Beware of Fake Gift Cards Coming With USB Drives

  • Actors are circulating pentest USB drives claiming that they contain a list of products eligible to get for free from “Best Buy”.
  • The USB drive can fetch various payloads, run commands through keyboard emulation, and send information back to the actors.
  • Users should never plug in unknown USB drives on their systems just out of curiosity to see what they contain.

There’s a new trend in social engineering attacks, where actors are sending out fake “Best Buy” $50 gift cards to companies and individuals. With everyone staying home right now, online shopping is thriving, so these attacks are finding a better condition for success. Inside the letter, the actors have included a USB drive that supposedly contains a list of items that are eligible for purchase by using the gift card. Anyone in their right mind would immediately realize that there is no valid reason in the world to include a USB stick on the letter only to detail the list of items that the customer can choose from.

Indeed, the USB isn’t there to help you with the shopping but to emulate a USB keyboard and run malicious commands on your system as soon as you plug it in. The actors can buy it online for approximately $7, so it is worth the investment if they manage to steal a lot more valuable information from the victim. Once plugged, the USB copies “wscript.exe” to %AppData%\Microsoft\Windows\wipre.exe, decodes the malicious JavaScript payload, saves it as “prada.txt”, executes it, and finally displays a fake warning message saying that Windows hasn’t recognized the USB device due to a malfunction.

script
Source: Trustwave Blog

The payload used in this case is gathering system information from the infected computer and sends it to the designated C&C server. Of course, the payload could be anything, and the C2 infrastructure can easily change too. The information that is collected and sent to the actors includes the following:

  • Username
  • Hostname
  • User’s System Privilege
  • All WMI query results (computer specs and usage logs)
  • Office and Adobe acrobat installation
  • List of running Processes (including PID)
  • Whether the infected host is running in a virtualized environment

code
Source: Trustwave Blog

Once this is done, the payload enters a 2-minute cycling infinite loop and remains able to receive new commands from the C2, fetch new payloads, send new data, execute more files, etc.

flow
Source: Trustwave Blog

That said, if you receive a USB drive in any form, avoid plugging it in. These devices may be ubiquitous, but that doesn’t make them safe. Even if you trust your AV tool, or if you’re using Linux, or if you’ve set up a sandbox environment to mount the drive, the pen drive could be a kill stick that will fry your computer’s electronics. Just don’t trust them and resist giving in to your intrinsic curiosity.

REVIEW OVERVIEW

Recent Articles

10 Best Ultrawide Gaming Monitors in 2020

Ultrawide monitors are a relatively new trend in the world of computers, mainly because the technology required to make them feasible was not mature...

More Than 15 Billion Stolen Credentials Are Circulating Out There

Stolen credentials are sold by the billions today, as we have about 185 data breaches per day. Almost one-third of the stolen...

Here’s What We Know About Kilos, the Biggest Dark Web Market

One of the most infamous sites on the Dark Web was a search engine known as "Grams." Launched in 2014, Grams allowed users to search...

Zoom Announced the Launch of Its “Hardware as a Service” Program

Zoom calls companies to consider renting teleconferencing equipment from them and launches a new program. The hardware manufacturers that will support the...

The U.S. Copyright Office Says Pirates Shouldn’t Lose Their Internet Connection

Breaking the law is condemnable, but barring someone out of the internet world is unconstitutional. The U.S. Copyright Office is calling the...