Hey Forum, I was handed a USB stick by a stranger, directly to me with the claim that there was evidence on here that must be exposed.
This was not so out of context given the event that I was at, as it was politically charged and probably crawling with hacktivists and APTs.
Needless to say this USB stick isn’t going anywhere near any of my kit.
I am intrigued to see what’s on it, however. Mostly it’s the reverse shell that I am interested in, and confirming that there is in fact a reverse shell. I don’t want to expose myself to the person who gave it to me though.
I will run a packet capture to confirm if it does any callback attempts, so that’s that covered.
Any suggestions on how to best inspect it while maintaining anonymity?
A VM on my local machine probably isn’t wise as it will still have to plug into the host. I don’t really want the grief of having to rebuild one of my hardware devices after plugging it in either.
If you have a spare/burner device that would be a good place to start (“Sheep dip” is often used to describe these).
Also, you could try to game the attackers - they probably want to exploit a specific OS, so if you have something like an OpenBSD or Plan9 device it would be unlikely for an attack to work. That’s really all I can think of to give you some confidence you don’t need a full rebuild.
However, at a basic level, any device you connect it to is likely to become something you can’t trust. Short of stripping the device and analysing the drives in a lab, there aren’t many other options.
As for the device itself - main things I’d go with are:
- Low priv account
- No networking
- extensive logging in place
- fakeDNS running
- snapshot before connection
- sysmon (etc) running to capture as much data as possible
- USBCap running to capture all data from as soon as the connection commences
Find an old early-generation Raspberry Pi that is otherwise gathering dust and use that as a sacrificial device.
Just make sure whatever you plan on doing - you do it on an air gapped machine. The last thing you need is this thing infecting you and exfiling data from your device and/or talking with a C2.
Found myself in a spear phishing attempt lately and sick to the bone: they used a fam dying of c19, completely realistic scenario, like I even talked to a “doctor” and they sent me video. Not sure what sick people do such a thing, you think like maybe North Korea, or who’s doing that? Perfect native speakers!! Makes me sick to the stomach, so heartless, I was crying for hours, this is insane. And yeah he’s really dying, they must have found it on FB or IDK, these people deserve whatever prison.
So yeah, no big deal technically. I mean USB, email, all the same bs: just run it in a VM and gateway to your own host, or record it all or whatever, pause the VM if it’s too tight. Sandbox escape, yeah maybe, but gotta be fast; they weren’t.
As Taz already mentioned: Having a spare hardware device is your best choice.
To gather initial information about the USB stick, I can suggest using usblock (GitHub: cddmp/usblock), a Python tool which uses the Linux kernel's USB authorization support to lock down USB devices (interfaces), aimed at protecting against (some) USB-related attack vectors like malicious HID attacks.
When usblock is running, and you insert any USB device, it will prevent the kernel from fully initializing the device, but will only list the device characteristics the device pretends to support. That way, even a rubber ducky or malduino can’t do any harm, as they would show up as “HID devices” in that listing. But since it isn’t allowed to initialize, it can’t start typing fancy keyboard commands.
Once you have confirmed that there is no rogue HID device, you can start investigating the device’s content further, while still not connected to any real network. You can use INetSim and/or FakeDNS to simulate a working network, and then investigate the tool logs to see where it tried to connect (or use Wireshark).
Should it indeed be (or contain) a HID device, you can use USBCap to record the keystrokes it tries to perform.
Finally, while still not connected to any network, you can start investigating the content on the drive. All that should be done on a freshly installed (and fully patched) system without any personal data (not even your WiFi password; use a corded connection to install updates, then remove the cable) that might somehow tie to you.
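As an added example (my own script, not usblock's code and not from anyone in this thread), here is the same kernel USB authorization mechanism the post describes, in Python: it sets authorized_default to 0 on each root hub so newly plugged devices stay unauthorized, then parses the descriptors the kernel has already cached for an unauthorized device to list the interface classes it claims and flag any HID interface. The sysfs attribute names are the kernel's own; the sample descriptor blob at the end is constructed so the parser can be exercised offline.

```python
from pathlib import Path

SYSFS_USB = Path("/sys/bus/usb/devices")  # real kernel sysfs tree
DESC_INTERFACE = 0x04  # bDescriptorType of an interface descriptor
HID_CLASS = 0x03       # bInterfaceClass of HID (keyboards, mice, ducky-style devices)

def parse_interfaces(blob: bytes) -> list:
    """Walk a raw descriptor blob (device descriptor followed by configuration
    descriptors, the layout of sysfs 'descriptors') and return each interface
    descriptor as a dict. Other descriptor types are skipped by their bLength."""
    found, offset = [], 0
    while offset + 2 <= len(blob):
        length, dtype = blob[offset], blob[offset + 1]
        if length < 2 or offset + length > len(blob):
            break  # malformed or truncated: stop rather than guess
        if dtype == DESC_INTERFACE and length >= 9:
            num, alt, _eps, cls, sub, proto = blob[offset + 2:offset + 8]
            found.append({"interface": num, "alt": alt, "class": cls,
                          "subclass": sub, "protocol": proto})
        offset += length
    return found

def claims_hid(interfaces: list) -> bool:
    """True if any interface advertises the HID class."""
    return any(i["class"] == HID_CLASS for i in interfaces)

def deny_new_devices_by_default() -> None:
    """Tell every root hub not to authorize newly plugged devices (needs root)."""
    for hub in SYSFS_USB.glob("usb*"):
        (hub / "authorized_default").write_text("0\n")

def report_unauthorized() -> list:
    """For each device the kernel left unauthorized, return (sysfs name, idVendor,
    idProduct, interfaces, claims HID). Descriptors are already cached by the kernel;
    with authorized=0 no configuration is set and no driver binds."""
    rows = []
    for dev in sorted(SYSFS_USB.iterdir()):
        auth, desc = dev / "authorized", dev / "descriptors"
        if not (auth.is_file() and desc.is_file()) or auth.read_text().strip() != "0":
            continue
        ifaces = parse_interfaces(desc.read_bytes())
        ids = [(dev / n).read_text().strip() for n in ("idVendor", "idProduct")]
        rows.append((dev.name, *ids, ifaces, claims_hid(ifaces)))
    return rows

# Constructed sample (not captured from any real stick): a composite device claiming a
# HID keyboard interface (class 3) and a mass-storage interface (class 8).
SAMPLE_DESCRIPTORS = bytes.fromhex(
    "120100020000004034127856000101020301" "090239000201008032"  # device, config (wTotalLength 0x39)
    "090400000103010100" "092111010001223f00" "0705810308000a"  # iface 0: HID + HID desc + IN endpoint
    "090401000208065000" "07058202400000" "07050202400000")  # iface 1: mass storage + 2 bulk endpoints
```

Run deny_new_devices_by_default() as root before plugging the stick in, then report_unauthorized() to see what it claims to be; only write 1 to that device's authorized attribute once you are satisfied there is no HID interface.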
You can use INetSim and/or FakeDNS to simulate a working network, and then investigate the tool logs to see where it tried to connect (or use Wireshark).
Excellent point here - I always forget about INetSim. It is awesome.