In March this year, the Seattle office of the FBI warmed that a cyberattack group known as FIN7 had targeted several companies using social engineering attacks. Until then, the group had been thought to be inactive.

Until then, this group had been financially motivated, and tended to carry out highly complex attacks. In fact, some sources have named the group Carbanak because of the malware it uses, which has the same name; we already addressed these advanced Living-off-the-Land attacks in a previous article. However, several cybersecurity analysts believe they could be two separate groups.

Physical and digital social engineering_

In this cyberattack, the group targeted top management, human resources, and the IT department in several major companies. However, this time they did not use a traditional phishing campaign, with email as an attack vector; instead, they used an ingenious social engineering technique, combining physical and digital bait. To do this, they followed these steps:


  • Physical Vector: A common vector for cyberattacks on conventional users is to employ fake promotions and gifts by displaying banners or pop-ups that can run malicious scripts. FIN7 followed a similar tactic, only they took the concept to the physical realm: a letter and a gift card claiming to be from the company Best Buy were sent to certain employees in large companies.
  • Lure: The supposed gift card didn’t come alone. It stated that the receiver had to use the USB stick that contained a list of prized to choose from. This way, through social engineering, victims were tricked into voluntarily plugging these devices into their computers.
  • Activation: The USB devices actually contained an Arduino microcontroller, which was programmed to emulate USB keyboards. The reason for this is that many conventional software solutions default to these keyboards without doing an additional scan. Once the connection is allowed, the pen drive injects a PowerShell command so that a remote server can send the malware, which can then be installed on the system.
  • Malware execution: Analysts have identified the malware as GRIFFON, a Javascript backdoor that has been used by the group in different ways. GRIFFON is designed to receive four modules separately, run in the system memory, and return the results to a server controlled by the cyberattacker:
    1. The first module performs reconnaissance on the compromised system.
    2. The second module executes the script in memory.
    3. The third module takes screenshots.
    4. The fourth module is designed so that the malware stays on the system permanently if the cyberattackers want it to.

Zero trust for external devices_

CISOs and heads of cybersecurity in large organizations often say that the first firewall or barrier against cyberattacks are the employees of an organization. In a case such as this, where the cyberattack uses physical means to carry out social engineering, it is clear: the pen drive contains complex technological elements and a piece of advanced malware called GRIFFON. However, if employees have doubts about where it has come from and don’t plug it in, it cannot run. This is why all staff at an organization should be aware of the fact that they shouldn’t, as a general rule, trust external physical devices, unless they are absolutely sure that they are legitimate.

However, this may not be enough; organizations need to have the support of advanced solutions that follow the same premise. In this sense, Cytomic clients have a zero-trust approach for all the applications they try to run on their endpoints; they are blocked until the can be validated by the Zero-Trust Application Service.

Cytomic EPDR includes this service, but it also integrates a full stack of preventive endpoint technologies into a single solution, with EDR capabilities that prevent, detect, and respond to any kind of known or unknown malware, as well as fileless and malwareless attacks. This way, even if cyberattackers use technologies that make their attack vectors seem legitimate (as FIN7 did by using USB keyboard emulators), every endpoint will be monitored and analyzed, since its default position is to assume that anything could be a threat.