Malware, Endpoint/Device Security, Network Security

FIN7 cybercrime group sending USB devices to US companies

The FIN7 cyber gang is sending malicious USB devices to U.S. companies, the FBI warned in an alert. (“Man holding a USB drive in hand. Handing over top secret data” by Ivan Radic is licensed under CC BY 2.0)

The FBI has notified U.S. organizations that the FIN7 cybercrime group is sending out malicious USB devices with the intent to infect their systems with malware, according to multiple news outlets.

In a security alert, the law enforcement agency says businesses in the transportation, insurance and defense industries since August 2021 have reported receiving packages containing the devices through the U.S. Postal Service and UPS, according to The Record, a news site by cybersecurity firm Recorded Future. 

One variation of the campaign imitates the Department of Health and Human Services and is sent with letters referencing COVID-19 guidelines. Another variation poses as an Amazon gift box with a thank-you letter and a counterfeit gift card. 

Both packages contained LilyGO-branded USB devices that, if inserted into a computer, executed a BadUSB attack that gave FIN7 actors administrative access and lateral movement across systems using a variety of tools — such as Metasploit, Cobalt Strike and PowerShell scripts — to deploy ransomware, including BlackMatter and REvil.

The notorious FIN7 group was recently identified as creating a fraudulent pentesting company and “hiring” unsuspecting IT specialists to compromise their victims, SC Media reported in November.

The group reportedly operates out of Russian territory and was tied to a similar BadUSB attack in 2020 that targeted hospitality providers in the United States with a USB drive and letter posing as retailer Best Buy, along with a $50 gift card, according to cybersecurity firm Trustwave.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.