.



If you receive a similar package, please ask the Help Desk to report it to Cybersecurity.

 

 

 
