The FBI has notified U.S. organizations that the FIN7 cybercrime group is sending out malicious USB devices with the intent to infect their systems with malware, according to multiple news outlets.
In a security alert, the law enforcement agency says businesses in the transportation, insurance and defense industries since August 2021 have reported receiving packages containing the devices through the U.S. Postal Service and UPS, according to The Record, a news site by cybersecurity firm Recorded Future.
One variation of the campaign imitates the Department of Health and Human Services and is sent with letters referencing COVID-19 guidelines. Another variation poses as an Amazon gift box with a thank-you letter and a counterfeit gift card.
Both packages contained LilyGO-branded USB devices that, if inserted into a computer, executed a BadUSB attack that gave FIN7 actors administrative access and lateral movement across systems using a variety of tools — such as Metasploit, Cobalt Strike and PowerShell scripts — to deploy ransomware, including BlackMatter and REvil.
The notorious FIN7 group was recently identified as creating a fraudulent pentesting company and “hiring” unsuspecting IT specialists to compromise their victims, SC Media reported in November.
The group reportedly operates out of Russian territory and was tied to a similar BadUSB attack in 2020 that targeted hospitality providers in the United States with a USB drive and letter posing as retailer Best Buy, along with a $50 gift card, according to cybersecurity firm Trustwave.