The use of trojanized USB devices for keystroke injection is not a new technique, even for FIN7. Typically the attack targets specific persons with access to the computer systems of the intended victim company. As FIN7 has recently ventured into ransomware, it makes sense for them to look for alternative avenues of infecting computers that are monitored by layers of protective systems, such as firewalls, email scanners, proxy servers, and endpoint security. The tactics and techniques involved in trojanized USB attacks enable FIN7 actors to avoid many of these network-level and endpoint protections by dispensing with malware transmission over the network, minimizing the use of files on disk and employing multiple layers of encoding of the malware’s scripts and executable code.
Pertinently, FIN7 recently created “Bastion Secure”, a fake information security company, and employed system administrators to unknowingly assist in system exploitation. It is possible that trojanized USBs are being constructed and used by these administrators for penetration testing. Alternatively, they might also be providing trojanized USBs to clients or prospective clients through some form of ruse (for example, telling the client it contains documentation on the fake company’s services). In either case, the clients or prospective clients could become victims of a trojanized USB attack, resulting in FIN7 gaining unauthorized remote access to systems within victims’ networks.
Gemini Advisory Mission Statement