{
	"id": "27a05316-778b-4b46-b3e2-48d1fd804973",
	"created_at": "2026-04-06T00:18:07.092279Z",
	"updated_at": "2026-04-10T03:35:53.200929Z",
	"deleted_at": null,
	"sha1_hash": "1de735cd400ee59213367edbbf9902a30412e58b",
	"title": "Would You Exchange Your Security for a Gift Card?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64311,
	"plain_text": "Would You Exchange Your Security for a Gift Card?\r\nBy Alejandro Baca, Rodel Mendrez\r\nPublished: 2020-03-26 · Archived: 2026-04-05 19:01:29 UTC\r\nMarch 26, 2020 4 Minute Read\r\nUPDATED March 27, 2020\r\nOverview\r\nWe often talk about attackers targeting companies with social engineering attacks. These usually take the form of phishing attacks that attempt to trick the recipient into opening a malicious attachment or clicking on a malicious link. Less discussed are targeted attacks using physical media. Penetration testers who perform physical \"pentests\" are well versed in dropping \"malicious\" USB sticks in a target's parking lot or waiting room. More complex are so-called \"Rubber Ducky\" (https://github.com/hak5darren/USB-Rubber-Ducky/wiki) attacks, where what looks like a USB stick is actually, in effect, a malicious USB keyboard preloaded with keystrokes. Those types of attacks are typically so explicitly targeted that it's rare to find them coming from actual attackers in the wild. Rare, but still out there.\r\nThe Attack\r\nThis letter was supposedly from Best Buy giving out a $50 gift card to its loyal customers. Included in this letter is seemingly a USB drive that claims to contain a list of items to spend it on. Very nice gesture!\r\nGift Card Letter\r\nFigure 1. Suspicious Best Buy gift card containing a malicious USB device\r\nOne of our digital forensics and incident response retainer clients brought this device to our attention. One of their business associates received this suspicious letter. Fortunately, our client and their associate did not plug the drive into any computer. Thank you, security training!\r\nAnalysis\r\nTo start the analysis, we inspected the drive for inscriptions such as serial numbers. At the head of the drive on the printed circuit board we saw “HW-374”. A quick Google search for this string found a “BadUSB Leonardo USB ATMEGA32U4” for sale on shopee.tw.\r\nBadUSB\r\nFigure 2: The website images matched the drive that the client received!\r\nhttps://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/\r\nPage 1 of 5\r\nThis USB device uses an Arduino microcontroller ATMEGA32U4 and was programmed to emulate a USB keyboard. Since PCs trust USB keyboard devices by default, once it is plugged in, the keyboard emulator can automatically inject malicious commands.\r\nTo quickly get the payload off the USB drive we connected it to an air-gapped laptop running Ubuntu while Wireshark captured traffic on the third USB bus and the active window was set to Vim. We figured Vim could act as a rudimentary jail to capture the injected keystrokes, and that the intended target is the Windows OS. Sure enough, we were presented with the following payload.\r\nPowershell Payload\r\nPayload\r\nFigure 3. Payload was intercepted through Vim and reveals an obfuscated PowerShell script\r\nThe PowerShell command is obfuscated with a simple monoalphabetic substitution cipher in which each ciphertext character is shifted one step to the left in the ASCII table. For example, the character ‘j’ is decoded by shifting it one step backward, giving ‘i’; ‘f’ is substituted by ‘e’, ‘y’ by ‘x’, and so on.\r\nDecoding the payload\r\nFigure 4. PowerShell command deobfuscated using CyberChef\r\nThe de-obfuscated string reveals a command that downloads the second stage PowerShell code from hxxps://milkmovemoney[.]com/st/mi.ini.\r\nDeobfus\r\nFigure 5. Downloaded 2nd Stage PowerShell Code\r\nDownloaded script\r\nFigure 6\r\nTo summarize, this is the second stage PowerShell execution flow:\r\n1. Copy wscript.exe to %AppData%\\Microsoft\\Windows\\wipre.exe\r\n2. Decode a JScript command and save it as prada.txt\r\n3. Execute prada.txt with the command “cmd.exe /c wipre.exe /e:jscript prada.txt”\r\n4. Show a fake message box warning\r\nFake Message Box\r\nFigure 7. A convincing fake message box pops up\r\nJavascript Payload\r\nThe JScript code saved to prada.txt is the third stage payload. It is executed using the Windows built-in script host engine, wscript.exe.\r\nPrada.txt\r\nFigure 8. De-obfuscated JScript saved as Prada.txt\r\nThe JScript is mildly obfuscated using a simple variable substitution. The main function of this script is to register the infected host with the command and control (C\u0026C) server using a unique ID; in return, it receives additional JScript code that is executed using the eval() function.\r\nBelow is the step by step execution flow of the JScript code:\r\n1. Generate a unique ID from the current UTC time in milliseconds\r\n2. Check whether the script is in the folder %AppData%\\Microsoft\\Windows and delete itself if it is not\r\n3. Delay execution for 2 minutes\r\n4. Generate data containing the following information:\r\n1. group : f1 (hardcoded)\r\n2. rt : 2 (hardcoded)\r\n3. secret : secret hash (hardcoded)\r\n4. time : 120000\r\n5. uniq_id : current UTC milliseconds\r\n6. id : MAC address and hostname (using WMI query)\r\n5. URL encode the data and XOR encode it using a randomly generated key.\r\n6. Append the generated XOR key to the encoded data, delimited with “\u0026_\u0026”\r\n7. Form an HTTP POST body containing the parameter:\r\n1. kbaxmaconhuc=\r\n8. Form a URL path:\r\n1. https:/// / /?type=name\r\n9. Send the data to the command and control URL as a raw HTTP POST body using the following HTTP request headers:\r\n1. User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:69.0) Gecko/20100101 Firefox/50.0'\r\n2. Content-Type: %application/x-www-form-urlencoded'\r\n10. Command and control responds with encoded JScript code\r\n11. Decode and execute the JScript code using eval()\r\nIf the C\u0026C server is alive, it responds with encoded data as shown in Figure 9. The encoded data includes the XOR key needed to decode it. The data and the key are delimited with “\u0026_\u0026”, or URL encoded as “%26_%26”. The decoded data reveals additional JScript code that is executed on the infected host.\r\nEncoded Data\r\nFigure 9: The C\u0026C server responded with this encoded data\r\nThe JScript code could be anything, but when we decoded it, it revealed code that gathers system information from the infected host.\r\nFigure9\r\nFigure 10: The deobfuscated JScript code that was part of the code sent by the C\u0026C server\r\nThe following information is collected, encoded, then sent back to the C\u0026C server:\r\nUsername\r\nHostname\r\nUser’s system privilege\r\nUses WMI query to get the:\r\nProcess owner\r\nDomain name\r\nComputer model\r\nOperating system information\r\nOS name\r\nOS build\r\nOS version\r\nMemory capacity\r\nFree memory available\r\nOS registered user\r\nOS registered organization\r\nOS serial number\r\nLast boot up time\r\nInstall date\r\nOS architecture\r\nOS product type\r\nLanguage code\r\nTime zone\r\nNumber of users\r\nDesktop monitor type\r\nDesktop resolution\r\nUAC level privilege\r\nOffice and Adobe Acrobat installation\r\nList of running processes (including PID)\r\nWhether the infected host is running in a virtualized environment\r\nAfter the gathered information is sent to the C\u0026C server, the main JScript code enters an infinite loop, sleeping for 2 minutes in each iteration and then getting a new command from the command and control server. Here is the full attack flow:\r\nAttack_flow\r\nFigure 11: Attack Flow\r\nConclusion\r\nIn summary, once a USB controller chip is reprogrammed for an unintended use (in this case as an emulated USB keyboard), these devices can be used to launch an attack and infect unsuspecting users’ computers without them realizing it.\r\nThese types of USB devices are widely known and used by security professionals. The fact that they are also cheap and readily available to anyone meant that it was just a matter of time before this technique was used by criminals \"in the wild.\" Since USB devices are ubiquitous, used, and seen everywhere, some consider them innocuous and safe. Others can be very curious about the contents of an unknown USB device. If this story teaches us anything, it's that one should never trust such a device.\r\nIOCs\r\nbece1545132af25c68777fade707046c (2nd stage PowerShell)\r\n84d77a3b76ac690ce7a60199c88ceeb5 (prada.txt)\r\nUPDATE 27.March.2020:\r\nSince our initial publication, we've received confirmation from multiple sources that this campaign matches IOCs from similar campaigns from FIN7 (https://attack.mitre.org/groups/G0046/). FIN7 is a cybercriminal collective that has been targeting the hospitality and retail sectors since at least 2015.\r\nFIN7_twitter\r\nIn addition, anyone who receives a suspicious USB drive under similar circumstances should contact their local FBI office at https://www.fbi.gov/contact-us/field-offices.\r\nSource: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/"
	],
	"report_names": [
		"would-you-exchange-your-security-for-a-gift-card"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434687,
	"ts_updated_at": 1775792153,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1de735cd400ee59213367edbbf9902a30412e58b.pdf",
		"text": "https://archive.orkl.eu/1de735cd400ee59213367edbbf9902a30412e58b.txt",
		"img": "https://archive.orkl.eu/1de735cd400ee59213367edbbf9902a30412e58b.jpg"
	}
}