FIN7 Uses Flash Drives to Spread Remote Access Trojan

Editor’s Note: The following post is an excerpt of a full report by Gemini Advisory. To read the entire analysis, click here to view the full report.

Executive Summary

Recorded Future analysts continue to monitor the activities of the FIN7 group as they adapt and expand their cybercrime operations. Gemini has conducted a more in-depth investigation into these types of attack after a Gemini source provided analysts with a file sketch_jul31a.ino, which was linked to FIN7's BadUSB attacks. The file had the extension (.INO), indicating it contained the source code for an Arduino “sketch” (the Arduino term for a program). BleepingComputer also recently released a public report on FIN7’s use of the "BadUSB" attack method, outlining the activity around this type of attack. 

The Arduino platform provides a common set of software utilities and libraries for constructing programs to run on platform-compatible microcontrollers. The platform uses a simplified version of the C++ programming language and provides foundational libraries, an integrated development environment for constructing the sketch, a compiler, and a means of uploading the compiled sketch to a device with a compatible microcontroller. In the Arduino ecosystem, the microcontroller executes the compiled sketch, making it operating system (OS) agnostic.

Hackers have leveraged the Arduino platform to create trojanized USB devices that emulate keyboards and inject keystrokes. In most cases, the sketches on these trojanized devices connect to a malicious actor’s file repository, download additional software, and install it on the victim system. In March 2020, security analysts from Trustwave SpiderLabs reported that FIN7 targeted a US company by sending one of its employees a USB device trojanized with keystroke injection malware.

Key Findings

• FIN7 used an Arduino sketch file called "sketch_jul31a.ino" to install malware on USB devices as part of BadUSB attacks.
• FIN7 uses the trojanized USB devices to ultimately load the IceBot Remote Access Trojan (RAT), resulting in FIN7 gaining unauthorized remote access to systems within victims’ networks.
• We identified 9 IP addresses that host FIN7’s malicious payloads and 3 FIN7 command-and-control (C2) servers, one of which contains a control panel for managing infected systems. The control panel displayed a list of systems infected with the IceBot RAT and pertinent information about each installation.

Editor’s Note: This post was an excerpt of a full report by Gemini Advisory. To read the entire analysis, click here to view the full report.