Full Report
(If you’re new to this project, read the intro first) For the past few months, I’ve been working on porting the USaBUSe stack from the custom hardware (AVR+ESP8266) to the Linux USB gadget stack. I wanted to make the techniques more accessible to people unfamiliar with embedded development, and I also wanted to take advantage of the variety of possibilities inherent in having a fully featured Linux environment to work in. I presented this work at HackCon in Norway.
Analysis Summary
# Tool/Technique: USaBUSe Linux Stack Port (Ported from AVR+ESP8266 to Linux USB Gadget)
## Overview
The USaBUSe project details the porting of an attack stack, originally on custom embedded hardware (AVR+ESP8266), to leverage the Linux USB Gadget stack on Single Board Computers (SBCs) like the Raspberry Pi Zero. The goal is to make USB-based hardware attack techniques more accessible and leverage the full capabilities of a Linux environment, primarily using HID emulation over USB to deliver payloads and establish covert communication channels.
## Technical Details
- Type: Tool / Framework (Hardware Attack Tool leveraging Host OS features)
- Platform: Linux SBCs (e.g., Raspberry Pi Zero, BeagleBone Black) acting as the attacker device; target is any system recognizing the USB device class (likely Windows/macOS/Linux hosts).
- Capabilities: Emulates a USB Human Interface Device (HID), provides a VNC server for high-speed text input emulation (keystroke injection), multiplexes multiple communication channels over the HID interface, and relays shells/connections back to the attacker.
- First Seen: The initial stack was likely presented previously; this update/port was presented at HackCon in Norway (March 2017 context).
## MITRE ATT&CK Mapping
Since USaBUSe acts as a physical access tool masquerading as a standard peripheral:
- **TA0003 - Persistence** (Indirectly, by establishing a command channel)
  - **T1552.002 - Credentials from Password Stores** (If used to type commands to extract local credentials)
- **TA0005 - Defense Evasion**
  - **T1070.004 - File Deletion** (If scripts are run to clean up traces)
- **TA0007 - Credential Access**
  - **T1056.001 - Input Capture: Keylogging** (Via HID keystroke emulation)
- **TA0008 - Lateral Movement** (If payloads facilitate internal network access)
- **TA0010 - Command and Control**
  - **T1090 - Proxy** (By tunneling connections over the HID channel)
- **TA0011 - Collection**
  - **T1005 - Data from Local System** (Via command execution)
- **TA0016 - Lateral Movement**
  - **T1572 - Protocol Tunneling** (Tunneling shell/Meterpreter sessions over the HID pipe)
## Functionality
### Core Capabilities
- **USB Gadget Configuration:** Uses shell scripts (`configure_USB.sh`) to set up the Linux device as a specific USB class (HID).
- **High-Speed Keystroke Injection (VNC Server):** A VNC server runs on the SBC, forwarding received keystrokes/mouse movements as HID reports. It incorporates logic to emit received text directly as keystrokes, achieving typing rates up to 300 characters per second.
- **HID Proxy Server:** Monitors the raw HID device, handles the initial PowerShell stage delivery over Channel 0, and de-multiplexes other communication channels into individual socket connections for the attacker.
- **PowerShell Payload Delivery:** Updated PowerShell stages are used to understand the new multiplexing protocol. The second stage initiates a CMD prompt on Channel 1.
### Advanced Features
- **Multiplexed Communication:** The system utilizes a protocol layered over the HID reports to manage multiple distinct connections concurrently (e.g., Command shell on Channel 1, and a high-port connection on Channel N).
- **Covert Shell Relaying:** A standard reverse shell (e.g., one caught by Metasploit's `windows/shell_reverse_tcp` handler) runs on the victim's system and connects to `localhost:65535` on the victim itself. That connection is fully tunneled back over the HID pipe, via the HIDProxy, and finally to the attacker's machine.
- **Meterpreter Staging:** Demonstrates upgrading the initial CMD shell to a full Meterpreter session without conventional network traffic leaving the victim's host network interface by tunneling the Meterpreter DLL transfer over the established localhost tunnel.
## Indicators of Compromise
*No specific file hashes or hardcoded C2 specific to the framework were provided, as the tool is highly customizable.*
- File Hashes: N/A (Source code available on GitHub)
- File Names: `usabuse_vnc` (VNC server binary), `hidproxy-1.0.0.one-jar.jar` (HID Proxy Java application).
- Registry Keys: N/A (Focus is on USB hardware/OS interaction, not persistence mechanisms on the victim).
- Network Indicators:
  - HIDProxy default listening port: `*:65534` (For connection from the SBC/socat).
  - Tunneling back to attacker's Metasploit Handler LPORT: `4444` (Localhost on victim).
  - Victim connection port relayed via HIDProxy: `localhost:65535` (on the victim).
- Behavioral Indicators:
  - Recognition of a newly attached, unrecognized, or emulated Human Interface Device (HID).
  - High-frequency, sustained keyboard input whose character stream is characteristic of automated typing rather than a human operator.
  - Attempted connection to high, ephemeral local ports on the victim system (e.g., `localhost:65535`) immediately following HID interaction.
## Associated Threat Actors
- SensePost (Developers/Researchers)
- *Note: As a generic hardware attack tool leveraging standard Linux functionality, it could be adopted by any advanced penetration testing team or sophisticated threat actor targeting air-gapped or physically accessible systems.*
## Detection Methods
- Signature-based detection: Signatures could be developed for the specific Java JAR file or compiled binaries if deployed widely.
- Behavioral detection: Monitoring USB connection events for unrecognized devices initiating device driver loading, combined with unusual high-volume data transmission patterns across the HID endpoint (especially text streams). Monitoring internal loopback traffic (localhost) destined for high ports immediately following peripheral interaction.
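The behavioral detection described above, as an added example that is not code from the USaBUSe project or the original post: it correlates three signals a defender can collect on the host (a new HID keyboard registering in the kernel log, a burst of keystrokes at a rate no human produces, and a process opening a loopback connection to a high port shortly afterwards) and raises one alert per suspicious attach. All log lines and keystroke timestamps are constructed for illustration; the kernel-log format follows the usual `hid-generic` messages, the vendor/product IDs are the Linux composite gadget defaults (any real device may differ), and the connection-event format and the `CONNECT_LOG`/`KERNEL_LOG` names are assumptions.

```python
"""Correlate HID keyboard attach events with automated-typing bursts and
loopback connections to high ports (added example; all inputs constructed)."""
import re
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%S"

# Constructed kernel-log excerpt (timestamp prepended). The IDs are the Linux
# composite gadget defaults, used purely as an illustration.
KERNEL_LOG = """\
2017-03-10T10:00:00 usb 1-1: New USB device found, idVendor=1d6b, idProduct=0104
2017-03-10T10:00:01 hid-generic 0003:1D6B:0104.0003: input,hidraw2: USB HID v1.01 Keyboard [Multifunction Composite Gadget] on usb-0000:00:14.0-1/input0
2017-03-10T10:00:06 usb 1-1: USB disconnect, device number 5
"""

# Constructed endpoint network events (assumed EDR-style format, not a real tool's output).
CONNECT_LOG = """\
2017-03-10T09:58:30 connect pid=1200 image=browser.exe dst=203.0.113.10:443
2017-03-10T09:58:40 connect pid=2200 image=dbclient.exe dst=127.0.0.1:5432
2017-03-10T10:00:07 connect pid=4321 image=powershell.exe dst=127.0.0.1:65535
"""

HID_RE = re.compile(r"^(?P<ts>\S+) hid-generic (?P<hid>\S+): .*USB HID v[\d.]+ (?P<kind>\w+) \[(?P<name>[^\]]*)\]")
CONN_RE = re.compile(r"^(?P<ts>\S+) connect pid=(?P<pid>\d+) image=(?P<image>\S+) dst=(?P<ip>[\d.]+):(?P<port>\d+)$")


def parse_hid_attach(log):
    """Return (timestamp, hid id, device name) for every HID keyboard registration."""
    out = []
    for line in log.splitlines():
        m = HID_RE.match(line)
        if m and m["kind"] == "Keyboard":
            out.append((datetime.strptime(m["ts"], TS_FMT), m["hid"], m["name"]))
    return out


def constructed_keystrokes():
    """Constructed key-press timestamps: a human typing ~3 chars/s at 09:59,
    then a 600-character injected burst at ~300 chars/s right after the attach."""
    t0 = datetime(2017, 3, 10, 9, 59, 0)
    human = [t0 + timedelta(milliseconds=330 * i) for i in range(30)]
    t1 = datetime(2017, 3, 10, 10, 0, 3)
    injected = [t1 + timedelta(microseconds=3333 * i) for i in range(600)]
    return human + injected


def typing_bursts(presses, window=1.0, threshold=20):
    """Sliding one-second window over press timestamps; windows whose press rate
    reaches `threshold` per second are merged into (start, end, peak_rate) bursts."""
    presses = sorted(presses)
    bursts, cur, j = [], None, 0
    for i, t in enumerate(presses):
        while presses[j] < t - timedelta(seconds=window):
            j += 1                      # drop presses that fell out of the window
        rate = (i - j + 1) / window
        if rate >= threshold:
            if cur is None:
                cur = [presses[j], t, rate]
            else:
                cur[1], cur[2] = t, max(cur[2], rate)
        elif cur is not None:
            bursts.append(tuple(cur))
            cur = None
    if cur is not None:
        bursts.append(tuple(cur))
    return bursts


def loopback_high_port_connections(log, min_port=49152):
    """Return (timestamp, image, port) for connections to 127.0.0.0/8 on ephemeral ports."""
    out = []
    for line in log.splitlines():
        m = CONN_RE.match(line)
        if m and m["ip"].startswith("127.") and int(m["port"]) >= min_port:
            out.append((datetime.strptime(m["ts"], TS_FMT), m["image"], int(m["port"])))
    return out


def correlate(attaches, bursts, conns, grace=timedelta(seconds=30)):
    """One alert per keyboard attach that is followed within `grace` by a typing
    burst and/or a loopback high-port connection; both together rate 'high'."""
    alerts = []
    for ts, hid, name in attaches:
        following_bursts = [b for b in bursts if ts <= b[0] <= ts + grace]
        following_conns = [c for c in conns if ts <= c[0] <= ts + grace]
        if following_bursts or following_conns:
            alerts.append({
                "attached_at": ts, "hid": hid, "device": name,
                "peak_chars_per_sec": max((b[2] for b in following_bursts), default=0.0),
                "loopback_ports": sorted({c[2] for c in following_conns}),
                "severity": "high" if following_bursts and following_conns else "medium",
            })
    return alerts


def run():
    attaches = parse_hid_attach(KERNEL_LOG)
    bursts = typing_bursts(constructed_keystrokes())
    conns = loopback_high_port_connections(CONNECT_LOG)
    return correlate(attaches, bursts, conns)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The 20 chars/s threshold is deliberately far below the 300 chars/s the tool reaches but above sustained human typing, so the burst detector is unlikely to fire on a person; the attach-to-burst correlation window is what keeps a fast typist on an already-trusted keyboard from raising an alert at all.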
- YARA rules: N/A (No specific malware sample hashes provided).
## Mitigation Strategies
- **Physical Security:** Strict control over device access, especially for USB ports on sensitive machines. Consider enforcing USB device whitelisting via host OS policies (though challenging against generic HID emulation).
- **Host Hardening:** Disable or restrict the loading of drivers for unrecognized or unnecessary USB devices.
- **Behavioral Monitoring:** Implement endpoint detection and response (EDR) to watch for processes (like PowerShell or CMD) spawning reverse shells or initiating complex local network activity immediately after a physical interaction.
## Related Tools/Techniques
- USB Rubber Ducky / LAN Turtle (Similar physical attack vectors leveraging USB peripherals).
- Metasploit Framework (Used here as the capture/C2 handler).
- PowerShell Empire (Mentioned as an alternative staging payload).
- Socat (Used here to forward the physical device file over a network connection for remote proxying).