Getting a flash drive in the mail might sound as if it came straight out of a spy novel, but unless you know exactly who sent it, it is almost certainly carrying malware and should be disposed of immediately.
In this particular case, the Federal Bureau of Investigation says the FIN7 group “impersonated Amazon and the US Department of Health & Human Services,” and sent numerous parcels using the United States Postal Service (USPS) and United Parcel Service (UPS). These parcels sometimes contained Covid-19 letter guidelines, and other times counterfeit gift cards, or thank you notes. Paired with these are flash drives with the LilyGO logo on them, which are relatively common online.
The devices carried malware which, as soon as the drive is plugged in, registers as a Human Interface Device (HID) keyboard, allowing it to remain operational even after the drive has been removed from the computer.
It then starts installing additional malware, with the end goal, according to the FBI, of installing one of the more popular ransomware strains.
This is not the first time FIN7 has mailed malware to people. BleepingComputer reminds us that two years ago, the same group impersonated Best Buy and mailed similar packages to hotels, restaurants, and retail businesses via USPS. Back then, they even called their targets on the phone to persuade them into connecting the devices, and in May 2020, they mailed teddy bears to “soften up” their victims.
The HID attacks only work when the target willingly connects the flash drive to the target device. They can be avoided by having employees connect only USB devices that are allowed based on their hardware ID, or that have otherwise been approved for use by the IT security team.
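As an added example (not from the article or the FBI notice), the hardware-ID check the last paragraph describes, written in Python over constructed Linux kernel log lines: any USB HID keyboard whose hardware ID is not on the IT allow-list raises an alert, and it goes one step further by also flagging a device that presents both a mass-storage interface and a keyboard, which is the "flash drive that types" pattern described above. All vendor/product IDs and device names below are placeholders.

```python
import re

# Hardware IDs (idVendor, idProduct) that the IT security team has approved
# as keyboards. The value below is a constructed placeholder, not a real ID.
APPROVED_KEYBOARDS = {("0001", "0002")}

NEW_DEV = re.compile(r"usb (?P<port>[\d.-]+): New USB device found, "
                     r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})")
HID_KBD = re.compile(r"hid-generic 0003:(?P<vid>[0-9a-fA-F]{4}):(?P<pid>[0-9a-fA-F]{4})\.\d+: "
                     r".*\bKeyboard \[(?P<name>[^\]]*)\]")
STORAGE = re.compile(r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")

def audit_usb_log(lines, approved=APPROVED_KEYBOARDS):
    """Return one alert per HID keyboard that appeared under a hardware ID
    not on the allow-list, plus one per keyboard that shares its hardware
    ID with a mass-storage interface (a 'flash drive' that also types)."""
    port_ids = {}        # USB port -> (vid, pid), from enumeration lines
    storage_ids = set()  # hardware IDs that exposed a mass-storage interface
    keyboards = []       # (hwid, name) for every keyboard HID registered
    for line in lines:
        if m := NEW_DEV.search(line):
            port_ids[m["port"]] = (m["vid"].lower(), m["pid"].lower())
        elif m := STORAGE.search(line):
            if m["port"] in port_ids:
                storage_ids.add(port_ids[m["port"]])
        elif m := HID_KBD.search(line):
            keyboards.append(((m["vid"].lower(), m["pid"].lower()), m["name"]))
    alerts = []
    for hwid, name in keyboards:
        if hwid not in approved:
            alerts.append(f"keyboard '{name}' ({hwid[0]}:{hwid[1]}) is not an approved hardware ID")
        if hwid in storage_ids:
            alerts.append(f"keyboard '{name}' ({hwid[0]}:{hwid[1]}) also presents mass storage")
    return alerts

# Constructed sample log: an approved keyboard, then a mailed "flash drive"
# that enumerates as storage and as a keyboard. IDs are placeholders.
SAMPLE_LOG = [
    "usb 1-1: New USB device found, idVendor=0001, idProduct=0002, bcdDevice= 1.00",
    "hid-generic 0003:0001:0002.0001: input,hidraw0: USB HID v1.10 Keyboard [Corp Keyboard] on usb-0000:00:14.0-1/input0",
    "usb 1-2: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00",
    "usb-storage 1-2:1.0: USB Mass Storage device detected",
    "hid-generic 0003:ABCD:1234.0002: input,hidraw1: USB HID v1.11 Keyboard [Gift Card Drive] on usb-0000:00:14.0-2/input0",
]

if __name__ == "__main__":
    for alert in audit_usb_log(SAMPLE_LOG):
        print("ALERT:", alert)
```

On a real host the same function can be fed the output of `journalctl -k` or `dmesg`; the allow-list is the only part that needs tailoring.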