2022-01-05

FIN7 and Bad USBs

Industry: Defense | Level: Tactical | Source: BleepingComputer

A flash alert from the Federal Bureau of Investigation (FBI) warns of targeted activity against US defense industries by FIN7, which is delivering malicious USB devices bearing the "LilyGO" logo. The campaign appears to have been active since August 2021 and uses various impersonation attempts to lure victims. The lures impersonate Amazon and the US Department of Health & Human Services (HHS), and include COVID-19 guideline details and thank-you letters. The malicious USB devices contain a keylogger and set up a malware payload that is downloaded to set up ransomware. Downloaded malware includes Metasploit, Cobalt Strike, Carbanak malware, the Griffon backdoor, and PowerShell scripts.

Anvilogic Use Cases:

  • PowerShell Script Keylogger
  • Executable File Written to Disk
  • Executable Process from Suspicious Folder
  • Wscript/Cscript Execution
