{
	"id": "3eaf90f2-2b2a-4044-b049-f11bdf1caf46",
	"created_at": "2026-04-06T00:18:54.296762Z",
	"updated_at": "2026-04-10T03:35:52.900933Z",
	"deleted_at": null,
	"sha1_hash": "3816ba3c0dfaf69558454dad8b632d54e63fe578",
	"title": "FIN7 Uses Flash Drives to Spread Remote Access Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 84224,
	"plain_text": "FIN7 Uses Flash Drives to Spread Remote Access Trojan\r\nPublished: 2022-01-13 · Archived: 2026-04-05 19:19:06 UTC\r\n01/13/2022\r\nExecutive Summary\r\nRecorded Future analysts continue to monitor the activities of the FIN7 group as they adapt and expand their\r\ncybercrime operations. Gemini has conducted a more in-depth investigation into these types of attack after a\r\nGemini source provided analysts with the file “sketch_jul31a.ino”, which was linked to FIN7’s BadUSB attacks.\r\nThe file had the extension (.INO), indicating it contained the source code for an Arduino “sketch” (the Arduino\r\nterm for a program). BleepingComputer also recently released a public report on FIN7’s use of the “BadUSB”\r\nattack method, outlining the activity around this type of attack. \r\nThe Arduino platform provides a common set of software utilities and libraries for constructing programs to run\r\non platform-compatible microcontrollers. The platform uses a simplified version of the C++ programming\r\nlanguage and provides foundational libraries, an integrated development environment for constructing the sketch,\r\na compiler, and a means of uploading the compiled sketch to a device with a compatible microcontroller. In the\r\nArduino ecosystem, the microcontroller executes the compiled sketch, making it operating system (OS) agnostic.\r\nHackers have leveraged the Arduino platform to create trojanized USB devices that emulate keyboards and inject\r\nkeystrokes. In most cases, the sketches on these trojanized devices connect to a malicious actor’s file repository,\r\ndownload additional software, and install it on the victim system. 
In March 2020, security analysts from\r\nTrustwave SpiderLabs reported that FIN7 targeted a US company by sending one of its employees a USB device\r\ntrojanized with keystroke injection malware.\r\nKey Findings\r\nFIN7 used an Arduino sketch file called “sketch_jul31a.ino” to install malware on USB devices as part of\r\nBadUSB attacks.\r\nFIN7 uses the trojanized USB devices to ultimately load the IceBot Remote Access Trojan (RAT), resulting\r\nin FIN7 gaining unauthorized remote access to systems within victims’ networks.\r\nWe identified 9 IP addresses that host FIN7’s malicious payloads and 3 FIN7 command-and-control (C2)\r\nservers, one of which contains a control panel for managing infected systems. The control panel displayed\r\na list of systems infected with the IceBot RAT and pertinent information about each installation.\r\nAttack Analysis\r\nGemini specialists conducted the analysis of the file “sketch_jul31a.ino”. “.INO” is a file extension associated\r\nwith the Arduino microcontroller programming platform, while “sketch” is the platform’s term for a program.\r\nMalicious actors have taken advantage of the Arduino platform and its support for microcontrollers installed on\r\nhttps://geminiadvisory.io/fin7-flash-drives-spread-remote-access-trojan/\r\nPage 1 of 6\n\nUSB devices to install malware. When a USB is maliciously used as a virtual keyboard, the attack is called a\r\n“keystroke injection”, “BadUSB”, or “Rubber Ducky” attack.\r\nFigure 1: The attack flow of the Fin7 USB attack (Source: Recorded Future)\r\nThis attack’s use of keyboard injection capitalizes on Microsoft Windows’ default behavior of automatically\r\ntrusting USB keyboards. It uses Arduino-compatible microcontrollers that are hidden in what appear to be typical\r\nUSB devices but are actually programmed to function as virtual keyboards (usually based on ESP8266,\r\nAtmega32u4, or ATtiny85 microcontrollers). 
The sketch sends keystrokes to activate a shell and execute\r\nadditional commands on the victim system.\r\nFigure 2: Arduino sketch source code from the file “sketch_jul31a.ino” (Source: Recorded Future)\r\nThe “sketch_jul31a.ino” file (Figure 2) contains the source code for an Arduino sketch designed to run scripts on a\r\nWindows system. First, the sketch opens the “Run” dialog by sending the “Windows” + “R” keys. Next, it sends\r\nthe keystrokes for “cmd.exe” to the “Run” dialog to execute a command prompt. The sketch then sends keystrokes\r\nto execute “powershell.exe -w h -command Invoke-Expression”, which runs the PowerShell interpreter in a\r\nhidden window and executes a script that is passed in-line. This script downloads and installs malware from the IP\r\naddress 206.54.190[.]230. As shown in the table below, further analysis revealed 8 additional IP addresses used to\r\nhost FIN7’s malicious payload.\r\nIP Address First Seen Last Seen\r\n138.124.180[.]127 2021-07-29 12:26:10 2021-08-10 12:03:34\r\n185.232.170[.]24 2021-07-29 9:21:31 2021-10-21 13:03:42\r\n185.233.80[.]149 2021-07-29 9:50:26 2021-10-21 14:38:00\r\n185.53.46[.]100 2021-07-29 13:47:48 2021-11-20 10:08:13\r\n206.54.191[.]37 2021-07-29 12:37:53 2021-10-21 16:13:58\r\n37.1.213[.]194 2021-07-29 10:48:31 2021-08-10 9:26:01\r\n45.142.215[.]148 2021-10-21 15:17:31 2021-10-21 15:17:31\r\n5.252.177[.]215 2021-07-29 14:18:09 2021-10-21 11:20:57\r\nFigure 3: Contents of the downloaded file wis.txt (Source: Recorded Future)\r\nAfter downloading the file “wis.txt” from the malicious server, the PowerShell script decodes the file via the\r\ncommand “certutil -decode hex”, a command-line program and routine that is part of Microsoft Windows\r\nCertificate Services. The decoding results in another PowerShell script, saved to “C:\\windows\\temp\\wis.ps1”. 
\r\nFigure 4: Result of hex-decoding wis.txt into wis.ps1 (Source: Recorded Future)\r\nThis script contains a large block of compressed data, which the script decompresses using the PowerShell\r\nIO.Compression.DeflateStream routine. The result is a .NET assembly (executable module), which the script loads\r\ninto the current execution context through a call to Reflection.Assembly::Load.\r\nFigure 5: The function for decoding and decrypting the reflective loader shellcode, rewritten to Python. (Source:\r\nRecorded Future)\r\nOnce loaded, the .NET assembly decodes a block of data that has been XOR-obfuscated with the key\r\n“qawsed1q2w3e”. The result is a reflective loader shellcode that installs the IceBot Remote Access Trojan (RAT),\r\npreviously known as Lizar, Tirion, and Diceloader.\r\nRemote Access Trojan Analysis\r\nThe RAT executable dropped by “sketch_jul31a.ino” contains 2 command-and-control (C2) addresses:\r\n199.80.55[.]66 and 207.246.92[.]213. Analysis of the fingerprints for these 2 IP addresses reveals an additional C2\r\nserver hosted on IP 185.250.151[.]126, and we were able to view the C2 control panel.\r\nFigure 6: Hex View snapshot of IceBot showing C2 IP addresses (Source: Recorded Future)\r\nFigure 7: The main window of the control panel of IceBot version 2.1.1. The IP address of the C2 server is\r\n185.250.151[.]126:443. 
(Source: Recorded Future)\r\nThe control panel displays a list of systems infected with the RAT, along with pertinent information about each\r\ninstallation, such as IP address, OS, process identifier (PID), antivirus software, communication history, and next\r\nupdate interval.\r\nFigure 8: The list of commands for the control panel of the RAT (Source: Recorded Future)\r\nSelecting an infected system and bringing up a context menu allows the threat actor to interact with the RAT and\r\nexecute commands. As can be seen in Figure 8, several commands are available for managing and accessing\r\ninformation about the infected systems.\r\nThe IOCs for physical and in-memory files used in this attack are depicted in the table below.\r\nFile SHA-256\r\nsketch_jul31a.ino f778dccfe13b8597a0a9cbb61a204c03f8e166d7f7d5a21dfcf03d56bd2505c3\r\nwis.ps1 136095f5f529a891eabd8e04693c182f0701716fe051fa04825b5d2e0c85d1ae\r\n.NET assembly 6a3912016f3b41c8cb67a2bc3a6fb2597065d065a809f33288fe838693b7f9a0\r\nShellcode 0a23ad00d0c62dccae0a759ad4853cd514abd176cfa85ba2665e30f7bdc8bcc0\r\nRAT 09189108547ebf046c47f01f4645667e6816a126355ee963d5ad7b91167e4290\r\nOutlook and Conclusions\r\nThe use of trojanized USB devices for keystroke injection is not a new technique, even for FIN7. Typically, the\r\nattack targets specific persons with access to the computer systems of the intended victim company. As FIN7 has\r\nrecently ventured into ransomware, it makes sense for them to look for alternative avenues of infecting computers\r\nthat are monitored by layers of protective systems, such as firewalls, email scanners, proxy servers, and endpoint\r\nsecurity. 
The tactics and techniques involved in trojanized USB attacks enable FIN7 actors to avoid many of these\r\nnetwork-level and endpoint protections by dispensing with malware transmission over the network, minimizing\r\nthe use of files on disk and employing multiple layers of encoding of the malware’s scripts and executable code.\r\nPertinently, FIN7 recently created “Bastion Secure”, a fake information security company, and employed system\r\nadministrators to unknowingly assist in system exploitation. It is possible that trojanized USBs are being\r\nconstructed and used by these administrators for penetration testing. Alternatively, they might also be providing\r\ntrojanized USBs to clients or prospective clients through some form of ruse (for example, telling the client it\r\ncontains documentation on the fake company’s services). In either case, the clients or prospective clients could\r\nbecome victims of a trojanized USB attack, resulting in FIN7 gaining unauthorized remote access to systems\r\nwithin victims’ networks.\r\nGemini Advisory Mission Statement\r\nGemini Advisory, a Recorded Future company, provides actionable fraud intelligence to the largest financial\r\norganizations in an effort to mitigate ever-growing cyber risks. Our proprietary software utilizes asymmetrical\r\nsolutions in order to help identify and isolate assets targeted by fraudsters and online criminals in real-time.\r\nSource: https://geminiadvisory.io/fin7-flash-drives-spread-remote-access-trojan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://geminiadvisory.io/fin7-flash-drives-spread-remote-access-trojan/"
	],
	"report_names": [
		"fin7-flash-drives-spread-remote-access-trojan"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434734,
	"ts_updated_at": 1775792152,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3816ba3c0dfaf69558454dad8b632d54e63fe578.pdf",
		"text": "https://archive.orkl.eu/3816ba3c0dfaf69558454dad8b632d54e63fe578.txt",
		"img": "https://archive.orkl.eu/3816ba3c0dfaf69558454dad8b632d54e63fe578.jpg"
	}
}