

Rewterz Threat Alert – APT41 Global Intrusion Using Multiple Exploits
March 26, 2020
COVID-19 Exploitation in Cyberspace
March 30, 2020
Severity
High
Analysis Summary
The FIN7 APT group has been observed using an old, rarely seen but effective technique: the "Rubber Ducky" or BadUSB attack, in which what looks like an ordinary USB stick is in fact a USB keyboard emulator preloaded with a keystroke sequence. Because these attacks require a physical device to reach each victim, they are normally reserved for narrowly targeted operations and are seldom encountered in the wild. Rare, but still out there.
The Attack
The attack arrives by post. The letter claims to be from Best Buy and offers a $50 gift card to loyal customers; enclosed with it is what appears to be a USB drive said to contain a list of items the gift card can be spent on.
The enclosed device is not storage. It is built around an Arduino-compatible ATMEGA32U4 microcontroller programmed to enumerate as a USB HID keyboard. Because a PC trusts keyboard-class devices by default and requires no driver approval or user prompt for them, the device starts typing as soon as it is plugged in, injecting its preloaded commands into whatever session is active on the host.
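A keystroke-injection device shows up on the host as just another keyboard, so the useful detection signals are the device arrival itself rather than the typed commands. The following is an added example, not code from the original alert or from FIN7's tooling: it walks a stream of constructed USB device-arrival records and flags a keyboard that carries a microcontroller maker's vendor ID (0x2341 is Arduino SA, 0x03EB is Atmel, the ATMEGA32U4's manufacturer) or that appears as a second keyboard on a host that already has one. The event format, the host names and the vendor-ID list are assumptions for illustration, not a complete allow or deny list.

```python
"""Flag suspicious USB keyboard arrivals (added example, not from the original page).

A Rubber Ducky style device enumerates as an HID keyboard, so two cheap signals are:
  1. a keyboard whose USB vendor ID belongs to a microcontroller maker, and
  2. a keyboard appearing on a host that already has a keyboard attached.
The event records below are constructed for this example; real data would come from
endpoint device-install logs (e.g. Windows Kernel-PnP events or udev on Linux)."""

from dataclasses import dataclass

# Assumption: vendor IDs of hobby microcontroller boards that can act as keyboards.
# 0x2341 = Arduino SA, 0x03EB = Atmel (maker of the ATMEGA32U4 used in this attack).
MICROCONTROLLER_VIDS = {0x2341: "Arduino", 0x03EB: "Atmel"}


@dataclass
class UsbEvent:
    ts: str            # ISO-8601 timestamp of the device arrival
    host: str          # endpoint the device was plugged into
    vid: int           # USB vendor ID
    pid: int           # USB product ID
    device_class: str  # driver class, e.g. "HIDClass", "USB", "DiskDrive"
    description: str   # device description string from the enumeration


def is_keyboard(e: UsbEvent) -> bool:
    """A keystroke injector is an HID device that calls itself a keyboard."""
    return e.device_class == "HIDClass" and "keyboard" in e.description.lower()


def analyze(events):
    """Return (ts, host, reason) alerts. Events must be ordered by time per host,
    as they would be when read from a log."""
    alerts = []
    keyboards_present = {}  # host -> set of (vid, pid) keyboards already seen
    for e in events:
        if not is_keyboard(e):
            continue  # a genuine flash drive enumerates as mass storage, not HID
        present = keyboards_present.setdefault(e.host, set())
        key = (e.vid, e.pid)
        reasons = []
        if e.vid in MICROCONTROLLER_VIDS:
            reasons.append(f"keyboard with {MICROCONTROLLER_VIDS[e.vid]} vendor ID "
                           f"{e.vid:04x}:{e.pid:04x}")
        if present and key not in present:
            reasons.append(f"second keyboard {e.vid:04x}:{e.pid:04x} while "
                           f"{len(present)} already attached")
        if reasons:
            alerts.append((e.ts, e.host, "; ".join(reasons)))
        present.add(key)
    return alerts


def sample_events():
    """Constructed device-arrival records for two hypothetical workstations."""
    return [
        # ws01: a normal Logitech keyboard at boot, then an Arduino board claiming to be a keyboard
        UsbEvent("2020-03-26T08:00:01Z", "ws01", 0x046D, 0xC31C, "HIDClass", "USB Keyboard"),
        UsbEvent("2020-03-26T10:12:03Z", "ws01", 0x2341, 0x8036, "HIDClass", "HID Keyboard Device"),
        # ws02: a real flash drive (mass storage) and its one legitimate keyboard
        UsbEvent("2020-03-26T09:30:00Z", "ws02", 0x0781, 0x5567, "USB", "USB Mass Storage Device"),
        UsbEvent("2020-03-26T09:31:00Z", "ws02", 0x413C, 0x2113, "HIDClass", "Dell USB Keyboard"),
    ]


if __name__ == "__main__":
    for ts, host, reason in analyze(sample_events()):
        print(f"{ts} {host}: {reason}")
```

The mass-storage record on ws02 is there deliberately: it is what the "gift card" stick would have looked like if it were a real drive, and it produces no alert. The second-keyboard heuristic will also fire when a user legitimately docks a laptop, so in practice it is a triage signal to pair with the vendor-ID check and with device-installation restrictions rather than a blocking rule on its own.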
Impact
- Arbitrary command execution on the host, with the privileges of the logged-in user
- Information theft and exposure of sensitive data
Indicators of Compromise
Domain Name
- milkmovemoney[.]com
MD5
- 84d77a3b76ac690ce7a60199c88ceeb5
- bece1545132af25c68777fade707046c
URL
- http[:]//milkmovemoney[.]com/st/mi[.]ini
Remediation
- Block all threat indicators at your respective controls.
- Never plug an unsolicited or unknown USB device into a corporate system, even when it arrives with convincing branding or a gift offer; hand such devices to the security team.
- Restrict installation of new USB devices, including HID keyboards, through endpoint device-control policy, and alert on a new keyboard-class device appearing on a host that already has one.
- Always be suspicious of emails and postal mail from unknown senders.
- Never click on links or open attachments sent by unknown senders.
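Blocking the indicators above means getting them from the defanged form in this alert into whatever your proxy and endpoint tooling can match. The following is an added example, not tooling from the original alert: it refangs the domain, URL and MD5 indicators listed on this page, then scans constructed proxy log lines and a constructed file-hash list for hits. The proxy log format (timestamp, host, method, URL, status) and the host names are assumptions for illustration.

```python
"""Match the defanged IOCs from this alert against proxy logs and file hashes
(added example, not from the original page). Log lines and hashes are constructed."""

from urllib.parse import urlparse

# Indicators exactly as published in the alert, in their defanged form.
IOC_DOMAINS = ["milkmovemoney[.]com"]
IOC_URLS = ["http[:]//milkmovemoney[.]com/st/mi[.]ini"]
IOC_MD5 = ["84d77a3b76ac690ce7a60199c88ceeb5", "bece1545132af25c68777fade707046c"]


def refang(ioc: str) -> str:
    """Undo the common defanging conventions so the value can be matched."""
    return (ioc.replace("[.]", ".").replace("[:]", ":")
               .replace("hxxp://", "http://").replace("hxxps://", "https://").lower())


def domain_matches(host: str, domain: str) -> bool:
    """Match the domain itself and any subdomain, but not look-alikes such as notmilkmovemoney.com."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def match_proxy_lines(lines):
    """Return (line, matched_ioc) pairs for constructed proxy lines of the form
    '<ts> <host> <method> <url> <status>' (format is an assumption)."""
    domains = [refang(d) for d in IOC_DOMAINS]
    urls = [refang(u) for u in IOC_URLS]
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line, skip rather than crash
        url = fields[3].lower()
        host = urlparse(url).hostname or ""
        if url in urls:
            hits.append((line, url))
        elif any(domain_matches(host, d) for d in domains):
            hits.append((line, host))
    return hits


def match_hashes(md5s):
    """Return the subset of supplied MD5s that are listed IOCs, case-insensitively."""
    wanted = {h.lower() for h in IOC_MD5}
    return [h for h in md5s if h.lower() in wanted]


# Constructed sample data.
SAMPLE_PROXY_LOG = [
    "2020-03-26T10:12:05Z ws01 GET http://milkmovemoney.com/st/mi.ini 200",
    "2020-03-26T10:12:09Z ws01 GET https://www.example.com/ 200",
    "2020-03-26T10:13:00Z ws02 GET https://cdn.milkmovemoney.com/x 404",
    "2020-03-26T10:14:00Z ws02 GET https://notmilkmovemoney.com/ 200",
]
SAMPLE_HASHES = ["BECE1545132AF25C68777FADE707046C", "d41d8cd98f00b204e9800998ecf8427e"]

if __name__ == "__main__":
    for line, ioc in match_proxy_lines(SAMPLE_PROXY_LOG):
        print("proxy hit:", ioc, "<-", line)
    for h in match_hashes(SAMPLE_HASHES):
        print("hash hit:", h)
```

The subdomain and look-alike lines are there to show why a bare substring match on the domain is the wrong tool: `cdn.milkmovemoney.com` should match, `notmilkmovemoney.com` should not.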