This project demonstrates how USB keyboard emulation (a USB HID "BadUSB" payload) on the Digispark ATtiny85 development board can be abused to steal passwords saved in Google Chrome.
Design goals:
- Minimize the time the attacker has to keep the device plugged in
- Fit the initial stage of the payload into the ATtiny85's limited flash (roughly 6 KB on a Digispark once the Micronucleus bootloader is accounted for)
- Leave no traces behind after the victim has been compromised
Attack scenarios:
- The victim plugs in an unknown USB device that contains the ATtiny with the payload already flashed
- The attack executes
OR
- The victim leaves a Windows computer unattended and unlocked (for example, to get some coffee)
- The attacker approaches with a Wi-Fi hotspot (e.g. SSID 'attwifi'). This is only necessary if the host network has browsing restrictions that would block the download
- The attacker plugs in the ATtiny via USB and waits for the red LED signal
- The attacker unplugs the device and leaves
- The attack continues to execute on the host
Stage 1 (payload.ino, runs while the device is plugged in):
- The ATtiny85 emulates a USB keyboard
- Uses the Windows + R shortcut to open the Run prompt, then launches cmd and PowerShell
- Connects to the attacker's Wi-Fi hotspot to bypass potential browsing restrictions
- Uses PowerShell to download a Base64-encoded file stored in the cloud and decode it
- Runs the decoded file (orion.bat)
- Turns on the LED on the ATtiny so the attacker knows to unplug the device and leave
Stage 2 (orion.bat, continues after the attacker has left):
- Writes and runs a PowerShell script that downloads the Base64-encoded WindowsUpdate.exe from the cloud
- Opens Microsoft Edge in the foreground to hide the code execution from bystanders
- Decodes WindowsUpdate.exe from Base64
- Kills the Chrome process so its SQLite password database is no longer locked and can be read
- Runs WindowsUpdate.exe
- Deletes all files created in the previous steps to hide traces of tampering
Stage 3 (WindowsUpdate.exe, built from WindowsUpdate.py):
- Uses chromepass (https://github.com/hassaanaliw/chromepass) to extract the saved passwords from Google Chrome. Note that chromepass relies on the DPAPI-only storage format used by Chrome before version 80; newer versions encrypt each entry with an AES key stored in the browser's Local State file, so the extraction step may need updating for current Chrome releases
- Uses a MIME library to email the extracted passwords to the attacker
Setup:
- Update WindowsUpdate.py with valid email credentials
- Use py2exe to compile it into an .exe file (most Windows PCs don't ship with Python)
- In a command prompt run: certutil -encode WindowsUpdate.exe "certification.txt"
- Upload certification.txt to cloud storage and replace the link in orion.bat
- In a command prompt run: certutil -encode orion.bat "emerald.txt"
- Upload emerald.txt to cloud storage and replace the link in payload.ino
- Compile and upload payload.ino to the ATtiny device using the Arduino IDE